Encryption scenarios
In detail
There are a number of typical data processing activities where you should consider using encryption. In each case, it is important that you consider the residual risks even after implementing encryption.
The purpose of this section is to explore some of typical scenarios where personal data is processed, to indicate where you should consider encryption and to highlight the remaining risks that you should take into account.
- Transferring personal data by CD or DVD
- Transferring personal data by USB device
- Sending personal data by email
- Encrypted email
- Encrypted attachments
- Digital signatures
- Backups
- Sharing personal data online
- Mobile devices
- Fax
- Online Faxing
- CCTV
- Photography and video equipment
- Body worn video
- Law enforcement use of BWV
- Audio recordings
- Unmanned Aerial Systems (UAS)
Transferring personal data by CD or DVD
When it is necessary to transfer a large volume of personal data from one location to another you might consider using a physical disc such as a CD or DVD. In this scenario, you must consider the format of the data on the disc and the security of the transfer (eg the postal service used).
Using a recorded delivery method or specialist courier will give assurances that the disc is signed for by the intended recipient. This reduces, but not entirely eliminates, the risk of the personal data being intercepted, lost or stolen.
If you send the data unencrypted there is a risk that if it was lost or stolen any third party could gain unauthorised access to the personal data.
It is therefore necessary for you to consider encryption as a means of adding an additional layer of protection.
Encrypting the data on the disc ensures that an attacker could only gain access to the personal data by breaking the encryption.
However, in order to decrypt the data the recipient must have access to the correct type of hardware to read the disc (ie access to a CD drive) and compatible software to decrypt the data (in some cases the exact same software will be needed). This can cause some difficulties in corporate environments which have disabled access to CD drives or do not permit users to install unauthorised software.
You also need to consider a method to transfer the key or password to the recipient. To achieve the maximum guarantees that can be offered by the use of encryption the password must be transferred over a separate communication channel, eg by disclosing the password over the telephone upon confirmation that the package has been delivered. Including the password within the same envelope as the disc effectively removes the protection offered from the encryption.
Example
The Nursing and Midwifery Council were issued with a £150,000 Civil Monetary Penalty (under the DPA98) after the council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children.
The ICO investigation found the information was not encrypted.
Transferring personal data by USB device
USB devices such as memory sticks or external hard drives offer a convenient way to transfer data. However, their small physical size and large data capacity means that large volumes of personal data can be lost or stolen with relative ease.
Furthermore, if personal data is not securely wiped from USB devices prior to reuse there is a possibility that data you consider ‘deleted’ could be recovered by a third-party.
Personal data can be encrypted by placing the files within an encrypted container on a USB device but this requires the recipient to have access to the same encryption algorithm or software.
Hardware-encrypted USB devices are also available which contain the necessary encryption capability embedded within the device, meaning that the data can be decrypted without the need for the user to install additional software. However, due to the security risks present in permitting the use of USB devices, it is possible that you have implemented policies which forbid or technically limit the functionality of USB devices within your network. In this case you would need to consider how you might transfer data to these devices, and likewise how you would access data on any you receive.
You also need to consider a method to transfer the key or password to the recipient over a separate communication channel.
Example
North East Lincolnshire Council was issued with a civil monetary penalty of £80,000 (under the DPA98) after a serious data breach resulted in the sensitive information of hundreds of children with special educational needs being lost.
The information was stored on an unencrypted memory stick and went missing after the device was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop the memory stick was gone and it has never been recovered.
The device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health problems and teaching requirements. The device also included the pupils’ dates of birth and some included details of their home addresses and information about their home life.
Sending personal data by email
Another common method of sharing information is by email. By necessity the TO, FROM, DATE and SUBJECT fields of an email are transmitted in plaintext and may be accessed by any unintended recipient or third-party who intercepts the communication. Without additional encryption methods in place, the email body and any attachments will also be accessible to any unintended recipient or third-party who intercepts the communication.
