Encrypt, encrypt, encrypt...

Updated November 2011

The Information Commissioner's Office (ICO) has repeated its guidance that electronic devices containing data that would cause damage or distress if lost or stolen must be encrypted.

The ICO's announcement follows breaches by two organisations of the Data Protection Act by failing to encrypt personal data on laptops which were then stolen. A laptop belonging to the Association of School and College Leaders (ASCL) was stolen from a trade union employee's house that contained unencrypted information, including data concerning the member's mental and physical health. Although the device was equipped with the software to enable encryption, the decision on whether to encrypt was left to the employee.

In another incident, a London school breached the Data Protection Act following the theft of an unencrypted laptop from an unlocked office. The laptop contained information relating to pupils' names, addresses, exam marks and limited information relating to their health. Following an investigation by the ICO, it became apparent that the school did not have a data protection policy in place at the time of the breach.

The ICO has taken the opportunity to reiterate its guidance on this point: "all personal information – the loss of which is liable to cause individuals damage or distress – must be encrypted". Further the ICO has described breaches of this type "inexcusable" on the basis that encryption is one of the most basic security measures and is inexpensive to implement.

Both these episodes show the importance of monitoring data protection compliance relating to the electronic storage of personal data. The risk of breaches of this type can be reduced by ensuring that your business has appropriate data protection policies and training in place and ensuring compliance with those policies. Should your business require any assistance or advice in relation to the storage of electronic data or any other data protection matter, please contact Alison Deighton, head of TLT's Data Protection and Privacy team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.