Personal data – to encrypt or not encrypt

December 4, 2012

A posting on a well know on-line accountancy web-site discussion board on whether emailing personal information, such as that contained in tax returns or payslips, should be encrypted or not, caused a bit of a stir this week. Paul Holborow, accountant and Head of RMT IT services at RMT Accountants & Business Advisors Ltd, takes a look at the issues.

If you are an employer you will also be a data controller which means you are responsible for keeping personal data on employees secure. This applies whether you outsource payroll or not.

There is nothing in the Data Protection Act (DPA) that says you should specifically encrypt payslips or tax returns sent by email. So if it doesn’t say it in the DPA you don’t have to encrypt, right? Wrong! Let me explain why.

The DPA says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data…. appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage to personal data”.

Further, you need to look at how the Information Commissioner Office is interpreting the Act. In May 2012 the ICO ruled, in the Holroyd Howe case, that when emailing payslips, for example, they should be encrypted. This is what he said, referring to payslips sent unencrypted, in the undertaking he issued to them: “Appropriate security measures are taken to protect personal data sent by email; in particular, sensitive personal data shall not be transmitted by email across the internet unless encrypted to current standards”. Note he says ‘encrypted’, not the less secure option of password protection.

Further, the ICO has a “top tip” to protect personal data that includes “Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.”

In interpreting and enforcing the Act the ICO has issued hefty fines where data subjects suffer distress knowing personal data may be accessed by third parties (Welcome Financial Services July 2012-£120k) and where sensitive emails go to the wrong recipient (Stoke City Council October 2012-£120k, Prudential Assurance October 2012 – £50k).

So to me the question is simple. You as an employer, your accountants, tax and payroll departments all need to understand that personal information, such as tax returns, payslips, pension details, RTI alignment files – they are all sensitive and personal data. No employee would want their tax affairs in the public domain. They would suffer distress and be open to identity theft in just the same way as the ICO has ruled in these and other cases. Most employers would want to avoid paying a fine and would want to protect their reputation.

Finally, the ICO also look at the technology available and, as protecting the information can cost about the same price as a Mars bar a week to provide an employer with some simple encryption software that gives users options over encryption by email, to USB/DVD, via FTP, and with audit and access controls, he will regard this as “appropriate”.

Paul is an accountant who has worked in developing an information security programme now being rolled out to accountants in Scotland through ICAS and to lawyers in England with Oyez. For more information please contact paul.holborow@r-m-t.co.uk or telephone  0191 256 9550.

More blog Articles

Recruitment

Our key focus is outstanding client service. We are always on the look out for high quality team members in the following areas…

If you would like to be part of a progressive, growing practice please upload your CV here.