The UK Information Commissioner’s Office (“ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.
Here are some key take-aways from the guidance:
- Controlling access to a device using a password or PIN is not encryption and does not provide an equivalent level of protection;
- It is important to understand the types of protection a particular encryption methodology offers to determine whether it is suitable for any particular scenario;
- There are differences between full disk encryption, individual file encryption, and encrypting data in transit, and it is important to understand which is appropriate in the circumstances; and
- It is of paramount importance to keep the encryption key secure – an obvious point which is frequently overlooked.
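The first and last take-aways are easy to state and easy to get wrong in practice, so here is a small worked example (added to this summary; it is not code from the ICO guidance or from this post). It contrasts a PIN-gated store, which only checks a PIN before showing data and leaves the data itself readable on disk, with genuine file encryption under a key derived from a passphrase, where the stored bytes are useless without the secret and any tampering is detected. To keep the example runnable with nothing but the Python standard library it uses an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag as a stand-in for a vetted authenticated cipher such as AES-GCM; in a real deployment you would use a reviewed library cipher instead. All function names and the sample record are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample record: the kind of sensitive field a portable device might hold.
SAMPLE_RECORD = b"patient=Jane Doe;nhs_number=000-000-0000;diagnosis=redacted"


# --- "PIN lock" only: access control, not encryption --------------------------
def pin_locked_container(pin, data):
    """Store a hash of the PIN next to the data. The device UI checks the PIN
    before displaying the record, but the bytes written to disk are the plaintext."""
    pin_hash = hashlib.sha256(pin.encode()).digest()
    return pin_hash + data


def open_pin_locked(container, pin):
    """Return the record only if the PIN matches; anyone who reads the raw file
    bypasses this check entirely."""
    stored, data = container[:32], container[32:]
    candidate = hashlib.sha256(pin.encode()).digest()
    return data if hmac.compare_digest(stored, candidate) else None


# --- File encryption under a passphrase-derived key ---------------------------
def derive_key(passphrase, salt):
    """scrypt slows down guessing of weak passphrases; returns 64 bytes,
    split below into an encryption key and a MAC key."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 driven in counter mode: a stdlib-only stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(passphrase, plaintext):
    """Layout of the stored blob: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_file(passphrase, blob):
    """Verify the tag before touching the ciphertext; wrong passphrase or any
    modification of the blob yields None rather than garbage."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def plaintext_recoverable_without_secret(stored_bytes, marker):
    """The lost-device question: is the sensitive field readable from the raw bytes
    without knowing any PIN or passphrase?"""
    return marker in stored_bytes


if __name__ == "__main__":
    pin_store = pin_locked_container("1234", SAMPLE_RECORD)
    enc_store = encrypt_file("correct horse battery staple", SAMPLE_RECORD)
    print("PIN lock leaks record:", plaintext_recoverable_without_secret(pin_store, b"nhs_number"))
    print("Encryption leaks record:", plaintext_recoverable_without_secret(enc_store, b"nhs_number"))
    print("Decrypts with passphrase:", decrypt_file("correct horse battery staple", enc_store) == SAMPLE_RECORD)
```

Running it shows the PIN-locked file still contains the record in clear, while the encrypted file does not and only the correct passphrase recovers it. The fourth take-away follows directly from the layout: the salt and nonce may sit in the file, but the passphrase (or the key derived from it) must not, because a blob stored next to its own key is no better protected than the PIN-locked one.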