Security Safeguards
In a seashell
PIPA requires you to implement appropriate safeguards against the potential risks to which the personal information you hold may be exposed.
Section 13, Security safeguards, states that:
(1) An organisation shall protect personal information that it holds with appropriate safeguards against risk, including—
(a) loss;
(b) unauthorised access, destruction, use, modification or disclosure; or
(c) any other misuse.
(2) Such safeguards shall be proportional to—
(a) the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information;
(b) the sensitivity of the personal information (including in particular whether it is sensitive personal information); and
(c) the context in which it is held, and shall be subject to periodic review and reassessment.
Although PIPA does not specify which safeguards are appropriate for protecting the personal information an organisation holds, encryption is often a best practice and is highly recommended.
Consider having an encryption policy in place that governs how and when you implement encryption, and also training your staff in the use and importance of encryption.
When storing or transmitting personal information, it is good practice to use encryption and ensure that your encryption solution meets current standards. You should be aware of the residual risks of encryption, and have steps in place to address these.
Encryption: checklist
☐ We understand that encryption can be an appropriate technical measure to ensure that we process personal information securely.
☐ We have an appropriate policy in place governing our use of encryption.
☐ We ensure that we educate our staff on the use and importance of encryption.
☐ We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal information we store and/or transmit.
☐ We understand the residual risks that remain, even after we have implemented our encryption solution(s).
☐ Our encryption solution(s) meet current standards (such as FIPS 140-2 and FIPS 197 as of July 2023).
☐ We ensure that we keep our encryption solution(s) under review in the light of technological developments.
☐ We have considered the types of processing we undertake, and whether encryption can be used in this processing.
Organisations ask
What types of encryption are there?
How should we implement encryption?
What is encryption?
- Encryption is a mathematical function that encodes data in such a way that only authorised users can access it.
- It is a way of safeguarding against unauthorised or unlawful processing of personal information and may be one way in which you can demonstrate compliance with the security principle.
- Encryption can protect information stored on mobile and static devices and in transmission.
- There are a number of different encryption options available.
- You should consider encryption alongside other technical and organisational measures, taking into account the benefits it can offer and the risks it can pose.
- You should have a policy in place governing the use of encryption, including appropriate staff education.
- You should also be aware of any sector-specific guidance that applies to you, as this may require you to use encryption.
Encryption and data storage
- Encrypting data whilst it is being stored often provides effective protection against unauthorised or unlawful processing.
- Most modern operating systems have full-disk encryption built-in.
- You can also encrypt individual files or create encrypted containers.
- Some applications and databases can be configured to store data in encrypted form.
- Storing encrypted data still poses residual risks. You will need to address these depending on the context of your processing, such as by means of an organisational policy and staff training.
Encryption and data transfers
- Encrypting personal information whilst it is being transferred often provides effective protection against interception by a third party.
- You should use encrypted communications channels when transmitting any personal information over an untrusted network.
- You can encrypt information prior to transmission over an insecure channel and ensure it is still protected. However, a secure channel provides assurance that the content cannot be understood if it is intercepted. Without additional encryption methods, such as encrypting the information itself prior to transmission, the information will only be encrypted whilst in transit.
- You should look to use the HTTPS protocol across your entire website. While there are some circumstances that can make this difficult, you still need to take appropriate steps such as ensuring that all areas of user input are protected.
- Encrypted data transfer still poses residual risks. You will need to address these depending on the context, such as by means of an organisational policy and staff training.
What types of encryption are there?
- The two types of encryption in widespread use today are symmetric and asymmetric encryption.
- With symmetric encryption, the same key is used for encryption and decryption. Conversely, with asymmetric encryption, different keys are used for encryption and decryption.
- When using symmetric encryption, it is critical to ensure that the key is transferred securely.
- The technique of cryptographic hashing is sometimes equated to encryption, but it is important to understand that encryption and hashing are not identical concepts, and are used for different purposes.
How should we implement encryption?
- When implementing encryption, it is important to consider four things:
  - choosing the right algorithm,
  - choosing the right key size,
  - choosing the right software, and
  - keeping the key secure.
- Very important! Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
- It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the information. You should therefore assess whether your key sizes remain appropriate.
- The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards, such as FIPS 140-2 and FIPS 197 (as of July 2023).
- Encryption solutions are widely available and can be deployed at relatively low cost.
- You should also ensure that you keep your keys secure and have processes in place to generate new keys when necessary to do so.
Encryption is just one example of a security practice. Be sure to consider all practices that are reasonable in your circumstances.