Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 103 some way. Some are looking for key words or names. Other sniffers are watching for credit card numbers or login passwords.313 By encrypting emails before they leave the organization, it is possible to prevent unauthorized access to the personal data. There are other benefits to using encryption. For example, the use of mobile devices in the workplace has grown exponentially over the past decade. Personal data of clients and/or customers is leaving the office on mobile devices daily. Large privacy breaches from lost or stolen work laptops, portable memory sticks and work assigned cell phones have become common. If personal data were stored in an encrypted format on the mobile device, the ability to retrieve the personal data for an improper purpose (i.e., identity theft) is significantly reduced. Breaking the code on encrypted data is not an easy task. Therefore, the more advanced the code, the more difficult it is to crack. However, not all encryption software is created equal. Skilled hackers can find the weaknesses in encryption code or through the ‘backdoors’ created by many organizations as a failsafe (i.e., backdoor entry for recovery purposes). In addition, even where encryption is used on a mobile device, a hacker is likely to find clear text echoes of encrypted data left on the device. Only the use of full-drive encryption can prevent that which many organizations are not aware.314 This is highlighted well in the Ontario Information and Privacy Commissioner’s resource, Email Encryption Made Simple: Those people who use some form of encryption system relax comfortably at their keyboards. Nonetheless, they feel a cold chill each time someone reports a new security hole. Some holes are found in the encryption tools. More often though, the application that uses the encryption tool has bugs. Internet browser applications are prone to this due to their large size and complexity. While the cryptographic component might remain secure, back door bugs to the application can nullify the value of the email encryption.315 To assume that encryption will solve all security issues is naive. Security of personal data is an activity that requires constant diligence. Organizations should not be overly reliant on encryption software as the only form of data security. Ensuring the best and most up to date 313 ON IPC resource, E-mail Encryption Made Easy at p. 1. 314 Gizmo’s Freeware, Encryption is Not Enough, available at, updated April 2016. Accessed June 18, 2020. 315 ON IPC resource, E-mail Encryption Made Easy at p. 1.