Keeping personal data secure is a well-established obligation under the UK data protection regime. The UK data protection watchdog, the Information Commissioner’s Office (ICO), has published advice on using encryption to satisfy this requirement. The ICO recommends universal use of encryption, especially where the loss or theft of personal data could have detrimental effects on individuals. The advice elaborates on how encryption works and the types of encryption that are available.
The advice discusses the difference between encryption and password or PIN protection. Password protection only blocks access to the data; it can be easy to circumvent, and once circumvented it gives full access to the information. In contrast, encryption uses mathematical algorithms to transform the underlying data so that it cannot be read without the encryption key, which is far harder to circumvent.
The ICO makes it clear that keeping the encryption key secret is of paramount importance. Even the best encryption is pointless if the key is easily accessible or is kept with the encrypted device or data. As an example of good practice, the watchdog suggests providing the encryption key over the phone, and only once it is confirmed that the data is in the hands of the correct person.
The choice of encryption method, such as symmetric or asymmetric, and of encryption strength will depend on a number of factors, including the sensitivity of the information and how it is being stored or processed. The ICO advice describes some of the most common forms of encryption and suggests how they should be used. The advice covers full disk encryption, encryption of a single file or of a container holding files, and encryption of data in transit.
Choosing and applying relevant encryption mechanisms may seem like a complicated and costly endeavour. However, the ICO’s blog points out that the costs of not using encryption may be even higher. Not only is there the potential for reputational damage, but the watchdog has also recently issued three monetary penalty notices to organisations, amounting to £700,000 in total, for not using encryption.