In more detail
- What is the benefit of encrypting the data that we store?
- What is ‘full disk encryption’?
- What is individual file encryption?
- What about application or database encryption?
- What are the residual risks with encrypted data storage?
Encrypting data whilst it is being stored (eg on a laptop, mobile, USB or back-up media, databases and file servers) provides effective protection against unauthorised or unlawful processing. It is especially effective to protect data against unauthorised access if the device storing the encrypted data is lost or stolen.
Depending on the circumstances, an effective and appropriate encryption solution can also be a means of demonstrating compliance with the security requirements of the UK GDPR. The ICO considers encryption to be an ‘appropriate technical measure’, and in cases where data is lost or unlawfully accessed and encryption was not used, we may consider regulatory action.
A civil monetary penalty of £150,000 was served on Greater Manchester Police under the Data Protection Act 1998 (‘the 1998 Act’) after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal data of over 1,000 people with links to serious organised crime investigations going back over an 11-year period. It was unencrypted and had no password protection.
An investigation established that an officer had used the device to copy information from his personal folder on the force’s network in order to access the data from outside the office. It was subsequently discovered that a number of other officers were also using unencrypted memory sticks on a regular basis.
Greater Manchester Police failed to implement appropriate technical measures against the loss of personal data. Although there was an order requiring the use of encrypted memory sticks, it was not enforced and no steps were taken to restrict the downloading of files onto external devices.
Encryption can also benefit you in other ways. If you do suffer a personal data breach, the acquisition of an encrypted dataset by an attacker still requires notification to the ICO under Article 33 of the UK GDPR.
However, Article 34(3)(a) states that notification to individuals is not required where you have:
‘implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption’
There is still a requirement for you to be able to demonstrate that the data was appropriately encrypted. Therefore, you need to assess whether this was the case and document your decision not to notify. You should also provide this information to the ICO when you notify us.
We will use this to assess whether:
- the breach is likely to result in a high risk to those individuals, in which case we may direct you to notify them, or
- your security measures have rendered the data unintelligible and therefore notification is not required.
Full disk encryption involves encrypting the entire contents of a device’s disk. Most modern operating systems have full disk encryption built in, although in some cases you may need to ensure you are using a device with specific hardware.
With full disk encryption, the data is decrypted only when the user accesses the device. Unfortunately, full disk encryption may not be enabled by default. You may need to activate it, for example by accessing the relevant settings options within the operating system of your device(s) and following the resulting instructions. Alternatively it may be an option that is available when you install the operating system.
Although the ICO neither endorses nor recommends any one particular encryption solution, a number of modern operating systems include full disk encryption as a built-in feature. The list below is not exhaustive and there may be other solutions that apply depending on your circumstances. The key is to ensure that the encryption adheres to accepted standards (see the section on ‘How should we implement encryption?’).
The Windows operating system includes a feature known as BitLocker Drive Encryption, which encrypts all user files and system files on the drive. For more information on BitLocker, including additional considerations in respect of hardware, you can consult the ‘Information Protection’ section of the Windows IT Pro Center (external link).
macOS includes the FileVault feature, which encrypts the startup disk. For more information on this feature you can read the FileVault section on Apple’s support site (external link). Note, however, that full disk encryption is only possible with FileVault 2.
A number of operating systems based on GNU/Linux also include disk encryption features. If you are using Linux, we advise you to consult the online documentation of your particular distribution for more information. Disk encryption solutions are also available on BSD-derived operating systems.
Other third party solutions may also apply depending on your circumstances.
You may consider that setting a PIN, or requiring users to provide a username and password in order to access a device, provides sufficient protection. Whilst this can offer assurance that the user is authorised to perform certain functions, it offers little protection to the underlying data, which is commonly stored in plaintext on the disk, and can be easily bypassed by an attacker with physical access to the device. This method must not be considered equivalent to encryption.
Passwords used to decrypt the hard disk or for access control must be sufficiently complex in order to provide an appropriate level of protection (see the section on ‘Keeping the key secure’).
Alternatively, you can encrypt files individually, or place groups of files within encrypted containers. In the event of loss or theft of the device, an attacker might gain access to the device and to some data but not to the encrypted files, assuming the key remains secure.
The ability to create encrypted containers may be part of encryption or other archive software, or built into the operating system. Once a container is created, files can be placed within it and encrypted, and the container itself can be moved and/or copied.
Some software applications and databases can also be configured to store data in an encrypted form. The benefit here is that the application controls the encryption, so it can access the keys when needed without relying on the underlying IT infrastructure.
When data is shared between applications, processes are required to share keys securely between them.
You should recognise that there are occasions where data can still be accessed by an unauthorised person, even if a system uses encrypted data storage. For example:
- if an encrypted device is left unattended whilst a user is logged in, then an attacker can gain access to the decrypted material;
- devices that store data in encrypted volumes or containers must mount or open these containers in order for the data to be accessed. If the volumes are not closed or unmounted once the user has finished, the data may be accessible to others;
- if a device is infected with malware which has appropriate permissions to access the data, full disk encryption or use of secure containers will offer little protection once a user has decrypted the data;
- if applications on the device are compromised by an attacker then any data which can be accessed by the application is vulnerable. For example, successful exploitation of a website vulnerable to an SQL injection attack could expose data whether or not the device itself is encrypted; and
- APIs which permit web content to read and write files on the underlying file system may pose additional security considerations.
Addressing these types of risks is therefore an important part of an encryption policy, which should also include employee awareness training.
Personal data should be stored in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals.
This guidance was written under the 1998 Act. It concerned common technical errors seen in the ICO’s cyber breach casework at the time and how you can avoid them. While the technological environment has changed, its general principles still apply.