The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”.
Although the term “encryption” is not found in the UK’s Data Protection Act 1998, the requirement to implement the technique for certain types of data is derived from the obligation to implement “appropriate technical and organisational measures” to protect against loss, destruction or damage to personal data. The guidance makes clear that while it is not necessary or possible to encrypt all personal data, organisations must take a risk-based approach to using the technique.
The ICO builds upon its previous guidance by making key recommendations, including that:
- Organisations should have an encryption policy in place and guidance to assist staff in understanding it. Where industry or sector-specific guidelines are in place, organisations should be aware of these.
- Personal data should be stored in encrypted form, especially where its loss would result in damage or distress to individuals.
- When transmitting personal data over the internet, sensitive personal data should use an encrypted communication protocol.
An organisation’s encryption policy will require amendment over time as its operations change and methods of encryption are updated. Regular Privacy Impact Assessments will be key to identifying new areas of risk. As we move toward the implementation of the GDPR, guidance such as this is key to gaining an insight into how Data Protection Authorities may wield their new enforcement powers.