ICO publishes new encryption guidance

Updated guidance on the use of encryption has been released by the UK's Information Commissioner's Office (ICO), Technology Law Dispatch reports.

The guidance highlights the areas the ICO expects encryption software to be used. It also reveals that in the future, if a data breach occurs and encryption has not been used, 'regulatory action may be pursued'.

Although the term 'encryption' is not in the UK's Data Protection Act 1998, the requirement to implement the technique for specific types of data derives from the obligation to implement 'appropriate technical and organizational measures' to protect against destruction, damage or loss of personal data.

While it is not necessary or possible to encrypt all personal data, the guidance makes it clear that organizations must take a risk-based approach to using the technique.

The ICO has built upon its previous guidance by making key recommendations, including the following:

• An encryption policy should be in place in organizations and guidance should be offered to assist staff in understanding it. Organizations should be aware of any industry or sector-specific guidelines that are in place.

• Personal data should be stored in an encrypted form, particularly in cases where its loss would result in damage or distress to individuals.

• When transmitting personal data over the internet, an encrypted communication protocol should be used on sensitive personal data.

As operations change and methods of encryption are updated, organizations' encryption policy will require amendment.

As the implementation of GDPR (the General Data Protection Regulation) approaches, guidance such as the ICO's will help give an insight into how data protection authorities could enforce the new powers.