A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. You should be aware that encryption will only provide protection to personal data send by email if the incorrect recipient does not have the means to decrypt the data (eg does not have the decryption key).
Personal data can also be at risk if an individual gains unauthorised access to the email server or online account storing emails which have been read or waiting to be read.
The choice of password securing the server or email account is similarly important when considering the security requirements of the email system.
Some types of encrypted email solutions can be complex to set up and require the sender and recipient to have compatible systems for the encryption and decryption process. This can cause problems when you intend to send encrypted email to another organisation, to members of the public, or to anyone who has not previously been contacted.
Other systems are available which rely on the sender uploading encrypted data to a web application and using ordinary email to notify the recipient that a message is available (See ‘Sharing information online’ below).
There are efforts to design and implement a secure email protocol however there is still currently no universally-adopted method for sending email securely.
Some sectors have developed their own secure email systems, such as CJSM for criminal justice practitioners and NHSmail for sharing patient data. These solutions may be available to organisations working in these sectors and as a result should be used where possible, for as long as they continue to be supported. It is however important to recognise any residual risks with such systems and have appropriate policies in place to ensure correct usage. For example, systems may permit communication with external addresses in an unsecure and unencrypted manner. Sending a communication to the incorrect recipient may still remain a possibility.
Example
Surrey County Council was served with a civil monetary penalty of £120,000 (under the DPA98) after three data breaches that involved misdirected emails:
- a member of staff emailed a file containing the sensitive personal data of 241 individuals to the wrong email address. As the file was neither encrypted nor password protected, every recipient of the email could access the data. Subsequently, the Council was unable to confirm whether the recipients had destroyed the data or not;
- personal data was email to over 100 recipients on the Council’s newsletter mailing list; and
- the children’s services department sent sensitive personal data to an incorrect internal group address.
Example
North Somerset Council was served with a civil monetary penalty of £60,000 (under the DPA98) after five emails, two of which contained details of a child’s serious case review, were sent to the wrong NHS employee.
A council employee selected the wrong email address during the creation of a personal distribution list. The data itself was not encrypted, and thus was able to be viewed by the unintended recipient.
Following the receipt of the data, the council employee was informed of the error by the recipient, yet the information was emailed to this individual on several further occasions. After an internal investigation the recipient confirmed the emails had been destroyed.
The ICO also found that the Council had not delivered appropriate data protection training to relevant staff, and recommended that the Council adopt a more secure means of sending information electronically such as using encryption.
Other resources
For more information on NHSMail and data protection, visit the NHSMail Portal.
Encrypted email
Encrypted email can provide the capability to encrypt the body and attachments of emails. For example, OpenPGP and S/MIME standards are widely-used encryption methods which have been implemented by a range of free and commercial software products.
The sending and receiving of encrypted email requires the use of compatible email client software and requires configuration in advance. A wide range of free and proprietary products are available for desktop, laptop and mobile operating systems. There are some specialist webmail providers which support encrypted email but it is not generally supported by the majority of online email providers, although there are some browser plug-ins which can provide this capability and further progress is being made in this area.
Encrypted email uses asymmetric encryption and requires a user to generate a key pair before they will be able to send an encrypted email. Users will also have to exchange public keys before an encrypted email can be sent between them.
The private key must be kept secret.
Configuring encrypted email within a corporate environment can cause complications for server-based malware scanning products as the content and attachments will be encrypted and may even be actively blocked by the scanning software. There can also be compatibility issues with automated email processing systems or managing multiple private keys amongst multiple staff (eg a common mailbox at [email protected]).
It can also be difficult for some individuals to install compatible software, generate key pairs, and appreciate the necessity of key management. Furthermore, loss of the private key can mean that received emails that were encrypted with the associated public key cannot be decrypted.
It is therefore necessary for you to consider the risks and investment required and whether there are alternative solutions for encrypted transfer of data should be considered.
You should have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be sent encrypted.
