Encryption and the DPA
Encryption is a vital part not only of an organisation’s security, but also of its compliance with the Data Protection Act (DPA). The Information Commissioner’s Office (ICO) can issue severe fines if data is lost from an unencrypted source which could have been protected.
This page offers encryption information and advice to ensure your data remain safe.
What the ICO Says
‘The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. Encryption is one of the most basic security measures and is not expensive to put in place - yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.’
- Sally Anne Poole, Enforcement Group Manager, ICO
Encryption should be applied to laptops, USB sticks and any other portable media that might contain personal data. Encryption should meet at least the FIPS 140-2 standard and, for laptops, the encryption software should provide whole disk encryption and require pre-boot authentication (i.e. it should force you to enter the decryption password before you can log on to the laptop).
FIPS 140-2 stands for Federal Information Processing Standard Publication 140-2, and is a US government standard for accrediting cryptographic modules on all sorts of media. Even though the standard was last updated in 2002, it has been adopted around the world as a clear, credible and internationally recognised standard. It is applied both to laptops and to USB sticks.
We have identified appropriate laptop encryption software which we can supply directly to individuals and to organisations. We have also identified, and can supply in single units or in bulk, USB sticks which are appropriately encrypted and meet CESG security requirements.
Encrypted USB Sticks
We have identified five USB sticks that would be appropriate for most organisations, which are available singly or in larger quantities (bulk discounts are available). They all use 256-bit AES hardware encryption and are designed for enterprise deployment. Optional enterprise features, available with some models as identified below, include remote-wipe, password reset, group policy enforcement, etc.
IT Governance offers a leading range of laptop, desktop and mobile device encryption software. Working with partners such as Sophos and Symantec (PGP), we are sure we have a solution to meet every need. To find out more information on encryption software, please see our Security Products page or email us requesting further information.