
ICO Provides Further Guidance on Encryption

17 September 2013
The UK Information Commissioner's Office ("ICO") recently published further guidance on encryption on its blog.  The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software.  If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO's position on encryption, but it does explain in layman's terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.

Here are some key take-aways from the guidance:

  • Controlling access to a device using a password or PIN is not encryption and does not provide an equivalent level of protection;
  • It is important to understand the types of protection a particular encryption methodology offers to determine whether it is suitable for any particular scenario;
  • There are differences between full disk encryption, individual file encryption, and encrypting data in transit, and it is important to understand which is appropriate in the circumstances; and
  • It is of paramount importance to keep the encryption key secure – an obvious point which is frequently overlooked.
