UK releases draft updated guidance on encryption
May 25, 2025
Encryption is a critical part of both privacy (preventing the misuse of information) and data security. It is also very poorly understood and even more poorly implemented. Properly implemented encryption provides real protection for personal information. It is not the whole answer, but encrypting personal information goes a long way towards showing that a genuine attempt has been made to comply with APP 11 of the Privacy Act 1988. The key issue when assessing a data breach is whether personal information has been accessed and misused. If the personal information was encrypted, an organisation has a good story to tell the regulator, notwithstanding the breach, if there is an investigation. That story only holds if the keys were not exposed in the same incident, which is why the key management points in the guidance matter as much as the choice of algorithm.
The UK Information Commissioner has released guidance on the use of encryption. While it refers to UK legislation, the principles are equally applicable to the APPs in the Privacy Act.
Some of the relevant points from the guidance:
- Encryption is a process that uses a secret key to encode information, ensuring that only those with access to the key can read it. Decryption is the opposite – the secret key decodes the information and makes it useful again.
- There are two types of encryption: symmetric and asymmetric.
- Symmetric encryption is where the same key is used for both encryption and decryption. This means it is critical to use a secure method to transfer the key between sender and recipient, since anyone who intercepts the key can read everything protected by it.
- Asymmetric encryption is where one key is used for encryption and a different key is used for decryption. One of the keys is typically known as the private key and the other as the public key. The public key can be distributed openly while the private key must be kept secret, which is what removes the key-transfer problem of symmetric encryption.
- encryption can be used for:
- data storage: This encrypts data stored on a device or network so that it is unintelligible to unauthorised users without the key. It protects the data against theft or unauthorised access. This type of encryption can be used for data stored on devices (eg servers, PCs, laptops, mobile phones, removable storage) and in backups.
- data transfer: This protects data as it moves across a network, such as the internet, shielding it from interception or eavesdropping. Even if the communication is intercepted, the data remains unintelligible without the decryption key. This type of encryption is used when sending and receiving data online (eg through websites or over email).
- data in use: This protects data while it is being processed. Normally, to make use of encrypted data it must first be decrypted back into plaintext. In recent years, technological advances (homomorphic encryption) have made it possible to perform computations on encrypted data without decrypting it first, so the data remains protected while still being usable.
- it is important to choose the right algorithm, because vulnerabilities may be discovered over time, or advances in computing power may mean that a brute-force attack (ie attempting every possible key) is no longer time-consuming
- it is important to choose the right software, because if its development did not follow good practice, or the product is poorly tested or subject to insufficient review, there may be vulnerabilities or other opportunities for attackers to intercept data or break the encryption without the users' knowledge
- it is critical to manage keys appropriately, including:
- keeping symmetric keys, private keys and passwords secret
- giving keys a finite lifespan, with processes in place to generate a new key and re-encrypt the data
- being able to revoke an existing key and generate a new key or key pair
- there are specific encryption scenarios:
- Encrypted email allows the body and attachments of a message to be encrypted. OpenPGP and S/MIME are the widely used standards. Note that neither encrypts the message headers, so the subject line, sender and recipients remain visible.
- encrypting attachments: it may be possible to encrypt a file and then add it as an attachment to a standard email. The password or key for the file must be sent by a separate channel, never in the same email.
- encrypting backups. Backups are often recorded onto tape, disk or other physical media. They can be stored in an encrypted format, which helps protect the data against unauthorised access, provided the keys are kept separately from the media.
- if CCTV systems make use of wireless communication links (eg transmitting images between cameras and a receiver), it is necessary to encrypt these signals to prevent interception
- for photographs and videos, encryption is a way of protecting images from misuse. If the camera cannot encrypt images, other options include moving the images from the camera to a secure location and deleting them from the device or memory card as soon as practical, or using a device (eg a smartphone or tablet) that does offer an encrypted file system, together with encrypting any memory cards
- body-worn video should be encrypted, whether on the device itself or on the storage medium
- if drones are being used to capture personal information and transmit it back to the pilot (eg a live feed of video footage over Wi-Fi to a smartphone app), the data should be protected from interception by using an encrypted wireless communication link
- if providing Internet of Things devices, it is important to ensure that any personal information is processed securely
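The symmetric/asymmetric distinction above, and in particular the key-transfer problem that symmetric encryption raises, as an added worked example in Go (this is not code from the ICO guidance or from this post): the sender generates a fresh symmetric data key and transfers it by encrypting it to the recipient's RSA public key with RSA-OAEP, so only the holder of the matching private key can recover it. A different key pair, a mismatched label or a modified blob all fail to unwrap rather than yielding a wrong key. The Recipient type, the function names and the "backup-2025-05" label are assumptions of the example, not part of the guidance.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Recipient holds an asymmetric key pair (example type, not from the guidance):
// the public half can be handed to anyone who needs to send us a key, the
// private half never leaves the recipient.
type Recipient struct{ priv *rsa.PrivateKey }

func NewRecipient() (*Recipient, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{priv: priv}, nil
}

func (r *Recipient) PublicKey() *rsa.PublicKey { return &r.priv.PublicKey }

// NewDataKey is the sender's fresh 256-bit symmetric key for bulk encryption;
// it is the secret that has to reach the recipient without being intercepted.
func NewDataKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapKey transfers the symmetric key over an untrusted channel by encrypting it
// to the recipient's public key with RSA-OAEP (SHA-256). The label is bound into
// the padding, so a blob wrapped for one purpose cannot be replayed for another.
func WrapKey(pub *rsa.PublicKey, dataKey []byte, label string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(label))
}

// UnwrapKey recovers the symmetric key. Only the private-key holder can do this;
// a different private key, a wrong label or a modified blob returns an error.
func (r *Recipient) UnwrapKey(wrapped []byte, label string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, wrapped, []byte(label))
}

func main() {
	alice, _ := NewRecipient()
	mallory, _ := NewRecipient() // an eavesdropper with her own key pair
	dk, _ := NewDataKey()
	wrapped, _ := WrapKey(alice.PublicKey(), dk, "backup-2025-05")
	got, err := alice.UnwrapKey(wrapped, "backup-2025-05")
	_, errM := mallory.UnwrapKey(wrapped, "backup-2025-05")
	fmt.Printf("alice recovers key: %v; mallory: %v\n", err == nil && bytes.Equal(got, dk), errM)
}
```

In practice the wrapped blob travels alongside the symmetrically encrypted data (the pattern behind OpenPGP and S/MIME mentioned below the list), and the private key is the one secret that has to be protected on the recipient side.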
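The three key management points above (secret keys, a finite key lifespan with re-encryption, and revocation) as an added worked example in Go, again not code from the guidance or this post: a keyring of versioned AES-256-GCM keys where Rotate makes a new version current, data sealed under an old version is re-encrypted by opening and re-sealing it, and Revoke destroys the old key so that anything not re-encrypted in time can no longer be read. The Keyring and Envelope types, the use of the version number as GCM additional data, and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strconv"
)

// Envelope is one record sealed under a specific version of the data key.
type Envelope struct {
	KeyVersion uint32
	Nonce      []byte
	Ciphertext []byte
}

// Keyring gives keys a finite lifespan: the current version seals new data,
// older versions only open existing data until they are revoked.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	return kr, kr.Rotate()
}

// Rotate generates a fresh 256-bit AES key and makes it the current version.
func (kr *Keyring) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

// Revoke destroys an old key; data still sealed under it must be re-encrypted first.
func (kr *Keyring) Revoke(v uint32) error {
	if v == kr.current {
		return fmt.Errorf("key version %d is current; rotate before revoking it", v)
	}
	delete(kr.keys, v)
	return nil
}

// versionAAD binds the key version to the ciphertext as GCM additional data.
func versionAAD(v uint32) []byte { return strconv.AppendUint(nil, uint64(v), 10) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with the current key under a fresh random 96-bit nonce.
func (kr *Keyring) Seal(plaintext []byte) (Envelope, error) {
	aead, err := gcm(kr.keys[kr.current])
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, versionAAD(kr.current))
	return Envelope{KeyVersion: kr.current, Nonce: nonce, Ciphertext: ct}, nil
}

// Open refuses revoked or unknown key versions, then authenticates before
// decrypting: a modified nonce, ciphertext or version fails rather than yielding garbage.
func (kr *Keyring) Open(env Envelope) ([]byte, error) {
	key, ok := kr.keys[env.KeyVersion]
	if !ok {
		return nil, fmt.Errorf("key version %d is revoked or unknown", env.KeyVersion)
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, versionAAD(env.KeyVersion))
}

func main() {
	kr, _ := NewKeyring()
	env, _ := kr.Seal([]byte("name=Jane Citizen; dob=1990-01-01")) // constructed sample record
	_ = kr.Rotate()
	pt, _ := kr.Open(env)
	fresh, _ := kr.Seal(pt)       // re-encrypt under version 2 ...
	_ = kr.Revoke(env.KeyVersion) // ... then destroy version 1
	_, errOld := kr.Open(env)
	fmt.Printf("old envelope: %v; record now under version %d\n", errOld, fresh.KeyVersion)
}
```

The order of operations is the point: rotate, re-encrypt everything still under the old version, and only then revoke. Revoking first would make the data unreadable, which is the failure mode the "processes to be in place" wording in the guidance is warning about.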