The UK Information Commissioner’s Office recently published further guidance (“Guidance”) on encryption on its blog. The Guidance supplements the ICO’s position on encryption which it published in October 2012. In the blog post, the ICO’s group manager for technology states that the ICO advises all organisations to use appropriate encryption if the loss of personal data could cause damage and distress to the individuals affected. The Guidance also clarifies that controlling access to a device using a password or PIN should not be mistaken for encryption and does not provide a level of protection equivalent to encryption. In practice a password or PIN can be easily circumvented to gain full access to the data, whereas if the data is properly encrypted and the encryption key is not available, it is close to impossible to recover the data in an intelligible form.
The Guidance sets out the different types of encryption available and advises organisations that it is important to understand the types of protection a particular encryption methodology offers to determine whether it is suitable for any particular scenario.
The blog post concludes by underlining the importance of keeping the encryption key secret. The ICO advises that to ensure the maximum level of protection offered by encryption, the key or password should be transmitted using an alternative means of communication. For example, the encrypted data could be sent by email and the key provided over the telephone once the intended recipient has confirmed that the data has been successfully received. By adopting this approach, even if the data is accidentally sent to the wrong recipient, the information will remain secure as the person will not have the necessary key to access it.
This guidance all makes sense and (putting data protection laws aside for a moment) is good data security advice which corresponds with best practice.
However, we await detailed consideration and security analysis by European data protection regulators, the Article 29 Working Party and European legislators of a more difficult data protection question in relation to encryption:
Q. Is encrypted (and hence unintelligible) data on a device or in the cloud relating to living individuals held by a party who does not have access to the relevant encryption key (which is exclusively and secretly held by the relevant data controller) properly considered “personal data”?
While in practice this question may be overly simplistic, an answer to it would demonstrate (at least in theory) how some modern-day technology solutions can truly address all of our concerns about data protection and make technology certification a focus for legal compliance.