Out-Law News 2 min. read

Data watchdog encourages companies to get encryption software independently assessed


Organisations should get the encryption software they intend to use independently assessed where it is "of critical importance" that they can be sure the personal data they are responsible for cannot be accessed via built-in vulnerabilities in the software, the UK's data protection authority has said.

The Information Commissioner's Office (ICO) made the recommendation in new guidance it has produced on encryption.

"Software can use a state of the art algorithm and a suitably long key to output encrypted data, but if its development did not follow good practice, or the product itself is poorly tested or subject to insufficient review, there may be vulnerabilities or other opportunities for attackers to intercept data or break the encryption without the users’ knowledge," the ICO said.

"It is also possible that the encryption software includes an intentional weakness or backdoor to enable those with knowledge of the weakness to bypass the protection and access the protected data. It is therefore important to gain an external assessment of encryption software where it is of critical importance to have an assurance that such vulnerabilities do not exist," it said.

The ICO's guidance said that encryption is one of a number of "technical and organisational security measures" that organisations should consider using to prevent the unauthorised accessing of personal data. It said data controllers should set out a specific policy governing the use of encryption. This should include "guidelines that enable staff to understand when they should and should not use it".

"For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format," the ICO said. "Data controllers should also be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data."

Organisations should "regularly assess whether their encryption method remains appropriate", the watchdog said.

Under the Data Protection Act organisations are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Peter Brown, senior technology officer at the ICO, said: "The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption, being a widely available technology with a relatively low cost of implementation, is one such measure."

"The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur. On top of the fines, data controllers risk significant damage to their reputation if they do not store personal data securely… Encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it," he said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.