New encryption guidance published by UK’s Information Commissioner


The UK’s Information Commissioner’s Office (ICO) published updated guidance on encryption on 3rd March 2016, amidst concerns that there was a general lack of understanding of how and when to use encryption. It is the lack of appropriate technical measures, such as the use of encryption, that has led to a significant number of fines being issued in the UK since 2010. There is a risk of bigger fines with the introduction of the new General Data Protection Regulation. Organisations need to be prepared!

UK legislation does not specify the types of technology to use, which is potentially a failing, given that in other jurisdictions such as Japan and Germany encryption is seen as a standard and critical measure for safeguarding data. However, the latest guidance does state that ‘Encryption should be considered alongside a range of other technical and organisational security measures.’

The ICO’s guidance suggests that encryption should be considered both when data is stored (data at rest) and when data is transferred (data in transit). This is usually applied to laptops, which can be lost or stolen, and to backup media or media used to transfer critical information such as a CD-ROM or DVD, but it can also apply to USB sticks and drives. Policies governing the use of encryption within organisations are recommended; however, any policies need to be governed and enforced. The Greater Manchester Police were fined £120,000 when an unencrypted USB stick containing details of over 1,000 people linked to serious crime was stolen from an officer; despite there being a requirement to use encrypted memory sticks, it was not enforced!

The new General Data Protection Regulation (Article 30) requires that ‘pseudonymisation and encryption of personal data’ are appropriately used as part of an organisation’s security management. The extent of any encryption would need to be considered in light of the likely risks, codes of practice and certifications.

As stated by the ICO:

“Everyone’s needs are different when it comes to encryption; the ‘right’ encryption will depend on the sensitivity of the personal data being processed and how that data is stored. There are many encryption products available and data controllers can use these without having to build their own solution personally. Encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.”

At Clearswift we use encryption in a number of different ways to prevent data loss. For example, on the endpoint, when copying information to a USB stick, if the file contains critical information the copy can be blocked, or the file can be copied in encrypted form. With email there are multiple encryption options; the key is to make their use transparent to the sender and as easy as possible for the recipient. If the company has invested in PGP or S/MIME infrastructure, then this can be used, or it can be as simple as ensuring the file is encrypted in an archive and the password is then sent on to the recipient separately. By using the solution to determine and apply the encryption, the organisation keeps control of the encryption keys used. Leaving the choice of password to the user opens the organisation up to future problems when the information may need to be decrypted for compliance reasons and the password is no longer available.

Do you have an encryption query? When and where should it be used? What type? How does encryption enable compliance, and with what? Contact us today.
