
Encryption and data protection


What does UK data protection law say about encryption?

Article 5(1)(f) of the UK GDPR states that you must process personal information:

“… in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

This is the integrity and confidentiality principle, or security principle for short. Although the UK GDPR does not define the meaning of ‘appropriate’, it has further considerations in Article 32 on security of processing. 

“Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) pseudonymisation and encryption of personal data”

You must implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing.

Does this mean we must encrypt personal information?

No. The UK GDPR doesn’t specifically require you to use encryption or encrypt all personal information you hold. But it does say you must process the personal information securely, and it includes encryption as an example of an appropriate technical measure. 

Encryption is a widely available measure and is relatively easy to implement. There are many low cost, easily deployable encryption tools and solutions.

Specifically, you should use encryption to protect personal information when: 

  • it is in transit electronically (eg online);
  • you store it on computing devices like PCs, laptops, smartphones and tablets; and
  • you store it on removable media.

These types of encryption and how to implement them are explained further in the ‘encryption in practice’ section.

Further reading – ICO guidance

Security

How do we decide whether encryption is appropriate? 

Although encryption is a widely available measure and is relatively easy to implement, it is not suitable for every processing operation and may not mitigate some types of risk.

So, you should consider encryption alongside other measures that may be relevant to the risks you identify, as part of a ‘defence in depth’ approach to security. 

You should assess your information risk before deciding on what measures are appropriate. For example, review the personal information you hold to determine its value, sensitivity and confidentiality, and the risks attached to it.

You should look at this as part of any data protection impact assessment (DPIA) you carry out. Although it is good practice to carry out a DPIA for any intended processing activity, there are some where you must do so to comply with the law. (See our DPIA guidance for more information.) 

Ultimately, whether or not encryption is the right measure to put in place depends on your circumstances. For example: 

  • the processing you want to carry out;
  • the risks it may pose to people’s rights and freedoms;
  • the state of the art of technology available to you to protect that data; and
  • the cost of implementing encryption.

Regardless of whether you do a DPIA, you should consider factors such as:

  • the potential damage or distress to people if the data was compromised;
  • the nature, scope, context, purpose of processing and extent of your organisation’s premises and computer systems; and
  • the number of staff you have and the extent of their access to personal information.

There is always risk in processing personal information. Even where you assess the risks to be lower, some encryption measures are very likely to be appropriate. 

Where there is greater risk, a wider selection of encryption or other security measures is likely to be appropriate.

You should have a policy governing your use of encryption, including guidelines to help staff understand when they should and should not use encryption.

Example

An organisation uses spreadsheet software to keep track of personal information. The spreadsheet software allows users to encrypt the spreadsheet with a password they enter. 
The organisation instructs staff not to use that functionality unless the spreadsheet is being sent to someone outside the organisation.

The organisation does not have a process in place to keep track of the passwords used. This means that when a staff member forgets, loses or mistypes the password, the personal information in the spreadsheet is inaccessible. 

Personal information becoming inaccessible in this way will likely mean the organisation has not implemented appropriate security measures. It may also constitute a personal data breach (eg if the data is then unavailable to the organisation). 

To mitigate this risk, the organisation decides to operate centrally managed encryption measures to protect this information. 

You should take account of any industry or sector-specific guidelines. These may include a minimum standard or expectation, or recommend a specific policy or approach to encrypting personal information. 

Further reading – ICO guidance

Other resources

The General Council of the Bar:

The Attorney General’s guidelines on information security and government work, that include a section on storing and handling electronic material. 

The Payment Card Industry Data Security Standard (PCI-DSS). Requirements 3 and 4 of the PCI-DSS cover the protection of cardholder data in storage and in transit. If you use encryption as part of the measures, there are specific considerations detailed in each of the requirements.

How should we consider the state of the art and cost of implementation of encryption?

When you assess whether a technical or organisational measure is appropriate, you must consider the state of the art of technology and the cost of implementing that measure. 

To understand what ‘state of the art’ means in the context of encryption, you could think about whether a particular encryption technology is: 

  • widely available or widely used;
  • aligned with recognised industry standards (eg FIPS 140-3 or FIPS 197 from the National Institute of Standards and Technology (NIST)); or
  • certified or accredited (eg by the NCSC’s Certified Assisted Products Scheme (CAPS)).

Many types of encryption are well-established and widely deployed. There are many solutions, and you can often implement encryption relatively easily at little or no cost. 

For example, encryption is widely available in the context of protecting:

  • computing devices (eg full disk encryption);
  • files and folders on computing devices (eg file encryption, encrypted containers);
  • web traffic, including online communications;
  • emails; and
  • removable media (eg external storage devices like USB drives or portable hard disks).

What happens if we don’t encrypt personal information?

Poor information security doesn’t just leave your systems and services at risk. If the data you process is compromised, this can cause real harm to people. In extreme cases, lives may even be endangered. 

Additionally, you may face risks of regulatory action and reputational damage, if you don’t put appropriate security measures in place.

Some examples of the harms that poor information security can cause include:

  • identity fraud;
  • fake credit card transactions;
  • targeting of people by fraudsters, potentially made more convincing by compromised personal information;
  • witnesses put at risk of physical harm or intimidation;
  • offenders at risk from vigilantes;
  • exposure of the addresses of service personnel, police and prison officers, and those at risk of domestic violence;
  • fake applications for tax credits; and
  • mortgage fraud.

Although these serious consequences do not always happen, people are still entitled to be protected from less serious kinds of harm, such as embarrassment or inconvenience.

Further reading – ICO guidance

Is encryption relevant for other parts of UK data protection law?

Yes. Alongside the security principle and the provisions on security of processing, encryption may be relevant for compliance with your data protection by design obligations in Article 25. 

These mean you must put in place appropriate technical and organisational measures to implement the data protection principles effectively and integrate necessary safeguards into the processing. 

You must do this at the design phase of any processing you want to do, as well as for the duration of the processing. 

Implementing the data protection principles effectively includes ensuring appropriate security. Therefore, encryption can be an effective way to demonstrate that you’ve put in place a data protection by design approach.

Further reading – ICO guidance

Data protection by design and by default

Does encryption remove the risks?

No. Encryption can reduce risks, but it does not remove them entirely. Residual risks may remain. You should consider the benefits that encryption will offer in the context of your processing, as well as these residual risks and how you will manage them.

You should also consider whether there are other security measures that may be appropriate for you to put in place, either instead of encryption or alongside it, as you cannot use encryption in every situation.

If you lose a decryption key it means that no-one, including you, is able to decrypt the data. You should mitigate this risk through proper key management, file storage or backup procedures.

Depending on the circumstances, loss of a decryption key may constitute “accidental loss, destruction or damage” to personal information. Additionally, if you cannot restore the data, this may constitute a personal data breach due to a lack of availability. 

This can result in harm to people if the personal information is lost because the encryption key is lost. For example, a person may be unable to access important financial documents, personal videos or photos.
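The spreadsheet example above and the key-loss paragraphs here describe the same failure mode: a single password or key, held only by one staff member, is the only way back to the data. The following Go program is an added illustration (not ICO code) of the "centrally managed" mitigation: each file is encrypted under a random data key, and that data key is wrapped twice, once under the staff member's key and once under an organisation recovery key held by a central key-management process, so a forgotten user key does not make the personal information inaccessible. The Envelope type, the key names and the 32-byte key handling are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct{ Content, UserWrapped, OrgWrapped []byte }
const nonceSize = 12 // standard AES-GCM nonce length

// gcm returns AES-256-GCM; the fixed 32-byte key type rules out key-length errors.
func gcm(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts under key with a fresh random nonce prepended to the output.
func seal(key *[32]byte, plaintext []byte) []byte {
	nonce := make([]byte, nonceSize)
	rand.Read(nonce) // crypto/rand never yields bad bytes; current Go aborts on failure
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key, tampered data or a short input.
func open(key *[32]byte, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceSize {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}

// Encrypt produces an Envelope that either userKey or orgKey can later open.
func Encrypt(userKey, orgKey *[32]byte, plaintext []byte) *Envelope {
	var dataKey [32]byte
	rand.Read(dataKey[:])
	return &Envelope{seal(&dataKey, plaintext), seal(userKey, dataKey[:]), seal(orgKey, dataKey[:])}
}

// Decrypt tries key against both wrapped copies of the data key, so the central recovery key still opens the file after the user's key is lost.
func Decrypt(key *[32]byte, e *Envelope) ([]byte, error) {
	for _, w := range [][]byte{e.UserWrapped, e.OrgWrapped} {
		if dk, err := open(key, w); err == nil && len(dk) == 32 {
			return open((*[32]byte)(dk), e.Content)
		}
	}
	return nil, errors.New("key does not open this envelope")
}
```

The recovery key is only a mitigation if the central process that holds it is itself protected and backed up; losing that key reproduces the original problem at organisation scale.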

Encrypting data can reduce the risk of a personal data breach and the extent that it impacts people’s rights and freedoms. This in turn can determine whether: 

  • you must tell people about it; or
  • you don’t have to, eg because the encryption makes the personal information unintelligible to anyone not authorised to access it.

However, you must still check whether you need to tell us about the personal data breach.  

If we encrypt personal information, does this count as processing?

Yes. Article 4(2) of the UK GDPR defines ‘processing’ as any operation or set of operations performed on personal information. It includes ‘adaptation or alteration’. The process of converting personal information from plaintext into ciphertext is an example of adaptation or alteration.

Is encrypted data still personal information?

From your perspective, yes. Although the status of encrypted data as personal information can depend on the circumstances, ultimately if you decided to carry out encryption, then the encrypted data is still personal information in your hands. 

This means encryption is typically a pseudonymisation technique. It is a security measure designed to protect personal information and is reversible with a key. 

You should not automatically view your use of encryption as an anonymisation technique or assume the encrypted data is not subject to the requirements of data protection law.

If you can access the encrypted data and the key, you have the means available to re-identify people through decryption of that dataset. Therefore, the encrypted data is personal information and UK data protection law applies to it.

This means you must also comply with the law when processing that encrypted data (eg if you store it, retrieve it, consult it, or otherwise use it).

Likewise, the encrypted data is subject to UK data protection law, if you are a processor acting on behalf of a controller who can decrypt the dataset, or vice versa. You are simply carrying out processing on behalf of your controller. The status of the data in their hands is what matters. 

Further reading – ICO guidance

Anonymisation