Encrypted attachments
Email can also send information by encrypted attachments. The file is encrypted using software on the sender’s device and added as an attachment to a standard email.
This is similar in concept to sending data via USB devices or optical disks. In order to decrypt the attachment the recipient must have compatible software (in some cases the same software) and have access to the key. Commonly the key is derived from a shorter, more-memorable password which can be transferred to the recipient; however the password must be sufficiently long and complex to prevent compromise.
To achieve the maximum guarantees that can be offered by the use of encrypted attachments the key must be communicated over a separate communication channel, eg by disclosing the password over the telephone upon confirmation that the email has been delivered. Including the password within the same email as the encrypted attachment affords little protection to the encrypted personal data.
A common limitation to this method of data transfer is that most email providers will set an upper limit on the size of attachments that can be sent and received. Encrypted attachments that exceed any such limit would not be successfully sent.
Digital signatures
A digital signature can provide a level of trust that an email has not been intercepted or spoofed and that the contents match those that were sent by the sender. A digital signature by itself will not encrypt the communication.
Backups
Creating and storing a backup of data is an important component of a disaster recovery strategy. It is also important to keep a backup in a remote location (ie not in the same physical location as the live copy).
A common scenario is for an organisation to record backups onto tape, disk or other physical media which are moved to a secure location. If the data is stored in an encrypted format then it will be protected against unauthorised access. It will be important however to have good key management to ensure that the data can be accessed when necessary in the future.
In the case of a long-term backup or archive it may also be important to ensure that the data can still be accessed and that the encryption that was used remains appropriate over time. You will also need to consider the ‘right to erasure’ under Article 17 of the UK GDPR, and how this may apply when determining both the use of encryption and the retention period of your backups.
An additional option is for an organisation to use a cloud-based service for offsite backup or data storage. The data would typically be transmitted over the internet and stored on a remote server managed by the third-party cloud provider. Use of a secure transfer protocol (eg TLS) will ensure that data cannot be intercepted in transit. However, it is important to remember that without additional encryption methods in place the data will only be encrypted whilst in transit and be stored on the cloud provider’s system in the same form as it is stored on your system.
If you encrypt the data prior to transmission (and keep the key secure) this would mean that the cloud provider, or any third-party who gained unauthorised access to the data, would be unable to access the data.
Example
Welcome Financial Services Limited was served a civil monetary penalty of £150,000 (under the 1998 Act) after the loss of more than half a million customers’ details. The organisation was unable to locate two backup tapes which contained the names, addresses and telephone numbers of customers. Data on the backup tapes was not encrypted.
Sharing personal data online
There is a range of web applications that enable online file sharing. The feature can also be part of a larger product, such as within online word processing software where documents can be shared with a range of users to enable collaboration.
If you used a file sharing application you would typically transmit data to be stored on a server and accessed, over the internet, from a remote location. This could be achieved by you hosting your own system or by using a service managed by a third-party cloud provider.
Use of a secure transfer protocol (eg TLS) will ensure that data is not able to be intercepted whilst in transit. However, it is important to remember that without additional encryption methods in place the data will only be encrypted whilst in transit and not encrypted on the server or client device.
If the purpose of the online service is merely to provide a storage area from where the recipient can collect the data then you can encrypt the personal data prior to upload. This will ensure that no third-party (including a service provider) can gain access to the personal data. You can then grant the recipient access to the encrypted package. The sender will then need to transfer the key to the recipient.
If the web application performs some processing on the personal data then insisting that data remains in an encrypted form on the cloud server is a complex requirement. It either means that the service provider overlays their own encryption solution (for which they will likely hold the key) or requires a sophisticated key management system, which is not a feature found on most cloud-based file-sharing systems today.
It is more common that a web application offers the ability to ‘share a private URL’ or grant specific users access to individual files or folders. Whilst this can provide a secure and auditable means to share information, unless additional encryption methods are in place the files should not be regarded as being stored in an encrypted form. Even if data was stored encrypted a robust user authentication process, eg requiring a username and password, would still be a necessary component.
