On 23 July 2018, the Agency published a statement concerning a stricter practice in relation to encryption of e-mails. It appears from the statement that both public and private parties must use encryption when transferring confidential or sensitive personal data via e-mail. This change of practice will, as regards the private sector, come into force on 1 January 2019. Read more about the Danish Data Protection Agency’s statement: Stricter practice concerning encrypted e-mails (article in Danish)
PREVENTION OF PERSONAL DATA LEAKS BY ENCRYPTION OF E-MAILS
Some of the risks under personal data law when using e-mail are that an e-mail is sent to the wrong recipient by mistake, or that non-encrypted e-mails are compromised during transmission, i.e. intercepted by unauthorised persons seeking access to the e-mail. Both risks may potentially result in a leak of a large amount of personal data.
Encryption of e-mails is a security measure, and follows from the requirement in the GDPR that controllers and processors must implement appropriate technical and organisational security measures when processing personal data. There are, however, various methods of encryption.
To determine which technical and organisational security measures are appropriate, you will have to assess the risks that processing of personal data will have for the data subject. Two factors are important:
1. Assessment as to whether an e-mail contains confidential or sensitive personal data
The requirement for encryption of e-mails applies to e-mails containing confidential or sensitive personal data.
Article 9 of the GDPR exhaustively lists sensitive personal data, whereas confidential personal data are not defined or listed in the GDPR. It is therefore not entirely clear when data are considered confidential and therefore need to be encrypted.
Examples of confidential data are civil registration numbers, sensitive personal data and, in some situations, non-sensitive personal data which may be considered confidential depending on the circumstances, including, for instance, data on income and estate, work, training and employment terms.
To assess whether data are confidential, the Agency has stated that it is necessary to assess whether, according to the general opinion, the data ought to be kept from public knowledge, see section 152 of the Criminal Code read in conjunction with section 27 of the Public Administration Act.
2. Assessment of the kind of encryption to be used
In its guidelines on its website, Transmission of personal data in e-mails, the Agency distinguishes between two kinds of encryption: encryption on the transport layer and end-to-end encryption.
To select which kind of encryption to use, you will have to assess the risks that processing of personal data will have for the data subject.
It is the Agency’s opinion that there may be processing where encryption on the transport layer will be appropriate, and processing with a high risk for the data subject where the more secure end-to-end encryption will be appropriate (for instance, when sending health data on a large number of data subjects).
End-to-end encryption requires that the parties exchange keys. In the guidelines, the Agency mentions NemID as an example when using end-to-end encryption.
The guidelines also include a section on responsibilities, from which it appears that the controller is responsible for the secure forwarding to the recipient’s e-mail server when an e-mail is forwarded from the controller.
Read more about the Danish Data Protection Agency’s newsletter on technical specifications in relation to encryption: Technical specification in relation to encryption of e-mails (article in Danish)