Encryption: ICO publishes final guidance

The Information Commissioner’s Office (ICO) has published final guidance on encryption, following a consultation earlier in the year (on which we commented here). 

The guidance is aimed at data protection officers and those implementing encryption, and provides a thorough account both of how encryption works and of how it can be successfully incorporated into an organisation as a measure to protect personal information. This includes detailed guidance on how particular forms of information can be encrypted, from individual files to smartphones, tablets and removable media.

Importantly, whilst the ICO recognises that encryption can be a convenient and effective technical measure to secure personal information (particularly because it is widely available and relatively inexpensive to implement), it makes the point that it is not foolproof: its effectiveness will depend on organisations using it appropriately, recognising its limitations, and, if necessary, employing it in conjunction with other technical measures.  

The guidance provides numerous ways that organisations can get the most out of their use of encryption, including having appropriate policies in place, educating staff, and keeping encryption solutions under review so as to take account of new technological developments. More specifically, the ICO recommends that organisations use a trusted and verified algorithm rather than developing one for themselves, as well as choosing a key size that is large enough to reduce the risk of any attack succeeding. To further ensure that the encryption is effective, organisations are also encouraged to consider widely available and used solutions which align with industry standards or are certified, for example, by the National Cyber Security Centre’s Assisted Products Scheme. 

A particularly helpful feature of the guidance is its use of practical examples, which appear throughout the various chapters and are collected in a dedicated section of scenarios addressing matters such as encrypting emails, sending personal information on physical storage media, and how to use encryption with IoT devices.

To read the guidance in full, click here 
