It has long been the ICO’s position in dealing with data breaches that – where devices are lost or stolen (picture the classic “laptop left on a train” scenario) – the magic word “encryption” makes the difference between a forgivable accident and a reportable, sometimes enforceable breach of data security.
For smaller organisations in particular, the questions that usually follow this advice are either “what is encryption?” or, for the more enlightened, “what sort of encryption are we talking about?”. Encryption, for the uninitiated, is a mathematical process that renders information unreadable to anyone without the appropriate key.
Until this month the best “official” answer to the second, more specific question was to be found in the 7th Data Protection Principle: namely whatever method provides the appropriate level of protection for the type of personal data involved, to minimise the chances of it being accidentally or deliberately compromised.
In practice, for most organisations whose staff use portable devices, this means something that sits behind password protection so that unauthorised access to the hard drive will return only meaningless data, rendering it both confidential and anonymised (a form of “static” encryption, i.e. encryption of stored data). Although an organisation’s means are also a factor in what level of cyber security is “appropriate”, the relative ease and affordability of basic encryption software means that a tight budget is rarely likely to be an acceptable excuse.
At last (as of 3 March 2016) the ICO has now shown its hand in terms of practical, situation-by-situation guidance on what it expects to see in various contexts – numerous contexts in fact, covering some 35 pages including 17 data storage “scenarios” on everything from USB sticks to drones via wearable tech. It also usefully reminds data controllers, via its enforcement case studies, what the practical and regulatory consequences have been for notable failures in this regard – including everyday risks like misdirecting (unencrypted) email.
Key takeaways include:
- Be aware of the difference between “static” encryption and “end to end” encryption.
The former, while not a strict legal requirement, is now a must for mobile devices if organisations want to avoid public enforcement following a data breach. As the guidance says: “The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.”
“End to end” encryption (E2EE) covers communications being sent between devices, such as by email. It can be achieved by several means but requires the cooperation of both parties, and may be appropriate when highly sensitive data (or large volumes of data) are being sent for the eyes of a specific recipient only.
- Encryption is not a cure-all…
The ICO suggests, rightly, that encryption be considered “alongside other technical and organisational measures”. These range from password protection, anonymising and hashing (a one-way process, and not itself strictly a form of encryption), secure networks and good IT practice, such as not leaving devices logged in and unattended, to the more ‘human’ concerns like staff training and the application of “need to know” access policies. The ICO will expect to see all of these working in harmony in data-secure organisations.
- …but ignore it at your peril.
The new guidance makes it very clear, both in direct warnings and by repeated examples, that large fines (of up to £500,000) are not only available to the ICO for breaches of the Data Protection Act, but also that these powers are regularly used. Fines for serious breaches commonly reach £150,000 depending on the scale and nature of the leak, as well as the practices of the data controller responsible. Only abuses of direct marketing attract the same level and frequency of fine from the ICO.
The Information Commissioner has already indicated on several occasions that fine levels are on an upwards curve, even before the General Data Protection Regulation raises the ceiling. It is also clear that in certain cases, including many common scenarios, the presence or otherwise of encryption will be a major determinative factor in enforcement.
The new guidance is available to download here.
The ICO’s blog piece on the topic is here.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (firstname.lastname@example.org; 020 3375 7348) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2016