Encrypted email

Encrypted email allows you to encrypt the body and attachments of emails. OpenPGP and S/MIME are widely used standards for this, implemented by a range of free and commercial software products.

Sending and receiving encrypted email requires: 

  • using compatible email client software; and
  • configuration in advance. 

Encrypted email uses asymmetric encryption and requires a user to generate a key pair before they are able to send an encrypted email. Users have to exchange public keys before they can send encrypted email to each other.

However, if you lose the private key, you will no longer be able to decrypt any email that was encrypted with the associated public key.
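As an added illustration, not part of the ICO's guidance, the following Go program models the asymmetric step just described: the recipient generates a key pair in advance, the sender encrypts a per-message content key to the recipient's public key, and a replacement key pair generated after the private key is lost cannot recover it. It uses only Go's standard library; the symmetric encryption of the body with the content key is left out, and the label string and key size are this example's choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties the wrapped key to its purpose; sender and recipient must use the same value.
var oaepLabel = []byte("email-content-key")

// GenerateKeyPair is the set-up step each user does in advance. The private half
// must be kept secret and backed up: without it, nothing encrypted to the
// matching public half can ever be recovered.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewContentKey makes the random per-message symmetric key that would encrypt the
// body and attachments (the symmetric part is omitted in this example).
func NewContentKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WrapContentKey encrypts the content key to the recipient's public key with
// RSA-OAEP. OpenPGP and S/MIME work the same way: the body is encrypted
// symmetrically and only this key is encrypted asymmetrically, once per recipient.
func WrapContentKey(pub *rsa.PublicKey, contentKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, oaepLabel)
}

// UnwrapContentKey recovers the content key; only the matching private key can.
func UnwrapContentKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

func main() {
	recipient, _ := GenerateKeyPair()
	senderCopy := recipient.PublicKey // the public key the recipient handed out beforehand
	contentKey, _ := NewContentKey()
	wrapped, _ := WrapContentKey(&senderCopy, contentKey)
	got, err := UnwrapContentKey(recipient, wrapped)
	fmt.Println("recipient recovers content key:", err == nil && bytes.Equal(got, contentKey))
	// Losing the private key: a freshly generated replacement pair cannot unwrap old mail.
	replacement, _ := GenerateKeyPair()
	_, err = UnwrapContentKey(replacement, wrapped)
	fmt.Println("replacement key pair fails:", err != nil)
}
```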

When deciding whether to implement encrypted email, you should consider:

  • the risks and investment required;
  • compatibility with other security measures; and
  • alternative solutions for encrypted transit such as storing sensitive information in encrypted attachments.

For example, how you will:

  • keep the private key secret;
  • deal with any potential complications, such as whether configuring encrypted email within your corporate environment may cause problems for server-based malware scanning products (as the content and attachments are encrypted and may even be actively blocked by the scanning software);
  • manage any compatibility issues with automated email processing systems, or manage multiple private keys amongst multiple staff (eg a common mailbox, such as support@example.com); and
  • make available compatible software and ensure people can generate key pairs and appreciate the necessity of key management. This is particularly the case when communicating with people external to your organisation. 

Other resources

OpenPGP

Encrypted attachments

Depending on the software on your devices, it may be possible for you to encrypt a file and then add it as an attachment to a standard email. (For more details, see the encryption and data storage section.)

To decrypt the attachment, the recipient needs to have compatible software (in some cases the same software) and have access to the key. 

The key is commonly derived from a shorter, more memorable password that you share with the recipient. You should choose passwords that are sufficiently long and complex to prevent compromise.

Also, you should communicate the key to the recipient over a separate communication channel (eg by disclosing the password over the telephone when you receive confirmation that the email has been delivered). Do not include the password within the same email as the encrypted file attachment.

Encryption and the cloud

Storing data in the cloud

Many cloud service providers use encryption at rest as a common security measure to protect data they store on their systems. This protects data from physical attacks, such as unauthorised access to storage devices. 

On a technical level, this does not prevent cloud providers from accessing the data, as they typically manage the encryption keys. However, if you use a cloud provider as your processor, you must only choose those that offer sufficient guarantees, with the processing governed by a contract or other legal act that specifies the rights and obligations of the parties. 

Encryption at rest in the cloud also does not prevent the risks of data exposure due to misconfigurations or unauthorised access through other means. So, you should consider whether the cloud provider’s encryption solutions are appropriate for your requirements.

Alternatively, you could encrypt the data yourself before you upload it to the cloud provider. This is called client-side encryption and can provide a further layer of protection for the data once you store it in the cloud. 

This extra layer holds only if you do not also store the key in the same cloud storage system. For example, if an attacker compromises the cloud provider’s systems, that attacker still won’t be able to decrypt the data.

Example

A financial services company uses cloud storage to store customer financial data, transaction histories, and its own internal financial statements. 

Before it uploads any customer data to the cloud, the company uses client-side encryption to encrypt the data. 

The company securely manages the encryption keys. It does not store them in the cloud. This ensures that only authorised personnel within the company can decrypt and access the data.

The cloud provider only stores the ciphertext and has no access to the encryption keys or the original data.

When the company needs to access the archived financial records, it downloads the encrypted data from the cloud. It then decrypts the data locally.

Client-side encryption can work well with file storage but may be incompatible with some of the other benefits of using a cloud service. For example, collaboration tools like Google Docs or Microsoft 365 allow multiple users to edit documents in real time. If the documents are encrypted on the client side, the cloud service cannot process the content for real-time collaboration, significantly reducing the effectiveness of these tools.

When considering using the cloud, you must also protect personal information when it is in transit over the internet. This is likely to be the default with any cloud provider, but you should confirm this is the case.

Using cloud-based services and applications

Many online applications support file-sharing and collaboration features. For example, common office software suites allow documents to be shared with a range of users.

This means that files are typically stored remotely and accessed over the internet, often by multiple users.

You must use in-transit encryption for your online applications (eg TLS) to ensure that information is not accessed if it is intercepted while in transit. 

You should also consider whether any additional encryption methods are needed when the data reaches the server or client device.

If the online application is simply a repository that the recipient can collect their file(s) from, you could encrypt the files prior to upload. This ensures that no third party (including a service provider) can gain access to the personal information.

If the online application performs some processing on the personal information, it is a complex requirement to insist that data remains in an encrypted form inaccessible to the application provider. This requires a sophisticated key management system that is not a feature found on most cloud-based applications today. 

UK data protection law outlines requirements for when a controller engages a processor. This includes conducting due diligence that: 

  • the processor has appropriate technical and organisational measures in place;
  • the processing is governed by a contract with key information; and
  • the processor acts only in accordance with the controller's instructions.

Online applications can offer a ‘share a private URL’ feature or the ability to grant specific users access to individual files or folders. This can provide a secure and auditable means to share information. But unless additional encryption methods are in place, the files are not stored in an encrypted form. To maintain security, you must include a robust user authentication process.

Encryption and backups

Creating and storing a backup of data is a key component of a disaster recovery strategy. Remember, you must have technical measures that ensure you can restore the availability of, and access to, personal information in a timely manner in the event of an incident. You could use backups to achieve this.

Backups are often recorded onto tape, disk or other physical media. You could store these backups in an encrypted format, which helps protect the data against unauthorised access. 

If you encrypt your backups, you should have good key management in place to ensure that you can access the backup when necessary.

In the case of an encrypted long-term backup or archive, you should ensure you can still access the data and that the encryption you used remains appropriate over time. 

You must consider the right to erasure under Article 17 of the UK GDPR, and how this may apply, when determining both your use of encryption and the retention period of your backups.

Further reading

Right to erasure

Sending personal information on physical storage media

Physical storage media is another way you can send large volumes of personal information from one location to another. But in this scenario, there is a risk that the information may be physically intercepted, lost, or stolen.

To address this, you should consider:

  • the type of storage device;
  • the format of the data you store on it;
  • the sensitivity of the information; and
  • the security of the transport (eg the postal service used). 

The format determines how easily the data can be accessed or read if it is intercepted. The more sensitive the information stored on the disc, the greater the potential impact if it is lost or stolen. 

The method of transport can affect the risk of interception, loss, or theft. 

You could use a recorded delivery method or specialist courier. This gives assurances that the disc is signed for by the intended recipient. It reduces the risk of the data being intercepted, lost or stolen, but does not entirely eliminate it.

If you send personal information in unencrypted form, there is a risk that if it were lost or stolen, a third party might gain unauthorised access to the information.

Therefore, you should use encryption as a way of adding an additional layer of protection.

Encrypting the data on the disc ensures that an attacker can only gain access to the personal information by breaking the encryption. However, to decrypt the data, the recipient needs: 

  • access to the correct type of hardware (eg an optical drive if the storage media is a CD or DVD); and
  • compatible software to decrypt the data (in some cases the exact same software will be needed). 

This can cause some difficulties in corporate environments that have disabled access to external drives or do not permit users to install unauthorised software.

If you choose to encrypt the disc, you should share the password over a separate communication channel (eg by disclosing the password over the telephone on confirmation of delivery). 

You should not include the password alongside the storage media (eg in the same envelope as the disc or USB stick). This effectively removes the protection offered by encryption.

Faxing

Fax, particularly online faxing, remains a way of transmitting personal information from one location to another. 

Due to the limitations of normal fax machines, it is generally not possible for you to overlay additional encryption measures when you send a fax. You could consider whether another means of communication may be more appropriate.

Although fax machines are not immune from interception while in transit, the Privacy and Electronic Communications Regulations require the provider of a public communications network to assure the security and confidentiality of the service.

As it is not possible to encrypt the message, you should ensure that you send faxes to the correct recipient. 

Fax machines in public areas also present a risk if received faxes are not collected promptly by the intended recipient, as a passing person could read any personal information they contain. To address this risk, you could move fax machines into ‘safe havens’: a secure physical location with an agreed set of organisational measures about their usage.

What about online faxing?

Online faxing, also called internet faxing or e-faxing, has grown in sectors such as housing and healthcare. It allows you to send and receive faxes via the internet, without a phone line or a fax machine.

It may be offered as a subscription service and may form part of a wider package of cloud-based communications products.

Online faxing may offer benefits compared to traditional faxing. For example, it reduces infrastructure cost and enables you to send and receive faxes from anywhere with an internet connection.

Any security benefits of using online faxing depend on how you implement the service. For example, whether faxes are delivered to a recipient’s email address, or immediately printed on receipt by a fax machine (where another person might see them). 

Online fax services may also offer additional encryption while the data is in transit, although the extent of protection may be limited. Sending a fax to an email inbox presents a similar set of security risks as sending personal information via email.

When deciding whether to use online faxing, you should consider if the provider:

  • offers encryption of any part of its services, and the faxes sent through them, as standard or at an additional cost;
  • offers secure online storage, and whether it includes additional features (eg the ability to delete faxes from its servers on delivery in cases where you may send sensitive information);
  • offers an audit trail of faxes sent and received through its servers; and
  • has located its services in a secure environment.

Whenever you use faxing or online faxing services, you must implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing. 

Further reading – ICO guidance

Guide to PECR

CCTV and video surveillance

Data protection law applies to most organisational use of video surveillance. 

If your CCTV systems make use of wireless communication links (eg transmitting images between cameras and a receiver), you should ensure that these signals are encrypted to prevent interception.

If you use CCTV systems that transmit images over the internet (eg to allow viewing from a remote location), you should: 

  • encrypt these signals to prevent interception; and
  • implement access controls (eg some form of authentication like a username and secure password).

The devices you use to store CCTV images may also be a common target during a break-in (eg to remove potential evidence of the crime). To reduce the risk of unauthorised access to data, you should:

  • ensure the physical security of the storage device (eg by keeping it in a locked room);
  • store the recordings in an encrypted format; and
  • implement access controls to limit access to CCTV storage.

People may make requests to disclose this information, for example in response to right of access requests or in the context of other disclosures. You should consider an appropriate format for disclosing the data and implement appropriate security controls.

During procurement, you should consider the capabilities of the device or prospective system. For example, how you can export data securely. However, you should not use proprietary encryption that restricts your ability to give someone access to their personal information.

Further reading – ICO guidance

CCTV and video surveillance

Photography and video cameras

Use of digital photography and video cameras can provide a permanent record of an event for a range of different purposes. Not all devices may have the ability to encrypt images you store on them. This means there is a risk of unauthorised access if a camera (or any removable memory card) is lost or stolen.

When encryption is not a reasonable option, you should consider other measures you can take to reduce the risk to a tolerable level. For example, you could move images from the camera to a secure location and delete them from the device or memory card as soon as practical.

You could consider using an alternative device (eg a smartphone or tablet) that does offer an encrypted file system, as well as encrypting any memory cards. You could also ensure that: 

  • the device does not automatically upload images to a remote cloud service or social network; and
  • the method you use to move the images from the device does not present a further security risk (eg sending images as an email attachment).

Example

Under the previous data protection regime, the Royal Veterinary College (RVC) signed an undertaking to comply with the security principle following the loss of a memory card containing personal information.

Our investigation revealed that a personal digital camera was lost which included a memory card containing the passport images of six job applicants.

The camera did not support encryption, so the RVC needed to take additional technical and organisational measures to mitigate against the loss or theft of the camera or memory card. For example, a process to move the images to a secure location and delete them from the memory card as soon as practical.

A further option would have been to use a photocopier or a scanner to take copies of the documents, where necessary.

Body worn video (BWV)

BWV devices are increasingly being considered for use in the workplace (eg for emergency services). There is also a range of sports action cameras that some organisations use for this purpose.

The sensitivity of the footage (including both audio and video) differs according to the situation. If you use these devices, you should take into account the risks to people if they are accessed by an unauthorised third party. 

You should consider using encryption, whether this involves the device itself or the storage medium. Where this is not appropriate, you should have other ways of preventing unauthorised access to information. 

In addition, you should consider designs that have robust technical security measures. For example, BWV devices that do not have removable memory cards and that have limited access permissions. These approaches further reduce the risk of loss or compromise of data if a device is stolen, misplaced or accessed by unauthorised people.

Further reading – ICO guidance

Our guidance on video surveillance has more detail on BWV: 

Additional considerations for technologies other than CCTV

Unmanned aerial systems (UAS)

Unmanned aerial systems (UAS), also known as unmanned aerial vehicles (UAVs), remotely piloted aircraft systems (RPAS) or drones, commonly include features allowing the user to record video footage and, depending on the model, audio footage.

If you use these systems to capture personal information and transmit it back to the pilot (eg a live feed of video footage over Wi-Fi to a smartphone app), you should make sure that the data is protected from interception by using an encrypted wireless communication link. 

Encrypted communication is typically the default setting on UAS that support it. However, you should still check whether this is the case. Using an encrypted wireless communication link may also give some protection against potential hijacking of the device.

If images or other personal information are stored on the UAS itself (eg an on-board memory card), you should appropriately protect the data in the event of loss or theft (eg following a crash). You could use encryption to accomplish this.

You should also consider the security of footage once you remove it from the device (eg for longer-term storage).

Additional legal requirements or best practice may include:

  • flying UAS within line of sight of the operator;
  • retaining a log of usage;
  • ensuring data collection is kept to a minimum;
  • copying data to a secure location; and
  • securely destroying data on the device as soon as practical. 

Other resources

The Civil Aviation Authority's information on drones (external link) has more information about the general requirements for drone use that are outside the scope of our guidance. 

Encryption and Internet of Things (IoT) devices

Many organisations now use IoT devices for a variety of purposes. If you make these devices available (eg to your customers or your employees), you must ensure that any personal information you process using them is done securely. 

The nature and risks of the data you collect, store and share from IoT devices differ according to why and how you deploy them. For example, wearable devices may collect and store a wide range of data. Some of this may seem innocuous, but can reveal a quite detailed picture of people’s habits and behaviours over time, for example through usage patterns or location data. Other data has greater sensitivity, like wearables that process people’s health data.

Many IoT devices are portable and may be at greater risk of being lost or stolen. Also, IoT devices often send personal information over a network, so you must also consider the security of any communications your devices engage in (see encryption and data transfer).

Encryption can help you to address these issues. When you plan your use of IoT devices, you should do a DPIA to understand: 

  • the types of personal information collected by the device;
  • the potential risks to people if that data is compromised; and
  • how encryption can mitigate those risks.

You should also consider if any additional legislation applies to you, as this may mean you have to put specific security measures in place. For example, certain organisations, such as IoT product manufacturers, have security obligations under the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. 

These include:

  • banning the use of default and easily-guessable passwords;
  • putting in place a vulnerability disclosure policy; and
  • providing people with information about how long the product will receive security updates.

These regulations are enforced by the Office of Product Safety and Security. Although their requirements are not specifically about data protection, we may take them into account, where appropriate, in any incidents we deal with that involve using IoT devices.