Security Basics: Encryption

Most of the ICO's enforcement action relates to security breaches and frequently results in the regulator assessing whether data is encrypted and requiring encryption to be implemented where it isn't currently used (or requiring the standard of encryption to be improved where it isn't adequate to safeguard the data it is intended to protect, as in the recent Whatsapp example).  Here's a quick introduction to encryption and why it matters from a data protection perspective.

Let's start with the legal position and some myths.  The DPA doesn't require organisations to ensure that personal data is never compromised - no data is ever totally secure (even encryption isn't totally secure - recent reports emanating from disclosures made by Edward Snowden suggest that government security and intelligence agencies have decoded key internet security protocols which are routinely used to protect sensitive electronic data including bank and medical records).

So, if no form of security is totally safe, what does the DPA require and what does the ICO expect?  The key requirement is in the 7th principle of the DPA, which all data controllers must comply with (and which all data controllers must ensure that their data processors, e.g. service providers and sub-contractors, comply with by imposing the same obligation on them in a legally binding written contract).  It says:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

So the legal requirement is to implement appropriate security measures to guard against the risk of personal data being accessed or used in an unauthorised way.  When assessing whether security measures are appropriate, organisations can take into account the state of technological developments and the cost of implementing security measures i.e. you are not obliged to implement and maintain the most expensive security measures or the most up-to-date security measures, but those which you consider to be appropriate given the data that needs to be protected (and specifically considering the harm that might arise if the data is compromised and the nature of the data).

So, where does encryption fit into all of this?  Wherever data is held in electronic format, there are potential security issues - the data might be used by somebody who doesn't have appropriate permission (e.g. an employee or temp staff who can access data because of a lack of training or poor access controls), it might be copied onto or be accessible from a memory stick/a smartphone/tablet, or it might be intercepted when it is transmitted.  The risks with electronic data increase as our reliance on technology increases - organisations are increasingly reliant on 'the cloud' and masses of information are being held in remote datacentres around the world, which necessitates the transmission of data in order for it to be held and accessed in cloud-based infrastructure.

Not all of this is personal data (and where this is the case, the DPA doesn't apply) but there will be a large amount of personal data both in the regular sense of names, addresses, contact details as well as more oblique categories of data which many organisations may not consider to be personal data, but which is in fact caught by the DPA (i.e. any data relating to a person which enables that person to be identified from it or distinguished from others including behavioural data derived from internet enabled devices and apps - even if the ultimate end-user isn't identified by name).

Let's deal with some myths around encryption:

  • It isn't password-protecting documents, files or IT equipment - once a password is 'cracked', all of the information which is protected by the password is compromised (so password-protecting a device isn't an appropriate security measure if it holds customer or employee records, for example).
  • Not all encryption techniques are the same - encryption solutions are dynamic and standards change over time - simply using an encryption solution won't necessarily constitute an appropriate security measure, particularly if the 'key' that enables data to be decrypted is obvious or relatively easy to hack (e.g. using the mobile phone/IMEI number of end-user devices).
  • Encryption doesn't automatically cover everything - just as encryption solutions differ, so does the range of data that encryption can protect - individual devices may be protected (through full disk encryption) or individual files or batches of files may be encrypted (so that even if the file is transferred to another device or a memory stick, it remains encrypted).  That just deals with data 'at rest' - depending on the way in which you make data available, you may also need to consider how you encrypt data which is being transmitted across networks when it is 'in transit' - and if that's the case, how data remains secure/encrypted once it has been securely transmitted to the recipient.  The regulatory guidance on cloud recommends the use of encryption techniques both when data is 'at rest' and 'in transit', and the regulator has consistently encouraged the use of encryption as an effective way of protecting personal data.
  • The key is key - encryption works on the principle that the person who holds the key can decipher the data - so, you need to ensure that you understand what the key is and who has access to it (and take steps to ensure that knowledge of the key is also kept secure through appropriately secure processes).
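The first and fourth points above can be shown concretely. The example below is added here and is not the post's own material; it contrasts a 'password-protected' store, where the record sits unchanged behind a login check, with an encrypted store, where the record is unreadable without the key. The keystream is a stdlib-only demonstration construction (HMAC-SHA256 in counter mode); a real deployment would use an authenticated cipher such as AES-GCM from a vetted library, and the sample record is constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample record (not real data): the kind of customer record the post refers to.
RECORD = b"name=Jane Example;postcode=AB1 2CD;dob=1980-01-01"

def gated_store(password: str, data: bytes) -> bytes:
    """'Password protection': the password is only a gate; the bytes behind it are stored as-is.
    Whoever reads the medium directly (lost laptop, copied memory stick) bypasses the gate."""
    gate = hashlib.sha256(password.encode()).digest()  # a login check, not a transformation of the data
    return gate + data

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Demonstration keystream: HMAC-SHA256 over (nonce || counter), trimmed to n bytes.
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypted store: a fresh nonce per record, XOR with the keystream, then an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # detects tampering or a wrong key
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def opens_with(key: bytes, blob: bytes) -> bool:
    """Does this key decipher the blob? Only the key holder should get True."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False

def contains_plaintext(stored: bytes, record: bytes) -> bool:
    """The question an investigator asks after a loss: is the record readable straight off the medium?"""
    return record in stored

def random_key() -> bytes:
    # 256 bits from the OS CSPRNG: unlike a key derived from an IMEI, it cannot be guessed from the device.
    return secrets.token_bytes(32)
```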

Encryption basically enables data to be rendered unintelligible to a recipient unless they hold the key which enables the data to be deciphered.  If it all sounds a bit like the battle waged by mathematicians at Bletchley during the Second World War as they tried to crack the key to the codes used by 'enigma' machines, that's because the concept is exactly the same.  In a digital world, protocols have been developed to enable data to be encrypted on a mass scale so that organisations and people can communicate securely with one another by using digital certificates (you'll have noticed the 'padlock' appearing in your browser and 'http' changing to 'https' when a secure socket layer or transport layer security protocol is being used to encrypt data accessed through a web browser).  What links ciphers utilised in Greek and Roman times to 'enigma' machines through to contemporary digital encryption solutions is that all of them require the recipient to have the correct 'key' to decipher the data.

So that's our introduction to encryption which coincides with the ICO's own update on encryption which was issued in the wake of three recent security failures resulting in fines of over £700k being levied where encryption techniques weren't used but which may have avoided/mitigated the breach had they been utilised.

The final point to note on encryption takes us back to where we started - the ICO's investigations into security breaches involving personal data held in electronic format have always included a focus on encryption, and enforcement action has regularly and routinely resulted in the regulator mandating the use of encryption to safeguard personal data.  If you're holding data about individuals in electronic form, don't take the risk - make sure that you:

  • Regularly evaluate the data that you're holding.
  • Regularly assess the harm that might be caused to the people whose data you're holding if it's used in an unauthorised way.
  • Regularly evaluate whether your current security measures are appropriate to the data that you hold about people and the harm that they might suffer if your security measures are breached (which, we hope, includes encryption solutions, staff training and robust policies and procedures; and, if you have personal data hosted in the cloud, that you've checked and are comfortable with the encryption standards that your service provider and its service providers/sub-contractors are using, and that you have a contract in place with your cloud service provider, or any service provider for that matter, etc.).

We'll stop now, but you get the point - security is key to data protection compliance and encryption is key to security in a digital world.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.