Decrypting the ICO’s Draft Updated Guidance On Encryption

ICO Consultation and Draft Updated Guidance

Where data breaches are easily achieved by human error, encryption not only offers a secure way of sending personal data, but also provides another layer of protection if a data breach was to occur. The Information Commissioner’s Office (“ICO”) recently published draft updated guidance on encryption, which it is consulting on. The consultation will remain open until the end of 24 June 2025.

The ICO has published two main updates:

1. It has made appropriate use of the words “must”, “should” and “could” to help ensure clarity regarding the obligations of organisations in relation to encryption, and to uphold consistency with other guidance.
2. It has updated the “encryption in practice” section of the encryption guidance to keep up with modern technology, and make clear that it expects all organisations to use Hypertext Transfer Protocol Secure (HTTPS).

Under the “About this guidance” section of the draft updated guidance, the ICO clarifies that “must” refers to legal requirements which organisations are bound by, whilst “should” refers to actions which the ICO expects organisations to take in order to effectively comply with the law (although not legal requirements in of themselves), and “could” refers to options and examples which organisations could consider to help them comply with the law and adhere to good data protection practices; such guidance helpfully provides clarity to organisations, so it is clear what their legal obligations are with regard to encryption.

What is Encryption?

The ICO states that: “Encryption is a process that uses a secret key to encode information, ensuring that only those with access to the key can read it. Decryption is the opposite – the secret key decodes the information and makes it useful again.” (Source: ICO Draft Updated Guidance On Encryption)

Many of us use some form of encryption every day; the passcodes many of us have set on our smartphones are a form of encryption, and websites accessed through a URL beginning with ‘https’ (such as the one you are visiting now) are protected by Hypertext Transfer Protocol Secure (HTTPS), which is a method for encrypting data traffic between a user and a website.

As part of encryption, readable words (‘plaintext’) may be converted into unreadable ‘ciphertext’ (this may appear as jumbled letters and numbers) using a key – a key is then needed to decrypt the ciphertext and convert it back into the plaintext.

Whilst the UK GDPR does not require all personal data held by an organisation to be encrypted, the ICO states: “…you should use encryption to protect personal information when:

• it is in transit electronically (eg online);
• you store it on computing devices like PCs, laptops, smartphones and tablets; and
• you store it on removable media.” (Source: ICO Draft Updated Guidance On Encryption)

Guidance on HTTPS

The draft updated guidance provides guidance on protecting data whilst it is in transit from one device to another.

Amongst other information, the ICO states: “If you provide a website, you should use HTTPS across all its pages.” It also states: “There is no longer a compelling argument for not implementing HTTPS across all pages of a website.” (Source: ICO Draft Updated Guidance On Encryption)

Organisations should therefore consider whether their websites are compatible with the draft updated guidance, and if not, should proactively look at taking appropriate action.

Clarkslegal

In the ever-evolving world of technology in which humans are processing personal data, we are, unfortunately, likely to see more data breaches occur, so it is becoming even more important to ensure that organisations adhere to robust data protection policies. Clarkslegal’s experienced data protection lawyers can provide valuable advice to help ensure that organisations don’t breach data protection laws; please don’t hesitate to get in touch!