ICO publishes guidance on encryption and passwords
On 1 November, the ICO published guidance for organisations specifically on the use of passwords and other methods for protecting data such as encryption.
In the context of passwords, the ICO suggests practical steps to ensure passwords remain secure and effective as a measure taken to comply with the requirement to use “appropriate technical and organisational measures” to protect personal information:
- Whether passwords are the most effective security method available should be reviewed periodically;
- Individual passwords themselves must be reviewed and changed periodically;
- Requiring that passwords are of an appropriate “strength” and not just something that an individual finds memorable; and
- If your organisation stores passwords in some form, that that form is as difficult as possible for hackers to access those passwords in a useable form.
Similarly, encryption is often a method of technical security used to keep data secure and the ICO has also updated its guidance on this. If your organisation stores any type of personal data, the ICO highly recommends that encryption is used to protect data from unauthorised and unlawful processing, due to encryption solutions being “widely available and can be deployed at relatively low cost.” In the same way as its guidance on passwords, the ICO again offers practical steps which organisations can take to implement encryption in its operations:
- Utilise built-in encryption already available on your operating systems;
- Consider whether to encrypt individual files separately depending on the type of information being protected;
- Investigate the encryption possibilities on applications and databases frequently used by your organisation; and
- Train staff on what encryption is, when to use it, and associated risks.
In addition to offering practical ways organisations can utilise and implement encryption, the guidance stresses that encryption should not just be reserved for the protection of the most high risk data, rather that encryption should be considered and implemented as a standard form of technical security. It is also now highly recommended that organisations have a specific encryption policy covering when it should be used so that all staff can understand their responsibilities. If you would like more information on the benefits of encryption or a policy drafted specific to your organisation, please get in touch with your usual data protection contact.
ICO publishes guidance on selecting processors
A key change in GDPR has been the possibility for processors to be held liable for data protection violations whereas previously only controllers could be held liable. Whilst this should, in theory, give controllers more protection over failings caused by acts taken by their processors, the GDPR still expects controllers to only use processors that provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” On that note, the ICO in December published new guidance on the kind of reasonable diligence controllers should carry out before deciding to contract with a processor:
- Expert knowledge: is your processor used to providing the services you are expecting them to provide to you? Do they have a good track-record with other customers?
- Resources: can your processor provide you with the level of service you require? Do they have enough staff to ensure the data you pass to the provider can be properly managed?
- Reliability: What level of service availability is the processor offering? Are there factors outside their control which may impact on the service they can offer your organisation?
- Industry standards: Does the processor comply with usual industry standards? Do they have the appropriate official certification? Are they ISO27001 certified (if relevant)?
- Data protection policies: Have you had sight of the processor’s privacy notices, security policies and any other documentation setting out what data protection processes they adhere to, e.g. what is their data breach process? Can they assist you with dealing with data subject rights?
This level of diligence is really important in managing risk. Although it is starting to become common to negotiate liability between controllers and processors in a written agreement, this guidance demonstrates the level of scrutiny controllers must do as the ICO could still decide to hold a controller ultimately responsible for any resulting breaches, if the controller has failed to meet their obligations in relation to appointing and managing suppliers.