Mobile devices
By their very nature mobile devices such as laptops, smartphones and tablets have a high risk of loss or theft. Encryption of the data contained on the device can provide an assurance that, if this happens, the risk of unauthorised or unlawful access is significantly minimised.
Non-mobile devices, such as desktop PCs and servers, have a lower risk of loss or theft when they are stored and used in a secure location, eg, in a server room with restricted access. Although encryption is not generally used in non-mobile devices, you should recognise that there is still a risk of loss or theft of a disk or the device itself (eg during a break-in). Therefore, using encryption on non-mobile devices can be beneficial especially when the physical security cannot be maintained at an appropriate level.
Example
A civil monetary penalty notice of £150,000 (under the 1998 Act) was served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
The laptops were missing from the unlocked storage where they were being kept overnight.
Fax
Fax remains a common means of transmitting personal data from one location to another in particular industries. Due to the limitations of the technology it is not generally possible for a data controller to overlay additional encryption measures.
Although fax machines are not immune from interception whilst in transit the Privacy and Electronic Communications Regulations require the provider of a public communications network to assure the security and confidentiality of the service.
As it is not possible to implement encryption of the message, it is essential to ensure that faxes are sent to the correct recipient or to consider whether another means of communication may be more appropriate.
Fax machines in public areas also present a risk that received faxes are not collected and any personal data they contain can be read by any passing individual. One method of addressing this risk is to move fax machines into ‘safe havens’ - a secure physical location with an agreed set of organisational measures surrounding their usage.
Example
A civil monetary penalty of £75,000 (under the 1998 Act) was served on Bank of Scotland plc for repeatedly faxing customer’s account details to the incorrect recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.
The data controller failed to implement additional technical and organisational measures having been previously informed that faxes were being misdirected.
Further reading
Read our Canllaw i’r PECR for more information about public communications networks and their security obligations.
Online Faxing
Online faxing, also called internet faxing or e-faxing, allows for the sending or delivery of faxes via the internet without the need of a dedicated phone line or a fax machine. It may be offered as a subscription service, and may form part of a wider package of cloud-based communications products.
Online faxing may offer benefits such as reduced infrastructure cost, ensuring the receipt of documents and enabling faxes to be sent and received from anywhere with an internet connection. From a security perspective any benefits will depend on how the particular service is implemented. For example, faxes could be delivered to the email inbox of the recipient rather than immediately printed on receipt by the fax machine. Online services may also offer additional encryption whilst the data is in transit – although the actual extent of protection may be limited. It is also the case that sending a fax to an email inbox would be at risk from a similar set of security risks as sending personal information entirely via email.
When deciding whether to use online faxing, some factors to consider may include:
- whether the provider offers encryption of any part of its services and faxes sent through them, as standard or for additional cost;
- similarly, whether the provider offers secure online storage, and whether it includes additional features (eg, the ability to delete faxes from its servers upon delivery in cases where sensitive information may be sent);
- whether the provider offers an audit trail of faxes sent and received through its servers; and
- where the provider's services are located and whether they are based in a secure environment.
- Use of online faxing has grown in some sectors, such as housing and healthcare. Where sensitive personal data are likely to be transmitted using online faxing, it is important to make sure that suitable technical and organisational safeguards for the transmission and/or storage of data are in place.
CCTV
In general, CCTV is directed at viewing and/or recording the activities of individuals. Therefore, most uses of CCTV by organisations or businesses will be covered by the UK GDPR. The ICO issued a guidance on the use of video surveillance systems.
If you use CCTV systems that make use of wireless communication links (eg, transmitting images between cameras and a receiver), you should ensure that these signals are encrypted to prevent interception.
If you use CCTV systems that transmit images over the internet (eg, to allow viewing from a remote location), you should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access (eg, a username and secure password).
