As an extension of yesterday’s post on the Association of School and College Leaders (ASCL) data breach: the UK’s Information Commissioner’s Office (ICO) remarked that encryption software is a basic security measure (link at the end of this post).
Acting Head of Enforcement Sally Anne Poole said all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. “This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily,” added Poole. [cbronline.com, my emphasis]
Although the UK’s Data Protection Act does not require the use of encryption software, the ICO is hinting otherwise. Well, “hinting” implies a certain degree of subtlety, so perhaps it’s not the right word.
One might wonder why the ICO doesn’t just come out and make laptop encryption a legal requirement. The answer may be that the ICO doesn’t have the ability to create new requirements (i.e., it cannot pass legislation); all it can do is enforce the existing rules.
As a result, it can only impose such a requirement as part of an agreement with an entity after a breach has occurred. For example, instead of paying a fine of a gazillion dollars, the company agrees to install encryption software on all of its computers. This way, funds that would have gone to the ICO are instead kept by the breached company and put to practical, constructive use.
Related Articles and Sites: