The Information Commissioner’s Office (ICO), the UK’s
independent authority for data protection and information rights, recently released
new guidance on encryption best practices. Although encryption of personal data is not
explicitly mandatory under UK data protection legislation, the ICO strongly recommends
that organizations handling personal data use it, and warns that failing to do so
may count against them when data is lost.
“In recent years there have been numerous incidents
where personal data has been stolen, lost or subject to unauthorized access,”
the ICO states.
“In many of these cases, these were caused by data
being inadequately protected or the devices the data was stored on being left
in inappropriate places – and in some cases both. The Information Commissioner
has formed the view that in future, where such losses occur and where
encryption software has not been used to protect data, regulatory action may be
pursued.”
The guidance highlights a number of cases in which
organizations were fined for failing to keep personal data secure. The lost or
unencrypted removable media in those cases included personal data on over 1,000
people linked to serious organized crime investigations, information and evidence
concerning vulnerable children, and sensitive information on hundreds of children
with special educational needs.
It also drew attention to a case involving a
financial services company that could not account for two backup disks
containing more than half a million customer records, and to a case involving a
local authority in Scotland that misplaced two laptops holding the personal
information of over 20,000 people. In both instances the data was not encrypted,
so the loss of the device meant the loss of confidentiality of everything on it.
The UK’s Data Protection Act 1998, which implements the
EU Data Protection Directive and is therefore closely aligned with privacy laws
across the European Union, states in its Principle 7:
“Appropriate technical and organizational measures
shall be taken against unauthorized or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal data.”
The ICO recommends that organizations carry out a
Privacy Impact Assessment to identify and reduce the privacy risks of their
projects. Encryption should always be among the controls considered, alongside
the other technical and organizational security measures that Principle 7 requires,
with particular attention to data stored on laptops, removable media and backups
that can leave the organization’s premises.