The devices used to store CCTV images are also a common target during a break-in (eg, to remove potential evidence of the crime). In the first instance, you should consider the physical security of the storage device such as whether it is kept in a locked room. Newer systems may allow for recordings to be stored in an encrypted format which will prevent unauthorised access in the event of loss or theft, and which could be considered in addition to a range of appropriate access controls.
In responding to subject access requests or other disclosures, you should consider an appropriate format for the data to be disclosed, and appropriate security controls. During procurement, the capability of the device or prospective system to export data securely to third parties should also be considered. However, you should ensure that you do not use proprietary encryption that will restrict a data subject’s ability to access their personal data.
Example
An organisation receives a subject access request for CCTV images. Its CCTV system can export images to an MP4 file format which can be accessed by the data subject on his personal computer. The organisation uses a file encryption product to encrypt the data before saving onto a CD (with a copy of the encryption software) and posting it to the data subject. Once the data subject confirms the safe receipt of the disc the organisation discloses the password used to generate the encryption key.
A second data subject submits a subject access request for CCTV images to be provided in a DVD Structure format (ie compatible with a standard DVD player). The organisation accepts the request but is unable to encrypt the images because the DVD Structure format is not compatible with encryption and the data would therefore not be accessible to the data subject because a consumer DVD Player will not understand the data format. The organisation makes the data subject aware of this limitation and offers them the choice of collecting a DVD in person, recorded delivery, or to export in an alternative format.
Photography and video equipment
Use of digital photography and video recording can provide a permanent record of an event for a range of different purposes. Consumer devices may not possess the ability to encrypt images stored on the device. As a result there is a risk of unauthorised access if the device, or a removable memory card, is lost or stolen.
When encryption is not a reasonable option, it is important to consider the measures you can take to ensure that the risk is reduced to a tolerable level. For example, you could transfer images from the camera to a secure location and securely delete them from the memory card as soon as is practical.
It may also be possible to consider using an alternative device such as a smartphone or tablet which does offer an encrypted file system and encryption of their memory cards. However, you should take care that the device does not automatically upload images to a remote cloud service or social network and that the method used to transfer the images from the device does not present a further security risk (eg transfer as an email attachment).
Example
The Royal Veterinary College signed an undertaking to comply with the seventh data protection principle following the loss of a memory card containing personal data.
The ICO investigation revealed that a personal digital camera was lost which included a memory card containing the passport images of six job applicants.
Given that the camera in question did not support encryption additional technical and organisational measures could have been put in place to militate against the loss or theft of the camera or memory card. This could include a process for the transfer of images to a secure location and deletion from the memory card as soon as practicable.
A further option would include use of a photocopier or a scanner to take copies of the documents where necessary.
Body worn video
Body worn video devices (BWV), worn as part of a uniform, are increasingly being considered for use in the workplace, especially by the emergency services. There are also a range of ‘sports action cameras’ which are being used by data controllers for this purpose.
The sensitivity of the footage (including both audio and video) will differ according to the situation. If you use such devices, you must therefore take into account the extent of the damage and distress if they were accessed by an unauthorised individual. Given the potentially active nature of individuals wearing BWV, you must also take into account the increased likelihood of loss or theft. This is complicated by the method by which the device stores data. For example, some BWV devices store data directly on the device, whilst others store data on removable memory cards. Loss of such a card, either due to theft or technical issues, may be perceived as a greater risk than the loss of the device itself.
If video was stored in an encrypted form on the device and it is lost or stolen then the potential for unauthorised access is greatly reduced. Therefore, you should give specific consideration to your own circumstances and consider the most appropriate encryption or other compensatory methods such as retaining a log of device usage, secure fastenings, copying data to a secure location and securely destroying data on the device as soon as practical.
