ICO releases new encryption guidance

By Peter Brown, Senior Technology Officer

So many data breaches that make the headlines lead to questions about whether the data placed at risk was encrypted. All too often, despite the relative ease with which encryption software can be used, the answer is either ‘no’ or ‘we’re not sure’.

Today the ICO has published updated guidance on encryption, featuring several scenarios designed to help you consider when and how you should use encryption.

A question we often get asked is whether or not encryption is a legal requirement. The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption, being a widely available technology with a relatively low cost of implementation, is one such measure.

The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur.

On top of the fines, data controllers risk significant damage to their reputation if they do not store personal data securely.

The recently announced DROWN vulnerability demonstrates the importance of good cyber hygiene, which involves dropping support for old and insecure protocols and keeping your current systems up to date.

Many of the cases we see involve data controllers making basic errors, like storing personal data on unencrypted devices such as USB sticks which are then stolen or lost. Other cases include data controllers failing to dispose of IT equipment correctly, or sending sensitive personal data in an unprotected form to the wrong individual.

Everyone’s needs are different when it comes to encryption; the ‘right’ encryption will depend on the sensitivity of the personal data being processed and how that data is stored. There are many encryption products available and data controllers can use these without having to build their own solution personally.

Encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.

Peter Brown is a Senior Technology Officer within our Technology team, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.

One Response to ICO releases new encryption guidance

  1. Reblogged this on 121prodata and commented:
    This is very useful – for smaller businesses in particular – what do you think?
