New guidance has been issued by the Information Commissioner’s Office (ICO) on the use of encryption software to protect personal information. It confirms that regulatory action may be taken where personal information is lost, stolen or subject to unauthorised access and encryption software has not been used, resulting in potentially substantial financial penalties as well as loss of reputation.
Although there is no provision within the Data Protection Act 1998 (DPA) that specifies the need to encrypt personal information, Principle 7 of the DPA states that ‘appropriate technical and organisational measures shall be taken’ to ensure any personal information held by an organisation is kept secure.
The ICO guidance is comprehensive and should be useful at least as an introduction for organisations of all sizes. It outlines the types of encryption software available and gives sample scenarios and details of previously issued fines. For example, Greater Manchester Police was fined £150,000 following the loss of an unprotected USB stick containing personal data of over 1000 people. A £150,000 fine was issued to the Nursing and Midwifery Council following the loss of three DVDs containing confidential information and sensitive personal information. A further £150,000 penalty was issued to Welcome Financial Services after the loss of over 500,000 sets of customers’ details. These are just three examples of several fines issued over recent years.
It seems the days of giving data protection little more than a cursory nod are over, and organisations really do need to sit up and pay attention. As Peter Brown from the ICO says, ‘encryption doesn’t have to be complicated or difficult… don’t wait until after a data breach to start using it’. For more information or advice concerning encryption or any other aspect of data protection, please contact me.