Many BWV devices have replay screens, meaning that data may still be viewable on the device even if that data is stored in an encrypted form. This could pose a risk if the device in question is lost or stolen. Access controls such as PIN codes may mitigate this risk; however, you must ensure that you have appropriate protocols and management procedures in place, particularly if BWV devices may be issued on a personal basis as well as from a general repository.
Using a BWV device which stores data in encrypted form, in conjunction with appropriate access control to prevent any replay directly on the device, would protect against unauthorised access to footage should the device be lost or stolen. Encryption and access control may also protect against unauthorised copying of the footage to a personal device – encryption alone would not prevent unauthorised copying, but it could make accessing the data more difficult.
Law enforcement use of BWV
The use of BWV by law enforcement will often be in connection with a crime being committed. This type of personal data is likely to be particularly private and therefore should be treated with particular care. Additionally, there will be frequent occasions where footage will show victims, potential witnesses, suspects or other third parties in a state of distress. The proximity and vantage point of cameras may also increase the level of privacy intrusion, for example recording footage from within someone’s home.
In respect of BWV, the ICO’s CCTV code of practice states:
‘Because of the volume of personal data and potentially sensitive personal data that BWV cameras will process and the portability of them, it is important that you have appropriately robust technical and physical security in place to protect this information. For example, make sure devices can be encrypted, or where this is not appropriate have other ways of preventing unauthorised access to information.’
Technical guidance from the Home Office on body worn video includes the warning that:
'some suppliers may erroneously claim files are encrypted when they are in reality recorded in a non-standard format.’
You must also consider the security of footage once transferred from the device for long-term storage and its accessibility in response to a subject access request.
Other resources
Read the Home Office’s technical guidance on BWV at the GOV.UK website (PDF) (external link).
Audio recordings
The recording of audio can also provide an important permanent record of an event, for example, in a call centre or recording audio in addition to video as is possible with some CCTV systems. However, it can also be intrusive, as recognised in an enforcement notice issued in July 2012. The ICO’s CCTV code of practice offers additional guidance on the proportionality considerations of audio recording.
You must consider the security of lawful recordings and whether this can be achieved through the use of full-disk or file encryption products. However, some types of audio recording devices such as a dictation machines may not routinely offer encryption. You must consider whether an alternative device is more appropriate or consider additional technical and organisational safeguards such as deleting the data as soon as practicable and locking the device away when not in use.
In the event that an unencrypted version of the recording should be retained (eg for playback in a Court of Law) then a range of other compensatory measures must be considered. These can include storage within a secure facility, limited and authorised access and an audit trail of ownership and usage.
You must also consider the security of recordings once transferred from the device for long-term storage and be aware of other requirements which may prohibit audio recording of certain types of data. For example, the Payment Card Industry Data Security Standard prohibits the recording of card validation codes.
Other resources
For more information on the PCI-DSS, visit the PCI Security Standards website (external link).
Unmanned Aerial Systems (UAS)
Unmanned Aerial Systems (UAS), also known as unmanned aerial vehicles (UAVs), remotely-piloted aircraft systems (RPAS) or drones, commonly include features allowing the user to record video footage.
Where you are using UAS and images or other personal data are transmitted from the drone back to the pilot (eg a live feed of video footage over Wi-Fi to a smartphone app) then the data should be appropriately protected against interception by using an encrypted wireless communication link. Using an encrypted wireless communication link may also give some protection against potential hijacking of the vehicle.
Where images or other personal data are stored on the vehicle (eg an on-board memory card) then the data should be appropriately protected in the event of loss or theft (eg following a crash). The data can be appropriately protected using encryption.
You must also consider the security of footage once transferred from the device for longer-term storage.
Additional legal requirements or best practice may include flying RPAS within line of sight, retaining a log of usage, copying data to a secure location and securely destroying data on the device as soon as practical. More general requirements regarding drone use are outside the scope of this guidance. For more information, wish to visit the website of the Civil Aviation Authority.
Further reading
Visit the Civil Aviation Authority’s website for guidance on the general requirements for drone use.