So why should schools be using email encryption?
As I am sure you are aware the ICO (www.ico.org.uk) has over the past couple of months been updating the material on its site and there is now a lot more information on the education sector which is of interest. A lot of the of the information is about using children’s data for online web services, but they do also talk heavily about email encryption and why it should be used. We know from experience that schools do send a lot of sensitive information about pupils and staff via email to the council, NHS, Police, Social Services or information from SENCOs.
Rather than offering up our answer to GDPR compliance this article simply looks at one aspect of the regulation, that of securing as far as possible the data transmission. Although only mentioned four times in the regulations, encryption is a significant aspect of information flow, GDPR specifically identifies ‘encryption’ as a potential and appropriate technical measure to ensure the security of personal data.
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
GDPR is not prescriptive, it doesn’t define what is meant by encryption nor how it should be implemented. At the most basic level let’s look at securing the transmission of data between your organisation and the recipient organisation.
Transport Layer Security (TLS)
The secureschoolemail encryption Gateway provides support for the use of Transport Layer Security (TLS) as standard when emails are sent between participating schools, as there is a high volume of sensitive data also sent between schools. All schools that join the scheme use TLS when communicating with each other. Emails from schools to external recipients (i.e. non-participants) can use three other types of encryption, S/MIME, PGP or secure Webmail. As more and more external organisations including councils are starting to implement email security (mainly S/MIME), the secureschoolemail service can automatically integrate with these solutions, like we have done in Reading, Wokingham etc., so if a user from one of these organisations sends a secure email using S/MIME or PGP to a school, then the public key from these encryption types is automatically stored on the gateway. So, if a user from a school goes to send a secure email to anyhow, it first checks to see if they are also using the solution, (uses TLS), if not it look internally to see if there is a S/MIME or PGP keys associated with that email account (if it finds one, it uses the public key stored) and if it finds no encryption keys, it then defaults to secure webmail.
Whilst ‘encrypting’ the transmission channel is a laudable first step, it still leaves the content that you are sending in a readable format. True encryption of the content is a natural progression and one that GDPR again references specifically around the mitigation of breach notification requirements.
Article 34 states that a breach notification to individuals is mandatory where it is likely to “result in a risk for the rights and freedoms of individuals”. However, if you can show that you have protected personal data adequately the impact of a breach can be minimised and the potential obligations reduced:
“…the controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”