Encryption is the method of using computer software to convert any form of data or information, whether stored on static and portable devices or in transmission over the Internet, into complex code. The purpose of encryption is to protect information from being accessed and read by unauthorised persons, and it is commonly used to secure personal data held by companies and organisations. The only way the encrypted data can be accessed is by using an encryption key that only authorised persons will have.

Information Commissioner’s Office (ICO)

Unless exempt, any company or organisation that processes personal information, such as names, addresses, phone numbers and bank details, is legally required to register with the Information Commissioner’s Office (ICO) and ensure the safekeeping of such personal information by complying with 8 principles set out by the Data Protection Act 1998. The data must be:

  • Processed fairly and lawfully.
  • Obtained and processed for one or more specified purposes and no more.
  • Adequate, relevant and not excessive in relation to the specified purpose(s).
  • Accurate and kept up to date.
  • Not kept for longer than is necessary for the specified purpose(s).
  • Processed in accordance with the rights of data subjects under the Data Protection Act.
  • Kept secure from unauthorised access or loss.
  • Not transferred to a country outside the EEA without adequate assurance of protection.

The ICO strongly urges all businesses, even small ones, to ensure adequate steps are taken to protect and secure the personal data in their possession. Stephen Eckersley, Head of Enforcement for the ICO, recently stated:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected.”

Security measures

Failure to do so could lead to identity theft, and businesses could face severe penalties. Many people think a password is enough to secure computer devices and the information they contain, but this level of protection is weak and not secure enough for this kind of sensitive data. Encryption software is widely available, but there are many different products to choose from, so it is worth doing your research and speaking to a specialist to advise on the best software for your company. As a starting point, the ICO offers some useful advice on the security measures you should put in place to protect any personal data you possess.