Last week the Information Commissioner's Office (ICO) published updated Guidance for data controllers on the encryption of personal data.

The Data Protection Act does not itself expressly state that data controllers must encrypt the personal data they hold. Instead, the Act imposes a general requirement that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The ICO has clarified this by stating that regulatory action may be taken in future where personal data is stolen, lost or subject to unauthorised access and that data is not protected by encryption.

The ICO has identified the encryption of data when it is being stored and when it is being transferred (data storage and data transfer) as providing effective (but not failsafe) protection against unauthorised or unlawful processing. The Guidance considers full disk encryption, individual file encryption and application or database encryption when storing data.

The ICO provides scenarios within the Guidance indicating when data controllers will need to consider encrypting data to ensure compliance with the Act. The scenarios are wide and varied, and include, by way of example: the transfer of personal data by CD, DVD or USB; the sending of personal data by email; the sharing of personal data online; mobile devices; fax; CCTV; audio recordings; photography and video equipment; and even drones. The scenarios are backed up by various examples of where the ICO has taken enforcement action (including imposing civil monetary penalties) against data controllers that failed to encrypt personal data.

The ICO has imposed heavy fines in the past on data controllers that had not encrypted personal data which was subsequently lost, stolen or damaged.

  • Data Storage: In 2012 the Greater Manchester Police were fined £120,000 by the ICO for not encrypting data stored on a USB device, after an unencrypted USB stick containing the personal data of over 1,000 people was stolen from a police officer's home.
  • Data Transfer: The ICO fined The Nursing and Midwifery Council £150,000 after the Council lost three unencrypted DVDs containing confidential video files relating to alleged offences by a nurse as well as witness accounts by two vulnerable children.

It is clear that this latest focus on encryption by the ICO, emphasising its application to many forms of data storage and many methods of data transfer, is intended to serve as an important reminder to organisations to keep personal data secure, failing which regulatory action will follow.

Data controllers should facilitate compliance by adopting an internal policy specifically for the encryption of personal data. This will ensure that their employees know when and how to use encryption. Data controllers should also familiarise themselves with applicable industry or sector-specific guidelines which recommend minimum standards for encryption. The types of encryption software used and the encryption methods adopted should also be reassessed regularly by data controllers to ensure that they are still appropriate. In particular, the ICO recommends that data controllers ensure any encryption solution which they or their data controllers use complies with current standards such as FIPS 140-2 and FIPS 197.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.