
Data encryption brought into focus by HMRC

A basic technology tool misunderstood by civil servants

Tags: hmrc, fraud, encryption, admitted

By Paul Bentham

Published: 21 December 2007 17:07 GMT

The issue of data encryption has been brought into sharp focus recently with the HMRC data loss fiasco. Paul Bentham explains why it is important government staff adhere to guidelines around it.

Since that catastrophic incident, the Information Commissioner, Richard Thomas, has come forward to warn that several other public bodies have now admitted they too have lost personal data.

With critical and confidential data of UK citizens floating about everywhere from post boxes to rubbish dumps, the encryption of data is taking on a more and more central role. Data encryption will not prevent these physical losses, but it will, of course, mean that whoever finds the lost media cannot read the data.

A key problem within the public sector is that of awareness - the government admitted that civil servants ignored, or possibly didn't know, their own security policies and procedures in copying database information to disk and sending it unencrypted in the post. A recent survey showed that almost 90 per cent of public sector IT managers said staff would open unknown emails and 75 per cent connect private USB devices to their work PCs.

This is a far worse problem than in the private sector. Getting public sector IT managers to understand the issues associated with data encryption is the first step towards solving the problem. One of the most important questions that needs to be asked is whether public sector organisations are obliged to use data encryption technology.


There is actually no explicit obligation under the Data Protection Act (DPA) to use encryption, although the DPA does state that 'appropriate technical and organisational measures' should be taken to ensure data is kept completely secure, which could be taken as referring to encryption. However, it is widely recognised that data encryption helps to secure electronic data and safeguard privacy and therefore it is surprising that it has not been more widely adopted in the public sector.

A recent survey of UK businesses carried out by the Department of Trade and Industry reported that 30 per cent of the businesses surveyed who use online transactions do not encrypt them. The Information Commissioner's Office expects that an organisation's security policy and practices should reflect the technology that is available. Therefore, as encryption technology becomes more widely available, more organisations should start adopting it.

But how can the public sector better safeguard itself from another HMRC disaster? The simple solution would be not to copy huge reams of information to a disc at all, but to transfer them directly to the receiver in encrypted form over either internal or external networks. The sender would have to use software that encrypts sensitive data at source with strong algorithms, while tightly controlling and monitoring the way people access the database.


A common problem that arises when data encryption is on the agenda is that of who has access to the data. The whole point of encrypting the data is to make sure that data thieves and those who have no permission to access the data are not able to use it. Therefore authorised personnel need to be given passwords of a suitable complexity: strong enough that they cannot be cracked, yet simple enough that they can be remembered.

This is magnified when the complexities of a shared service centre come into play. Shared services are about the consolidation of a set of services common to multiple business units, such as HR or finance and accountancy. The shared services approach is increasingly being used in the public sector to maximise efficiency.

When data is coming in from a number of different sources to a single data processor (the supplier) the encryption technology must meet these added requirements. The contract drawn up with the supplier for multiple end users must accommodate the added complexity of encrypting data from a number of different sources and the complications arising from the different levels of encryption needed within a single centre.

Another occasion in which data encryption is vital is within an outsourcing arrangement. When outsourcing, the public sector body must choose a supplier that can provide sufficient guarantees with respect to the technical and organisational security measures governing the processing of data. The public sector must also take reasonable steps to ensure compliance with those security measures, including undertaking regular audits and reviews.

As HMRC discovered to its cost, data encryption is a vital part of any security system. Using data encryption is a necessity for public sector organisations, but they need to include this within a rounded, holistic security policy including both data and physical security.

Paul Bentham is a partner at legal firm Addleshaw Goddard
