The UK’s Information Commissioner’s Office has published new guidance on the use of encryption software to protect the security of personal data. The Data Protection Act 1998 does not specifically state that organisations must encrypt personal data. However, the seventh data protection principle requires organisations to take appropriate technical and organisational measures to keep the personal data they hold secure.
The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur. On top of the fines, data controllers risk significant damage to their reputation if they do not store personal data securely.