Recently amended provisions of the Regulation of Investigatory Powers Act 2000 could further restrict the rights of organisations and individuals wishing to protect sensitive electronic information.
Part III of the Act covers the encryption of electronic data and requires holders of encrypted data to provide the means of putting this into an intelligible form when required to do so by the authorities. Failure to do so can lead to criminal charges, with a maximum sentence of up to two years in prison or five years in certain cases relating to suspected terrorism.
Many people choose to use readily available encryption programs to encrypt their email, files, folders, documents and pictures. These same technologies can also be used by terrorists, paedophiles and others to hide their criminal activities.
If the police or another public agency suspects that data encryption is being used to conceal any kind of criminal activity, then they have the power to serve a notice on the person in control of that data, be it an individual, company director or anyone else with responsibility. The legislation has already been used to demand encryption keys from several animal rights activists.
However, the Code of Practice governing the use of such powers allows the data owner or controller ‘reasonable time’ to comply.
“Data users can no longer assume that encrypting data means keeping it secret forever,” says <<CONTACT DETAILS>>. “Data encryption is a powerful tool that can and should be used to protect sensitive data from prying eyes, but it does not mean that public authorities cannot get at it if required.”
The new Regulations came into force on 1 October 2007. SIs 2007 Nos. 2196, 2197, 2199 and 2200.
Applicable legislation: Part III of the Regulation of Investigatory Powers Act 2000 – Code of Practice for the Investigation of Protected Electronic Information. The Act can be found at http://www.fipr.org/rip/ripa2000.htm