Encryption guidance

by Mark Rowe

When should you encrypt data, whether it is stored on mobile or static devices or in transit? The data protection watchdog, the Information Commissioner’s Office (ICO), has published updated guidance on encryption, featuring several scenarios designed to help you consider when and how you should use encryption.

Peter Brown, Senior Technology Officer at the regulator, says: “A question we often get asked is whether or not encryption is a legal requirement. The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption, being a widely available technology with a relatively low cost of implementation, is one such measure.

“The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur. On top of the fines, data controllers risk significant damage to their reputation if they do not store personal data securely.

“Many of the cases we see involve data controllers making basic errors like storing personal data on unencrypted devices such as USB sticks which are either stolen or lost. Other cases include data controllers failing to dispose of IT equipment correctly or sending sensitive personal data in an unprotected form to the wrong individual. Everyone’s needs are different when it comes to encryption; the ‘right’ encryption will depend on the sensitivity of the personal data being processed and how that data is stored. There are many encryption products available and data controllers can use these without having to build their own solution personally. Encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.”

Visit https://ico.org.uk/for-organisations/encryption/.

Among the ICO’s examples are its fine of £150,000 served on Greater Manchester Police after a USB stick containing data on police operations was stolen from an officer’s home, and scenarios on securing laptops, both physically and when a laptop is used to send data.

© 2024 Professional Security Magazine. All rights reserved.