Encryption - humans miss the point!
Dr W Kuan Hon
Of Counsel, Dentons; Member, UK International Data Transfer Expert Council; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
Encryption is a great way to secure data confidentiality, but getting people to use it properly is tough like you wouldn't believe.
I'm talking about lacking understanding of the very basic basics, what many would think should be obvious and common sense. So it's no wonder that it's such a challenge to secure personal data and other data properly in practice.
Just three examples:
- London law firm - I agree a password with them by phone. I email them draft encrypted Word documents, to be opened using that password. They email me back the redrafts - without ANY encryption whatsoever. If the document is confidential enough to be encrypted before being emailed to them, why would they think that they needn't encrypt the redraft that they send back to me?!
- Financial adviser - I agree a password with them in person. I email them encrypted PDF documents, to be opened using that password. I ask them to email me some follow-up documents, encrypted but to be opened using the same password. They say they no longer have the password, as they discarded it right after opening the documents I sent them!
- Medical firm - I agree a password with them by phone. I email them encrypted PDF documents, to be opened using that password. They email me an encrypted Word document with health data. But, in their very next email, they send me the password to open that Word document - which is completely different from the password I had agreed with them by phone! I query that. They say: "Oh, you didn't say that the password was for us to send you documents too, not just for you to send us documents!" Yes, it was a healthcare firm, and yes, it was clearly subject to GDPR.
Tearing hair out here. If documents with personal data or private or confidential information are to be encrypted before being emailed, then surely they should be securely encrypted for emails going BOTH ways, following secure exchange of the password in person or by phone (NOT by email), with the agreed password being securely stored. Otherwise, what's the point, really?
Data protection training may need to be expanded to cover even these very basic basics... It's no wonder secure online file upload services are doing well - although the way some of these are being used, don't get me started!