Let’s get one thing out of the way: there is no such thing as “encryption laws in the UK”. Certainly, the Information Commissioner’s Office (ICO) highly recommends the use of strong encryption software, like AlertBoot, to safeguard personal data in laptops and other portable media devices. But, technically, there is no such thing as encryption laws in the United Kingdom.
What the country does have are data protection laws, which include the use of encryption software as well as other technologies and strategies.
Read the (ICO’s) FAQ
Trust me when I say that navigating the UK’s Data Protection Act (DPA) is not an easy matter. Based on the EU Directive 95/46/EC (the EU’s Data Protection Directive), the UK’s DPA regulates the processing of “personal data”. As to what constitutes “personal data”, the situation is complex enough that even with a definition of the matter, the ICO felt compelled to publish a personal data flowchart to make things clearer, which I’ll explore in an upcoming post.
While the above are interesting to read, it might make more sense to take a look at a FAQ published by the ICO, the government body charged with upholding the DPA. In that FAQ, the following question is asked and answered (my emphases):
Q: Must I encrypt all the information I store on computer?
Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices. On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements. Read more about complying with these requirements in the section about information security.
As the above shows, the data protection laws in the UK cannot be called “encryption laws”. This is especially true if one is able to find, say, “appropriate security measures” other than laptop encryption to secure a portable computer. For example, a windowless, double-locked room with the notebook computer fixed to a counter via a cable lock is, arguably, just as good as encryption since it would prevent the theft of the computer to begin with.
On the other hand, there is no guarantee, for example, against an employee stealing this same device or the laptop disappearing during a move. And this poses a problem because the ICO’s passage above notes that security measures must also “guard against unauthorized use or disclosure…or its accidental loss or destruction”. All of a sudden, the claims of “you don’t have to use encryption” ring kind of hollow.
But, that’s because we’re talking about laptops. Remember, data can be stored in a variety of digital devices, including mainframe computers and blade servers (which generally tend to be behind several locked doors in a guarded facility). So, it makes no sense for the law to require the use of encryption for all computer data when there are clearly instances where exceptions can be made (it also doesn’t make sense to list out all the exceptions when technology progresses at the pace that it does).
Whole Disk Encryption a Good Horse to Bet On
There are oddities in the DPA that makes safeguarding data a nightmare. Here’s a taste. From the ICO’s personal data flowchart I mentioned before:
Information may be recorded about the operation of a piece of machinery (say, a biscuit-making machine). If the information is recorded to monitor the efficiency of the machine, it is unlikely to be personal data (however, see 8 below). However, if the information is recorded to monitor the productivity of the employee who operates the machine (and his annual bonus depends on achieving a certain level of productivity), the information about the operation of the machine will be personal data about the individual employee who operates it. [section 7.2]
Remember, you’re not actually recording personal data in the above example. You’re recording biscuit machinery efficiency data that will be used later to evaluate someone’s performance. If you lose a laptop with this information (and, say, a name), you’d technically be in violation of the UK’s DPA, something most people don’t take into consideration.
The more I read about issues like these, the more I understand why the ICO’s Undertakings (signed promises by a breached organization’s data controller to the Information Commissioner) include the promise to use encryption for laptops and portable devices.
Despite assertions to the contrary, the use of encryption is pretty much de rigueur if you’re looking to comply with the DPA when it comes to data in a computer.