Encryption and data storage

In more detail

• What is the benefit of encrypting the data that we store?
• What is ‘full disk encryption’?
• What is individual file encryption?
• What about application or database encryption?
• What are the residual risks with encrypted data storage?

What is the benefit of encrypting the data that we store?

Encrypting data whilst it is being stored (eg on a laptop, mobile, USB or back-up media, databases and file servers) provides effective protection against unauthorised or unlawful processing. It is especially effective to protect data against unauthorised access if the device storing the encrypted data is lost or stolen.

Depending on the circumstances, an effective and appropriate encryption solution can also be a means of demonstrating compliance with the security requirements of the UK GDPR. The ICO considers encryption to be an ‘appropriate technical measure’, and in cases where data is lost or unlawfully accessed and encryption was not used, we may consider regulatory action.

Encryption can also benefit you in other ways. If you do suffer a personal data breach, the acquisition of an encrypted dataset by an attacker still requires notification to the ICO under Article 33 of the UK GDPR.

However, Article 34(3)(a) states that notification to individuals is not required where you have:

‘implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption’

There is still a requirement for you to be able to demonstrate that the data was appropriately encrypted. Therefore, you need to assess whether this was the case and document your decision not to notify. You should also provide this information to the ICO when you notify us.

We will use this to assess whether: 

• the breach is likely to result in a high risk to those individuals, in which case we may direct you to notify them, or
• your security measures have rendered the data unintelligible and therefore notification is not required.

What is ‘full disk encryption’?

This involves encrypting the entire contents of a device’s disk. Most modern operating systems have full disk encryption built in, although in some cases you may need to ensure you are using a device with specific hardware.

With full disk encryption, the data is decrypted only when the user accesses the device. Unfortunately, full disk encryption may not be enabled by default. You may need to activate it, for example by accessing the relevant settings options within the operating system of your device(s) and following the resulting instructions. Alternatively it may be an option that is available when you install the operating system.

It is possible that you may consider setting a PIN or requiring users to provide a username/password in order to access a device provides sufficient protection. Whilst this can offer assurance that the user is authorised to perform certain functions, this approach offers little protection to the underlying data which is commonly stored in plaintext on the disk. This method must not be considered as equivalent to encryption. The data can also be easily accessed by an attacker with physical access to the device. 

Passwords used to decrypt the hard disk or for access control must be sufficiently complex in order to provide an appropriate level of protection (see section Keeping the key secure)

What is individual file encryption?

Alternatively, you can encrypt files individually, or place groups of files within encrypted containers. In the event of loss or theft of the device an attacker might gain access to the device and to some data but not to the encrypted files—assuming the key remains secure.

The ability to create encrypted containers may be part of encryption or other archive software or be built-in to the operating system. Once a container is created, files can be placed within it and encrypted and the container itself can be moved and/or copied.

What about application or database encryption?

Some software applications and databases can also be configured to store data in an encrypted form. The benefit here is that the application controls the encryption, so it can access the keys when needed without relying on the underlying IT infrastructure.

When data is shared between applications then processes are required to share keys securely.

What are the residual risks with encrypted data storage?

You should recognise that there are occasions where data can still be accessed by an unauthorised person, even if a system uses encrypted data storage. For example:

• if an encrypted device is left unattended whilst a user is logged in, then an attacker can gain access to the decrypted material;
• devices that store data in encrypted volumes or containers must mount or open these containers in order for the data to be accessed. If the volumes are not closed or unmounted once the user has finished, the data may be accessible to others;
• if a device is infected with malware which has appropriate permissions to access the data, full disk encryption or use of secure containers will offer little protection once a user has decrypted the data;
• if applications on the device are compromised by an attacker then any data which can be accessed by the application is vulnerable. For example, successful exploitation of a website vulnerable to an SQL injection attack could expose data whether or not the device itself is encrypted; and
• APIs which permit web content to read and write files on the underlying file system may pose additional security considerations. 

Addressing these types of risks is therefore an important part of an encryption policy, which should also include employee awareness training.