Recently amended provisions of the Regulation of Investigatory Powers Act 2000 could further restrict the rights of organisations and individuals wishing to protect sensitive electronic information.
Part III of the Act covers the encryption of electronic data and requires holders of encrypted data to provide the means of putting it into an intelligible form when required to do so by the authorities. Failure to do so can lead to criminal charges, with a maximum sentence of two years in prison, or five years in certain cases relating to suspected terrorism.
Many people choose to use readily available encryption programs to encrypt their email, files, folders, documents and pictures. These same technologies can also be used by terrorists, paedophiles and others to hide their criminal activities.
If the police or another public agency suspect that data encryption is being used to conceal any kind of criminal activity, they have the power to serve a notice on the person in control of that data, be it an individual, a company director or anyone else with responsibility. The legislation has already been used to demand encryption keys from several animal rights activists.
However, the Code of Practice governing the use of such powers allows the data owner or controller ‘reasonable time’ to comply.