Consultation on updates to our encryption guidance – summary of responses
Introduction
In May 2025 we launched a public consultation seeking your views on a new version of our encryption guidance.
The consultation ran until 24 June 2025. This page summarises the key themes emerging from the consultation responses.
We received 15 responses to the public consultation. We thank everyone who took the time to comment and share their views.
| Category of respondent | Responses |
|---|---|
| An organisation seeking to use (or already using) encryption to protect personal information | 7 |
| An organisation that provides encryption technologies (e.g. software or hardware solutions) | 3 |
| An academic or researcher | 0 |
| An individual acting in a professional capacity | 3 |
| An individual acting in a private capacity (eg someone providing their views as a member of the public) | 1 |
| Other | 3 |
Please note that more than one category applies for some respondents.
About the consultation
In general, the responses were positive. Most organisations said the draft guidance was clear and easy to understand, and that it was easy to find information within it.
In analysing these responses we’ve identified several key themes. We’ve summarised these here, set out what you asked for and how we’re going to respond.
Key themes
Case examples
The guidance includes some worked examples from ICO casework where the use of encryption could have reduced the impact of security incidents. But we took out some older examples from the 1998 Act.
Many of you preferred having more real-world examples of these incidents – you said they helped you understand the types of risk to look out for and what our regulatory expectations are, even if the incidents happened some time ago.
Some of you also wanted the examples we did include to have more detail. For example, what the specific issues were, why the organisation faced regulatory action, and what they could have done to avoid it.
ICO response
We’ve put back in most of the examples from the previous version of the guidance. We’ve also included some more recent ones.
We’ve also added some more details and included links to archived versions of the regulatory action we took. These are to past versions of the ICO website on the National Archives. Many of these pages include the actual notices we issued at the time. These say what happened and why we took action.
Cloud computing
We included some new content about encryption and the cloud. Some of you wanted a few more specific examples about common cloud use cases, like scalable computing, in order to help you with your risk assessments.
ICO response
We’ll be updating our cloud computing guidance in due course. We think the development of this guidance is the better place to consider these use cases. Depending on this, we may do some targeted updates to the scenarios in the encryption guidance afterwards.
We’ve also added links to our guidance on privacy-enhancing technologies (PETs), which includes some examples that may be useful for cloud-based scenarios.
Mentions of specific encryption products and standards
The guidance gives a number of examples of commonly-used software that may include encryption features. Some of you wanted more examples of these, such as password managers and trusted authentication services.
Others asked about the role of Cyber Essentials and other industry practices, standards and approaches.
ICO response
We agree that in principle, signposting to commonly used tools can be useful and practical. This is why we included more references to encryption features in widely-used software applications as well as to specific tools like VeraCrypt. But we’ll continue to keep this under review and consider adding more references as appropriate.
For tools like password managers, we think other products like the security outcomes or our guidance on passwords in online services are more appropriate to discuss these. We’ll consider whether any changes like this are needed in future reviews of those products as well.
Our main security guidance advises organisations that Cyber Essentials is a good starting point. And that depending on the context of the processing, organisations may need more sophisticated technical and organisational measures.
Encryption, anonymisation and pseudonymisation
The guidance includes a section about encryption and data protection law. The majority of respondents agreed that this section was clear. But several of you wanted us to include some more information about encryption and re-identification risks. You also suggested that we highlight the benefits of pseudonymisation as a risk reduction measure.
You also asked about including references to recent guidance from the European Data Protection Board (EDPB) and case law from the Court of Justice of the European Union (CJEU).
ICO response
We provide advice about most of these issues in our guidance on anonymisation and pseudonymisation, and what we say in the encryption guidance builds off this. For example:
- assessing identifiability risk, including looking at the status of data in the hands of different parties; and
- the benefits of pseudonymisation, including how it can help you reduce risk and process personal data for other purposes.
We’ve added more references to the anonymisation guidance at relevant places in the encryption guidance to make these links clear. We’ve also added some more content about how encryption can form part of how you go about complying with the security principle – ie, it’s a technical measure you can use to protect personal information.
EDPB guidelines are no longer directly relevant to the UK data protection regime. Similarly, new CJEU case law doesn’t apply in the UK. For more information about changes since the UK left the EU, see our guidance on data protection and the EU.
Clarifications
We received some helpful suggestions for minor clarifications or additions in different parts of the guidance. These included:
- a suggestion to refer to integrity checks to detect tampering;
- adding a reference to encrypting storage systems in an example about full disk encryption;
- highlighting risks of insider threats, eg in the context of things like administrators misusing encryption keys;
- adding references to password length and not just complexity; and
- considerations for the use of HTTPS testing tools.
ICO response
We agree with these suggestions and have made some changes to reflect them:
- We’ve added a good practice recommendation to include integrity checks to ensure that an attacker can’t tamper with encrypted data even if it hasn’t been accessed.
- We’ve added a reference to encryption of storage systems into the example on full disk encryption.
- We’ve included a reference to insider threats as well as links to NIST guidance on key management.
- We’ve made sure the content about passwords aligns with our guidance on passwords in online services. This refers to both length and complexity.
- We’ve added a good practice recommendation about considering safe testing environments for HTTPS testing tools.
There were some other suggestions about wording, terminology and definitions. Based on the consultation responses as a whole, we think that the guidance strikes the right balance at the moment. We’re not making any changes right now, but we’ll keep things under review.
Scope of the guidance
The guidance largely focused on updates rather than covering entirely new topics. Most of you agreed with this, but some suggested we include things like end-to-end encryption (E2EE), homomorphic encryption or post-quantum cryptography. Others suggested that we mention other security methods alongside encryption, like hashing and salting.
ICO response
For this update, we decided to refresh the main topics and not cover things like quantum cryptography or E2EE. This is partly because we have other guidance that talks about these. For example:
- our statement on E2EE (PDF);
- our guidance on PETs, which discusses homomorphic encryption; and
- quantum computing in our tech futures report.
As the state of the art develops, we may include some of these topics in future versions of the guidance.
Respondents who asked about other security measures also acknowledged that these may be out of scope of this guidance product specifically. The guidance does talk about this, noting the importance of taking a ‘defence in depth’ approach to security and how encryption can form a part of this. Our wider guidance on data security discusses security measures as a whole.
Checklists, standards and staff training
The guidance discusses encryption standards, regular testing and staff training. But some of you suggested that we include a checklist covering these things as a way of helping organisations when they consider using encryption.
ICO response
We do include a checklist in our ‘in brief’ version of the encryption guidance. This talks about:
- having an encryption policy;
- staff education and training;
- ensuring encryption solutions meet appropriate standards; and
- keeping encryption under review to take account of technological developments.
We wrote this shorter version of the guidance to follow the content of the longer, more detailed one.