Encryption and data storage
In detail
- What are the benefits of encrypting the data we store?
- What is full disk encryption?
- How do we implement full disk encryption?
- How do we encrypt our smartphones and tablets?
- How do we encrypt removable media?
- How do we secure USB storage?
- How do we encrypt individual files?
- What are the residual risks with encrypted data storage?
What are the benefits of encrypting the data we store?
Encrypting personal information you intend to store (eg on a laptop, mobile, USB or back-up media, databases, and file servers) provides effective protection against unauthorised or unlawful processing.
It is especially effective in protecting the information from unauthorised access if the device you use to store the encrypted data is lost or stolen.
An effective and appropriate encryption solution can also be a way to demonstrate your compliance with the security requirements of UK data protection law.
You should enable storage encryption on laptops, smartphones and tablets that store personal information.
If the encryption you use depends on the user’s password for its security, you should:
- ensure that passwords are sufficiently complex to provide appropriate security;
- ensure that passwords are not stored or written down near the encrypted device; and
- use alphanumeric passcodes, when possible, as they provide greater protection than passcodes that only contain numbers.
What is full disk encryption?
Full disk encryption involves encrypting the entire contents of a device’s built-in storage. Most modern operating systems have full disk encryption built in. With full disk encryption, the data is decrypted only when the user accesses the device, and it becomes more difficult to access data stored on a device without its password.
This functionality is also available in some non-portable devices, such as desktop PCs and servers. These may have a lower risk of loss or theft because they are generally located in a secure location (eg on business premises with restricted access).
However, there is still a risk of loss or theft of a disk or the device itself (eg during a break-in). Therefore, you should use encryption on non-mobile devices, if it is available. This can be beneficial, especially if you cannot maintain physical security of the devices at an appropriate level.
Example
A hospital uses non-portable computer systems in some areas (eg shared administrative offices). It is not possible for the hospital to keep these areas locked because multiple medical and administrative personnel need to be able to access them constantly.
Encryption is therefore critical to ensure that sensitive patient and other confidential information remains secure, even if the physical devices are compromised.
Example
An organisation issues laptops to employees for remote working.
As the devices are used outside the office, there is a risk of loss or theft (eg when an employee uses it outside the office or travelling to and from the office).
To address this risk, the organisation requires all data stored on laptops to be encrypted using built-in full disk encryption technology.
This significantly reduces the chance of unauthorised or unlawful processing of the data, if a laptop is lost or stolen.
Full disk encryption depends on the user’s password for its security. This means you should ensure that passwords are sufficiently complex to provide appropriate security.
Example
A laptop is protected using a secure full disk encryption product. This means that the personal information is stored in an encrypted form when the laptop is switched off.
The laptop is stolen. The thief turns on the laptop and is challenged for the password. Without knowing the password, the thief is unable to access the data.
However, as the laptop’s password was written on a piece of paper stored in the same bag as the laptop, the thief has everything necessary to decrypt the data and gain full access to it. This makes the encryption ineffective.
Full disk encryption may not be enabled by default, so you should check whether it is. If it is not, enable it, for example through the relevant settings option in the operating system of your device(s), following the instructions provided.
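The check described above can be scripted. The following is an added example, not code from the ICO page or from any vendor: it parses the output of tools that exist on each platform (`findmnt`/`lsblk` on Linux, where a `crypt` ancestor of the root device means a dm-crypt/LUKS layer; `fdesetup status` on macOS; `manage-bde -status C:` on Windows). The sample outputs embedded below are constructed to match those tools' formats, and the live check reports "unknown" rather than guessing if a tool is missing.

```python
"""Report whether the system volume is covered by full disk encryption.

Added example (not from the ICO guidance). Parsing functions take the tool
output as text so they can be exercised offline; live_check() runs the tool
on the current host. Caveat: this only inspects the root/system volume;
separately encrypted home directories or data volumes are not assessed.
"""
import platform
import subprocess
from typing import Optional

# Constructed sample outputs in the format each tool produces.
LINUX_ENCRYPTED = "lvm\ncrypt\npart\ndisk\n"   # root LV sits on a LUKS container
LINUX_PLAIN = "part\ndisk\n"                   # root partition straight on the disk
MACOS_ON = "FileVault is On.\n"
MACOS_OFF = "FileVault is Off.\n"
WINDOWS_ON = (
    "Volume C: [OS]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Protection Status:    Protection On\n"
)
WINDOWS_OFF = (
    "Volume C: [OS]\n"
    "    Conversion Status:    Fully Decrypted\n"
    "    Protection Status:    Protection Off\n"
)


def linux_root_encrypted(lsblk_types: str) -> bool:
    """True if any ancestor of the root filesystem (lsblk -s) is a dm-crypt layer."""
    return any(line.strip() == "crypt" for line in lsblk_types.splitlines())


def macos_filevault_on(fdesetup_output: str) -> bool:
    """fdesetup prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "FileVault is On" in fdesetup_output


def windows_bitlocker_on(manage_bde_output: str) -> bool:
    """Both conditions matter: a fully encrypted volume whose protection is
    suspended ('Protection Off') is readable without the user's credentials."""
    return "Fully Encrypted" in manage_bde_output and "Protection On" in manage_bde_output


def live_check() -> Optional[bool]:
    """Run the platform's tool; None when the state cannot be determined."""
    try:
        system = platform.system()
        if system == "Linux":
            src = subprocess.check_output(["findmnt", "-no", "SOURCE", "/"], text=True).strip()
            dev = src.split("[")[0]  # strip btrfs subvolume suffix such as [/@]
            types = subprocess.check_output(["lsblk", "-sno", "TYPE", dev], text=True)
            return linux_root_encrypted(types)
        if system == "Darwin":
            return macos_filevault_on(subprocess.check_output(["fdesetup", "status"], text=True))
        if system == "Windows":
            out = subprocess.check_output(["manage-bde", "-status", "C:"], text=True)
            return windows_bitlocker_on(out)
    except (OSError, subprocess.CalledProcessError):
        pass
    return None


if __name__ == "__main__":
    labels = {True: "enabled", False: "NOT enabled", None: "unknown"}
    print("full disk encryption on system volume:", labels[live_check()])
```

Run it as an ordinary user on each laptop build (administrator rights are needed for `manage-bde`); a result of "NOT enabled" or "unknown" on a device holding personal information should be treated as a finding to follow up.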
Further reading – ICO guidance
The passwords guidance looks at what we expect you to do when setting up an online authentication system (eg for user accounts). However, some of its underlying concepts about appropriate passwords can apply in other circumstances.
How do we implement full disk encryption?
There are a number of ways to achieve full disk encryption. We don’t recommend any particular encryption solution or product. The outcome is what’s important – that you make it more difficult for someone with physical access to a device to gain unauthorised access to personal information on it.
Not implementing encryption on mobile devices can lead to severe consequences, for example:
- unauthorised people accessing sensitive personal information that may cause significant harm to people, including identity theft, financial fraud, and other malicious outcomes;
- reputational damage; or
- regulatory action.
Example
In 2013, under the previous data protection regime, we issued a fine of £150,000 to Glasgow City Council.
This followed the loss of two unencrypted laptops. One of them contained the personal information of 20,143 people.
Most modern operating systems include full disk encryption as a feature. You should consider whether using this feature is appropriate for your circumstances.
Other resources
The NCSC has platform-specific guidance for securing devices. It has also published downloadable configurations in its GitHub repository.
NCSC guidance on Windows: the Windows operating system includes a feature called BitLocker Drive Encryption which encrypts all user and system files on the drive.
NCSC guidance on macOS: macOS includes the FileVault feature, which encrypts the startup disk.
A number of Linux-based systems include disk encryption features. If you use Linux, we advise you to consult the documentation of your particular distribution for more information.
This list is not exhaustive and there may be other solutions that apply depending on your circumstances.
How do we encrypt our smartphones and tablets?
Modern smartphone and tablet operating systems also have the functionality to enable encryption, just like full disk encryption for PCs and laptops. This can provide greater protection against unauthorised access to personal information if the device is lost or stolen.
The protection provided by encryption for smartphones and tablets depends on the passcode used to unlock the device, as it is used as part of the encryption key generation process.
This means you should ensure that passcodes for these devices are sufficiently complex to provide appropriate security.
Encryption is enabled by default on modern smartphones and tablets that are set up with a passcode required to unlock the device. By default, the passcode may only allow numbers, but most devices have a setting to enable letters as well as numbers which allows greater security.
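The dependency described above (passcode feeds key generation, so the passcode space bounds the key space) is shown in the following added example. It is not code from the ICO page or from any device vendor: PBKDF2-HMAC-SHA256 over the passcode and a per-device salt is a simplified stand-in for a phone's hardware-bound derivation, and the salt, iteration count and six-character minimum are constructed assumptions.

```python
"""How a device passcode bounds the strength of storage encryption.

Added example, not from the ICO guidance. Every allowed passcode maps to one
possible storage key, so the number of passcodes a policy permits is the
number of keys a lost device's data is hidden behind.
"""
import hashlib
import math
import string
from typing import Optional

DEVICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
ITERATIONS = 100_000                                             # assumed cost parameter

ALPHABETS = {
    "numeric": string.digits,
    "alphanumeric": string.ascii_letters + string.digits,
}


def derive_storage_key(passcode: str, salt: bytes = DEVICE_SALT) -> bytes:
    """Deterministic: the same passcode and salt always give the same 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, ITERATIONS, dklen=32)


def candidate_count(policy: str, length: int) -> int:
    """Distinct passcodes, hence distinct storage keys, that a policy allows."""
    return len(ALPHABETS[policy]) ** length


def entropy_bits(policy: str, length: int) -> float:
    return math.log2(candidate_count(policy, length))


def passcode_policy_violation(passcode: str, min_length: int = 6) -> Optional[str]:
    """Return the rule a passcode breaks (length, digits-only, no mix), or None."""
    if len(passcode) < min_length:
        return f"shorter than {min_length} characters"
    if passcode.isdigit():
        return "digits only; use an alphanumeric passcode"
    if not any(c.isdigit() for c in passcode) or not any(c.isalpha() for c in passcode):
        return "mix letters and digits"
    return None


if __name__ == "__main__":
    for policy, length in (("numeric", 4), ("numeric", 6), ("alphanumeric", 6), ("alphanumeric", 10)):
        print(f"{policy:13s} length {length:2d}: {candidate_count(policy, length):>22,d} keys "
              f"({entropy_bits(policy, length):.1f} bits)")
    k1, k2 = derive_storage_key("123456"), derive_storage_key("123457")
    print("neighbouring passcodes give unrelated keys:", k1 != k2)
```

The table it prints makes the guidance concrete: a six-digit passcode permits one million keys, a six-character alphanumeric one about 57 billion, which is why the setting that allows letters as well as numbers is worth enabling.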
On iPhone and iPad, encryption is called ‘data protection’. When enabled, you see a line of text saying “data protection is enabled” at the bottom of the “FaceID & Passcode menu” in “Settings”.
For Android devices, confirmation that encryption is enabled depends on the device you use.
For more information about securing iPhone, iPad and Android devices, see NCSC guidance.
How do we encrypt removable media?
Personal information stored on removable media, such as USB devices and SD cards, is at risk of unauthorised access if you don’t encrypt it. When you encrypt removable storage media, anyone who tries to access the data needs to enter a password or have a digital key on their computer to do so.
It can be easy to lose or misplace removable media. This can make it difficult to comply with other data protection obligations, such as dealing with a subject access request (SAR). Removable media can also introduce malware or other cyber security risks.
You should consider more appropriate ways of transporting or storing data.
You should implement encryption if you have a business need to store personal information on removable media, particularly given the wide availability of ways to do this and the low cost of doing so. (For more examples, see the encryption scenarios section.)
Example
Under the previous data protection regime, we fined Greater Manchester Police £150,000 after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal information of over 1,000 people with links to serious organised crime investigations going back over an 11-year period. It was unencrypted and had no password protection.
An investigation established that an officer had used the device to copy information from their personal folder on the force’s network to access the data from outside the office. It was subsequently discovered that a number of other officers were also using unencrypted memory sticks on a regular basis.
Greater Manchester Police failed to implement appropriate technical measures against the loss of personal information. Although there was an order requiring the use of encrypted memory sticks, it was not enforced, and no steps were taken to restrict the downloading of files onto external devices.
Example
Under the previous data protection regime, North East Lincolnshire Council was issued with a fine of £80,000 after a serious data breach resulted in the loss of sensitive information of hundreds of children with special educational needs.
The information was stored on an unencrypted memory stick and went missing after the device was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop, the memory stick was gone and it has never been recovered.
The device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health problems and teaching requirements. The device also included the pupils’ dates of birth and, for some, details of their home addresses and information about their home life.
How do we secure USB storage?
There are three main ways to avoid storing unencrypted personal information on USB devices:
- Prohibiting or restricting your staff’s use of USB storage devices.
- Implementing measures to prevent your organisation’s devices from connecting to USB devices, and to prevent unauthorised access of personal information (eg staff training and enforcement, or technical controls).
- Restricting how your organisation’s devices interact with USB devices. This is good practice from a wider cyber security perspective.
If you do have a business need for your staff to use USB storage devices, you should:
- implement appropriate measures (eg policies governing USB use and staff training); and
- encrypt the whole device or ensure that individual files containing personal information are encrypted before they are stored on it.
Encrypting the USB device provides protection against unauthorised access by requiring a key before the files stored on it can be read.
Software for encrypting USB storage devices is widely available. For example, a common tool is BitLocker on Windows.
Alternatively, encrypting individual files before you put them on a USB device can also protect personal information. Even though the presence of the individual encrypted files can be seen on the USB drive, they cannot be accessed without the password.
Whole USB device encryption is generally more robust and enforceable than device restrictions. However, you could:
- use both whole device encryption and individual file encryption; or
- choose between the two based on what best fits your needs.
How do we encrypt individual files?
In order to encrypt files, you could:
- encrypt each file separately, which may be appropriate when you need to protect specific files without encrypting the entire storage device; or
- place groups of files within encrypted digital containers. These containers act like secure folders that can hold multiple files and directories. This method is appropriate for managing and protecting multiple files at once.
The ability to create encrypted files or containers may be part of encryption or other archive software you use. It may also be a feature of the operating system on your devices or other applications like your productivity software (eg Microsoft Office, LibreOffice, Google Docs or other applications).
Once you create a container, you can place files into it and encrypt it. You can then move the container itself, or copy it, or both.
Other dedicated software solutions for encrypting files are available, including free options such as VeraCrypt. You should choose whichever solution best fits your needs.
If you rely on file password functionality to protect personal information, you should check that the password functionality actually encrypts the data. For example, in some cases, an application may allow you to just add a password, but may not encrypt the underlying data.
You should not store the password or key in the same place as the encrypted file.
When you encrypt files, you should ensure that what you’ve done is effective and that you mitigate the risk of someone reversing the encryption. For example, encryption may be ineffective if you:
- store the password in an unencrypted text file alongside the encrypted files. This means the decryption key is stored alongside the data;
- make the password the same as the name of the encrypted file; or
- send a password in the same email as an encrypted attachment.
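The checks in the two passages above (does the password feature actually encrypt the contents, and has the password or key been left next to the file or used as its name) can be turned into a simple audit. The following is an added example, not code from the ICO page: the file names, contents and the heuristics (an entropy floor of 7.0 bits per byte, a short list of plaintext markers, a file-name pattern for key material) are constructed assumptions, and random bytes stand in for real ciphertext.

```python
"""Audit files that are supposed to be encrypted.

Added example, not from the ICO guidance. Three checks per file:
  1. content looks like ciphertext (high byte entropy, no recognisable plaintext),
  2. no password/key file is stored alongside it,
  3. the file name is not the password itself.
All checks are heuristics: passing them does not prove strong encryption,
but failing them is a clear sign the protection is ineffective.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional

ENTROPY_FLOOR = 7.0  # bits per byte; encrypted or compressed data sits near 8.0
PLAINTEXT_MARKERS = (b"Name:", b"Date of birth", b"Address", b"<?xml", b"%PDF")
KEY_FILE_PATTERN = re.compile(r"(password|passwd|key|pin)", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_FLOOR and not any(m in data for m in PLAINTEXT_MARKERS)


def sibling_secret_files(path: Path) -> List[str]:
    """Files in the same directory whose name suggests stored key material."""
    return sorted(p.name for p in path.parent.iterdir()
                  if p.is_file() and p != path and KEY_FILE_PATTERN.search(p.stem))


def audit(path: Path, known_password: Optional[str] = None) -> List[str]:
    findings = []
    if not looks_encrypted(path.read_bytes()):
        findings.append("content is not ciphertext (password may not encrypt the data)")
    siblings = sibling_secret_files(path)
    if siblings:
        findings.append("possible key material stored alongside: " + ", ".join(siblings))
    if known_password and known_password.lower() in (path.stem.lower(), path.name.lower()):
        findings.append("password equals file name")
    return findings


def demo() -> dict:
    """Build three constructed cases in a temp directory and audit each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Case 1: a 'password-protected' export whose bytes are plain text,
        # with the password saved in a text file next to it.
        fake = root / "patients.protected"
        fake.write_bytes(b"PASSWORD-PROTECTED EXPORT\nName: A. Example\n"
                         b"Date of birth: 1970-01-01\n" * 50)
        (root / "password.txt").write_text("hunter2\n")
        # Case 2: a genuinely encrypted-looking blob kept on its own.
        good_dir = root / "archive"
        good_dir.mkdir()
        good = good_dir / "records.enc"
        good.write_bytes(os.urandom(4096))  # stands in for AES output
        # Case 3: ciphertext, but named after its own password.
        named_dir = root / "transfer"
        named_dir.mkdir()
        named = named_dir / "hunter2.enc"
        named.write_bytes(os.urandom(4096))
        return {
            "fake": audit(fake),
            "good": audit(good),
            "named_after_password": audit(named, known_password="hunter2"),
        }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'no findings'}")
```

The entropy test is the one most worth keeping in a real audit: an application that merely marks a document as "password protected" leaves the text, names and dates readable to anyone who opens the file in a hex editor, and that plaintext is exactly what the marker scan and the low entropy reveal.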
What are the residual risks with encrypted data storage?
Encryption is only one component of a robust data security strategy.
There are occasions when an unauthorised person can still access data, even if you use encrypted data storage. For example:
- If an encrypted device is left unattended and unlocked while a user is logged in, an attacker can gain access to the decrypted material.
- Devices that store data in encrypted volumes or containers need to ‘mount’ or open these containers for the data to be accessed. If the volumes are not closed or unmounted once the user has finished, the data may be accessible to others.
- If a device is infected with malware that has appropriate permissions to access the data, full disk encryption or use of secure containers offers little protection once a user has decrypted the data. This is because after the device is unlocked and the operating system is running, all the data held on disk is decrypted and accessible to applications and processes, including malware with the necessary permissions.
- If applications on the device are compromised by an attacker, any data that can be accessed by the application is vulnerable. For example, successful exploitation of a website vulnerable to an SQL injection attack can expose data whether or not the device itself is encrypted.
- Application programming interfaces (APIs) that permit web content to read and write files on the underlying file system may pose additional security considerations.