Charlotte Walker-Osborn, technology partner, and Aonghus Martin, technology solicitor, from Eversheds LLP, discuss the English legal position in relation to encryption.

More than 8,500 laptops are left in UK airports and over 10,000 are left in London taxis every year. Human error and the increasing adoption of portable technology inevitably means these figures are unlikely to decrease. The Information Commissioner's Office (ICO) is starting to get tough, giving clear messages that data controllers (in this context employers) must encrypt certain personal data.

It had previously been a question for consideration as to whether, under the 7th Principle of the Data Protection Act 1998, which requires data controllers to take 'appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data' meant that encryption technology should be used.

There was little guidance expressly addressing this point. However, there have been a number of high profile companies who have received enforcement notices which specifically detail a failure to encrypt as being a breach of the DPA and DP principles.

Data protection law is therefore, largely by way of enforcement notices and guidance (issued on security and encryption both in 2007 and 2008), beginning to impose certain specific obligations and recommendations on companies, in relation to encryption.

Although these are not definitively stated, it seems pretty clear that where personal data (data which can identify a living individual which can include name, HR records etc.) is placed on mobile devices, encryption must now be used.

Otherwise, there is currently no strict legal obligation to encrypt personal data, although it may be helpful in some cases to do so voluntarily, for example where such data has to be emailed to a higher risk country or is particularly sensitive or potentially valuable or damaging. There is no specific legislation imposing obligations to encrypt confidential information not containing personal data in the UK.

However, you should consider using encryption in relation to relevant technology to protect important business information. This is likely to include certain HR information (which also gets squarely caught by the DPA), plus board information, certain financial information such as pricing, confidential information on customers and other important confidential information.

So, outside of mobile devices, you should be making judgements around the types of data that should be encrypted as well as keeping an eye on ICO and other security guidelines on this area.

With newly granted powers given to the Information Commissioner now is a good time to undertake a review of the security applied to personal data being processed within your organisation and how this is treated in your contracts, for example with service providers, including your encryption obligations.

This will assist in guarding against a security breach and the resultant adverse publicity, reputational damage and loss of customer confidence which flows from such incidents.

In addition, buoyed by a plethora of recent data loss incidents and new powers recently introduced, such as the ability to levy fines for serious breaches, it is clear that the Information Commissioner will be looking to flex his new found muscles.

© Copyright 2009 Eversheds.
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.