On 3 March the Information Commissioner published new guidance on its expectations of data controllers in relation to encryption.


It states that, "Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.

"For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format."

Trustees should consider whether their agreements with scheme administrators impose adequate obligations on the administrators regarding data encryption, as well as considering whether their own procedures comply with the Information Commissioner's guidance.

Key contacts

Rachel Rawnsley

Rachel Rawnsley

Partner, Head of Pensions
United Kingdom

View profile
Jade Murray

Jade Murray

Partner, Pensions
United Kingdom

View profile
Catherine McAllister

Catherine McAllister

Partner, Pensions
United Kingdom

View profile
Rachel Uttley

Rachel Uttley

Partner, Pensions
United Kingdom

View profile