Data Encryption – How does the ICO view non-compliance?
Encryption and the Data Protection Act
Encryption scrambles the contents of a disk, file or device so that they can only be read by whoever holds the decryption key. Principle 7 of the Data Protection Act 1998 requires "appropriate technical and organisational measures" against unauthorised processing and accidental loss of personal data; the ICO's guidance treats encryption of PCs, laptops, USB sticks and other portable media that might contain personal data as one of those measures. The ICO can issue severe fines (monetary penalties of up to £500,000 under the 1998 Act) to organisations that fail to meet Principle 7 when data is lost from an unencrypted device which could have been protected.
What the ICO says:
‘The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. Encryption is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.’ Source: Sally Anne Poole, Enforcement Group Manager, ICO
Encryption should be applied to PCs and laptops, USB sticks and any other portable media that might contain personal data. Encryption should meet at least the FIPS 140-2 standard and, for laptops, the encryption software should provide whole disk encryption and require pre-boot authentication (i.e. the decryption passphrase must be entered before the operating system loads, not merely at logon, so the disk cannot be read by booting from another device or by removing the drive).
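One way to check the laptop requirement above on a Linux machine, as an added example that is not from this page or from JMS Secure Data: the script reads the JSON output of `lsblk` and the `/etc/crypttab` format to confirm that the root filesystem sits on a dm-crypt (LUKS) mapping and that the mapping is unlocked by a passphrase typed at boot rather than a stored key file or TPM auto-unlock, which would defeat the pre-boot authentication requirement. The device names, UUIDs and crypttab lines in the block are constructed samples, not captured from a real machine.

```python
"""Audit a Linux laptop for whole-disk encryption with pre-boot authentication.

Added example, not code from the original page or from JMS Secure Data.
It parses the JSON output of `lsblk -J` and the /etc/crypttab format; the
sample inputs at the bottom are constructed for this demonstration.
"""
import json
import subprocess


def find_mount_chain(devices, mountpoint="/", chain=()):
    """Return the lsblk nodes from a top-level disk down to the device mounted
    at `mountpoint` (e.g. disk -> partition -> dm-crypt mapping), or None."""
    for dev in devices:
        path = chain + (dev,)
        # lsblk >= 2.37 emits a "mountpoints" list; older releases a single "mountpoint"
        mps = dev.get("mountpoints") or [dev.get("mountpoint")]
        if mountpoint in mps:
            return path
        found = find_mount_chain(dev.get("children", []), mountpoint, path)
        if found:
            return found
    return None


def root_is_encrypted(lsblk_json):
    """True if the filesystem mounted at / sits on top of a dm-crypt (LUKS) mapping."""
    chain = find_mount_chain(json.loads(lsblk_json)["blockdevices"])
    return chain is not None and any(n.get("type") == "crypt" for n in chain)


def crypttab_entries_without_prompt(crypttab_text):
    """Names of crypttab mappings that unlock without a person typing a passphrase.

    crypttab fields: name, device, key file, options. A key file of 'none' or '-'
    means an interactive prompt at boot; a path means a stored key (no pre-boot
    authentication); a tpm2-device option means systemd TPM auto-unlock, which
    also removes the prompt.
    """
    silent = []
    for line in crypttab_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name = fields[0]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3] if len(fields) > 3 else ""
        if keyfile not in ("none", "-") or "tpm2-device" in options:
            silent.append(name)
    return silent


def audit(lsblk_json, crypttab_text):
    """Combine both checks into a pass/fail verdict with the reasons."""
    findings = []
    if not root_is_encrypted(lsblk_json):
        findings.append("root filesystem is not on an encrypted block device")
    silent = crypttab_entries_without_prompt(crypttab_text)
    if silent:
        findings.append("no pre-boot passphrase for: " + ", ".join(silent))
    return {"compliant": not findings, "findings": findings}


# Constructed sample inputs (the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
# and /etc/crypttab on a LUKS laptop and on an unencrypted one); the UUID is a
# placeholder, not a real volume.
ENCRYPTED_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
             {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]})
PLAIN_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"}]}]})
CRYPTTAB_PROMPT = "cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks,discard\n"
CRYPTTAB_KEYFILE = ("# stored key: nobody has to type anything at boot\n"
                    "cryptroot UUID=00000000-0000-0000-0000-000000000000 /etc/keys/root.key luks\n")

if __name__ == "__main__":
    try:  # on a real Linux host, audit the live system
        live = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                              capture_output=True, text=True, check=True).stdout
        with open("/etc/crypttab") as fh:
            tab = fh.read()
    except (OSError, subprocess.CalledProcessError):
        live, tab = ENCRYPTED_LSBLK, CRYPTTAB_PROMPT  # fall back to the constructed sample
    print(audit(live, tab))
```

The script only proves that the root volume is encrypted and that unlocking it needs a typed passphrase; it says nothing about the strength of that passphrase or about other partitions, so treat a pass as evidence for the audit file rather than as a guarantee. On a Windows estate the equivalent evidence is BitLocker status (for example from `manage-bde -status`), which this example does not cover.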
FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is the US government standard, issued by NIST, against which cryptographic modules are tested and validated; the ICO cites it as a credible and internationally recognised benchmark. Note that validation covers the cryptographic module, not the product or the way it is deployed: a FIPS-validated disk encryptor protected by a weak passphrase, or a laptop put to sleep with the volume unlocked, still exposes the data.
JMS Secure Data have identified appropriate laptop encryption software which we can supply directly to individuals and to organisations. We have also identified, and can supply in single units or in bulk, USB sticks which are appropriately encrypted and meet CESG security requirements.
Contact us if you would like more advice on DPA encryption software, or take our 60 second DPA compliance check to see if your business is at risk of non-compliance.