ICO reiterates warning over encryption as it fines council £120k over second data protection breach

Out-Law News | 26 Oct 2012 | 1:12 pm | 3 min. read

Organisations that store or send sensitive personal data electronically should always ensure that the information has been encrypted, the Information Commissioner's Office (ICO) has said.

The UK's data protection watchdog reiterated previous warnings about the dangers of failing to encrypt sensitive personal data as it announced that it had fined Stoke-on-Trent City Council £120,000 after a solicitor at the authority sent 11 emails containing details of a child protection legal case to the wrong address. The information sent was not encrypted.

The ICO deemed that the incident, which occurred in December last year, constituted a serious breach of the Data Protection Act. The Stoke authority had experienced a similar breach in early 2010 and had subsequently signed undertakings to improve its approach to data protection; this was a factor the watchdog took into account when determining whether, and by how much, to fine the body over the 2011 breach.

"If this data had been encrypted then the information would have stayed secure," Stephen Eckersley, head of enforcement at the ICO, said in a statement. "Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure."

"It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved. The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost."

The ICO said that the emails that the Stoke authority's solicitor had sent "varied in sensitivity". Some of the emails "contained confidential and highly sensitive personal data about the non-accidental injuries sustained by a child together with medical information relating to two adults and two children" as well as "the Brief to Counsel, suggested directions and miscellaneous comments about the conduct of the case," according to the civil monetary penalty notice (11-page / 142KB PDF) issued to the Stoke authority.

The emails should have been sent to a lawyer who was "instructed" on a child protection case, but were instead sent to another "valid" email address, it added. The authority was unable to confirm whether the owner of that email address had deleted the information sent to them in error, the ICO said.

The watchdog found failings with the solicitor and the Stoke authority over their approach to data encryption.

"The ICO’s investigation found the solicitor was in breach of the council’s own guidance which confirmed that sensitive data should be sent over a secure network or encrypted," the watchdog said. "However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training."

The ICO has issued guidance on its approach to encryption. It has said that it may take "regulatory action" in cases where personal data has been lost or stolen "where encryption software has not been used to protect the data".

"Portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information," the ICO's guidance said. "Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation's security policy and using best practice methodologies such as using the International Standard 27001."

"Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information. This process hides the data and prevents any inadvertent access or unauthorised disclosure of information. Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented, meets the current standard," according to the guidance.

Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO has previously said that all personal data stored electronically should be encrypted if it "would cause damage or distress if it were lost or stolen".