The Information Commissioner’s Office (ICO), the UK’s independent authority that oversees data privacy, recently released a new guidance on encryption best practices. Although encryption of data is not mandatory under UK data protection legislation, the ICO strongly recommends that organizations dealing with personal data use it.
“In recent years there have been numerous incidents where personal data has been stolen, lost or subject to unauthorized access,” the ICO states.
“In many of these cases, these were caused by data being inadequately protected or the devices the data was stored on being left in inappropriate places – and in some cases both. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect data, regulatory action may be pursued.”
The guidance highlights a number of cases where organizations were fined for not complying with this obligation. Personal data from over 1,000 people with links to serious organized crime investigations, information and evidence concerning vulnerable children, as well as sensitive information on hundreds of children with special educational needs, are among the cases of lost removable media with unencrypted data.
Additionally, it drew attention to a case involving a financial services company, which was unable to locate the whereabouts of two backup disks that contained more than half a million customer details; as well as a case relating to a local authority in Scotland, which misplace two laptops that had personal information of over 20,000 people stored on it. In both instances, the data was not encrypted.
The UK’s Data Protection Act of 1998, which stems from The Data Protection Directive and is thus closely similar to privacy laws across the European Union, states in its Principle 7:
“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO recommends that organizations carry out a Privacy Impact Assessment to identify and reduce privacy risks of their projects. However, encryption should be always considered – of course, alongside a range of other technical and organizational security measures.
by Peter Stancik, ESET