On 1 November 2018 the Information Commissioner’s Office (ICO) issued new guidance in relation to the use of encryption and passwords as security measures.
Article 32 of the GDPR suggests encryption of personal data as a potential method of implementing appropriate technical and organisational measures. However, the use and distribution of passwords is not specifically referred to in the GDPR. The ICO’s latest guidance considers the steps that an organisation looking to implement either system should take and the inherent risks involved in doing so.
The ICO’s guidance provides a detailed explanation of what encryption is, the different types of encryption available to organisations and how encryption can be implemented.
In particular, the ICO suggest that organisations should have an encryption policy in place governing how and when encryption is implemented. Alongside an appropriate policy, organisations should train their staff in “the use and importance of encryption”. The use of encryption in respect of data which is stored or data which is transmitted should also be in line with “current standards” and organisations should always be aware of the residual risks that are involved, ensuring that sufficient steps are taken to deal with these.
With regard to the transmission of personal data, the ICO suggests that organisations use encrypted communications channels whenever such data is transmitted over an untrusted network. The ICO also warns organisations that unencrypted data which is lost or destroyed may be subject to regulatory action in some circumstances.
In respect of continued measures once an organisation has implemented an encryption solution, the ICO suggests that the encryption methods in place are regularly assessed for appropriateness, that encryption software meets current standards and that any encryption keys are kept secure.
Whilst the GDPR does not specifically address the use of passwords as a method of security, Article 5 of the GDPR requires that personal data is:
Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
It seems the use of a robust password system is consistent with this requirement. The ICO advises organisations considering such a system to also consider alternatives to the use of passwords and to monitor developments in this area to ensure that any processes used are sufficiently robust to manage “evolving threats”.
To assist organisations with taking a comprehensive approach to passwords, the ICO guidance explores the following:
- How passwords should be stored;
- How users should enter their passwords;
- What requirements should be set for passwords;
- What to do about password expirations and resets; and
- What defences to put in place against attacks.
Given the importance of ensuring that system users are legitimate, the ICO recommends that organisations consider verification through a second authentication factor through another contact method or a two-factor authentication method such as a one-time token generator.
The ICO’s latest GDPR guidance provides organisations with a detailed and comprehensive consideration of two security systems that businesses might implement in order to assist with the duty to implement technical and organisational measures under the GDPR. In addition to a general review of the merits of each system, the ICO has provided a detailed note of both the risks and its recommendations.