Data protection: new ICO guidance on implementing encryption to ensure the security of personal data

Industry specialisms | 02.10.2025 | 6 mins read

Key takeaways

  • ICO emphasises encryption as a core security measure: organisations must apply robust standards to protect personal data.

  • Guidance outlines practical steps for compliance: clear policies and technical controls reduce breach risks.

  • Failure to encrypt can lead to enforcement action: proactive implementation safeguards reputation and avoids penalties.

To ensure the security of the personal data they process, data controllers must implement appropriate technical and organisational measures. Encryption is one of the most effective measures that can be used to ensure personal data can be processed securely, and to minimise the risk of the personal data being lost, stolen, or subject to unauthorised access.

The Information Commissioner’s Office (ICO) has recently published new guidance on encryption. Although this new guidance does not have the status of a code of practice, it will be considered by the ICO in the event of a data breach and/or compliance investigation, so data controllers should try to follow it wherever possible.

In summary, the ICO’s new encryption guidance:

  • explains the importance of encryption as an appropriate technical measure that can be used to protect personal data and keep it secure;

  • highlights the main compliance considerations under data protection law that data controllers should consider when implementing encryption;

  • clarifies the key difference between symmetric encryption (which uses the same ‘key’ to encrypt and decrypt the data) and asymmetric encryption (which uses different ‘keys’ for each part of the encryption process); and

  • provides advice for data controllers about implementing encryption techniques, including specific practical guidance around:

    • storing and processing personal data, including encrypted back-ups

  • encrypting removable storage devices and cloud storage

    • encrypting personal data on smartphones and tablets

    • transferring personal data to others in an encrypted format

    • using encrypted attachments

    • choosing the right encryption software, algorithm and ‘key’ size

    • securing the encryption ‘key’ appropriately

    • emails and faxing

    • CCTV, video surveillance and body-worn video
