ENISA: Recommended Cryptographic Measures for Personal Data

November 7, 2013

The latest report from the European Union Agency for Network and Information Security, Recommended cryptographic measures – Securing personal data, addresses ways to protect sensitive and/or personal data that has been acquired legitimately. The report underlines the clear link between privacy and cryptography. ENISA claims that this demonstrates how cryptography can play a role in protecting personal data and safeguarding legitimately collected sensitive or confidential data.

The report presents a mapping between security requirements for personal data and basic cryptographic techniques. It suggests that, while information security measures and mechanisms can be deployed for the protection of personal data, information security does not cover all the issues regarding personal data protection and privacy. It takes the view that personal/sensitive data requires different protection measures at different stages of its life-cycle, and therefore presents a short version of such a life-cycle description. The report also identifies security measures and gives an introduction to basic cryptographic techniques.

The report is complemented with a set of technical recommendations for algorithms, key sizes, parameters and protocols. The target audiences of these recommendations are system developers and maintenance engineers in commercial environments who are faced with the need to deploy or replace protective measures for data.

Amongst the top three findings and recommendations are:

  • Cryptographic measures are only one piece of the puzzle when it comes to privacy and data protection. However, they can provide an important layer of data protection, which may reduce the impact of breaches. The relevant stakeholders (Data Protection Authorities, EU Member States authorities, and service providers) should recommend that users and others implement security measures for protecting personal data, and should rely on state-of-the-art solutions and configurations for this purpose.
  • All these stakeholders could use, as a reference, the technical cryptographic measures and recommendations proposed in another recent ENISA study, which is addressed to decision makers and specialists.
  • Specialised personnel are needed for the correct implementation of updated cryptographic protective measures.