Learning Disabilities Mortality Review (LeDeR)
Programme: Briefing Paper 4
Encryption of Information
Introduction
All personal or sensitive information (data) must be encrypted whenever it is ‘transported’ or ‘at rest’. This
includes data stored on physical media (laptops, CD/DVDs, USB drives, etc.) as well as data transmitted
electronically (University Gmail, Google Drive, etc.). Encryption is a means of preventing anyone, other
than those who have a key (e.g. a password), from accessing data, be it in an email, on a computer or on a
storage device.
Everyone involved with the Learning Disabilities Mortality Review Programme shares a responsibility to
ensure that personal information remains secure and safe. It is therefore essential for local reviewers and
others to understand how to encrypt relevant data.
Briefing notes
Choosing a password
Any passwords you use to encrypt a document or file should be strong. This means they should be
impossible to guess.
Advice on creating a password:
 Make the password at least ten characters long
 Include a mix of upper case letters, lower case letters, numbers and special characters, eg; ! @ # *
 Make it easy for you to remember, but impossible for anyone else to guess
 If you have the slightest suspicion that your password has been disclosed, change it immediately
Sharing a password
If the document needs to be shared with others, then consequently so does the password (only share it
with those authorised to access the data). Share the password using a mechanism which is different to the
way you are sharing the file. For example, if you email an encrypted document, we recommend phoning
someone to give them the password.
If the only copies of your documents are encrypted then you need to consider the security of the
encryption passwords themselves and it is recommended that you lodge these securely with a trusted and
REMEMBER!
AFTER A DOCUMENT IS ENCRYPTED: WITHOUT THE PASSWORD THE DATA IS LOST
AND TOTALLY IRRETRIEVABLE
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
authorised third party (who, preferably, doesn't have access to the documents) so as to ensure their
availability in the event of password loss.
Email encryption
NHSmail includes an encryption feature that allows users to exchange information securely with users of
non-accredited or non-secure email services. Once a message is sent from NHSmail it is encrypted and
protected with a digital signature to assure the recipient that the message is authentic and has not been
forged or tampered with. Formatting of the message is preserved and attachments can be included. In
order to send an encrypted email to an NHSmail user, they must email you first. You can then reply to or
forward their email and it will remain encrypted. You can also include attachments.
NHSmail is one of a number of Government secure email systems. The full list of secure Government email
systems is below. They have email addresses ending:
.cjsm.net (Criminal and Justice)
.gcsx.gov.uk (Local Government/Social Services)
.gse.gov.uk (Central Government)
.gsi.gov.uk (Central Government including Dep’t of Health)
.gsx.gov.uk (Central Government)
.hscic.gov.uk (The Health and Social Care Information Centre)
.mod.uk (Military)
.nhs.net (NHSmail)
.pnn.police.uk (Police)
.scn.gov.uk (Criminal and Justice)
Other than in communication with one of the secure email systems above, you should not use email to
send strictly confidential data (including patient identifiable information and data that is classed as
'sensitive' under the Data Protection Act). Rather than use email, if possible, encrypt files and store them
on a secure local (dept/faculty) or central file server and ensure that only those who should have access do
have access.
Document encryption
If you do need to send confidential data by email, use the 7-Zip software to encrypt them. 7-Zip allows you
to create encrypted copies of your files (they are referred to as archives) in .7z format.
Encrypting using .7z format
The (free) 7-Zip application offers robust encryption facilities. You can use 7-Zip on any computer and you
don't need to register or pay for 7-Zip. To download please visit: http://www.7-zip.org/
1. To use 7-Zip, navigate to the file you want to encrypt. When you've reached the right folder that
contains the file you want to encrypt, right-click on the file. Select 7-Zip and click on Add to Archive.
2. The “Add to archive” screen will appear.
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
3. The only details you will need to enter is the Encryption Password. Enter a password of your choice,
then re-enter to confirm. You need to make sure AES-256 is selected under Encryption Method.
Remember that any encryption is only as good as the password used to encrypt it (please see the choosing
a password section for guidance). If you choose to send this encrypted file to another person, make sure to
provide the password via a different method.
4. Click OK and an encrypted version of the file will be created inside a zip file. By default, you will find this
next to the original file.
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
Decrypting 7-Zip files
1. If you receive an email with a 7-Zip encrypted attachment, or are otherwise given a file encrypted
by 7-Zip, first save the attachment where you can easily find it.
2. Double-click to open the zip file and display the contents.
3. Double-click the document and you will be asked for a password. Enter the agreed password and
the document will open.
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
Word, Excel and PowerPoint 2013 & 2010 offer encryption facilities which meet University encryption
standards. Information about this is given below.
Encrypting a document using Word, Excel or Powerpoint 2013
The file must be in the new file format, eg .docx for a Word document. Files saved in Compatibility Mode, or
the 97-2003 file format do not have adequate encryption facilities.
1. With the relevant document open, click on the File menu
2. If not already selected choose Info, then click on Protect Document, as shown below
REMEMEBER!
IT IS ESSENTIAL THAT THE PASSWORD AND ENCRYPTED FILES ARE SENT SEPARATELY BY DIFFERENT MECHANISMS. FOR
EXAMPLE ENCRYPT A FILE TO SEND VIA EMAIL, THEN PHONE THE RECIPIENT TO GIVE THEM THE PASSWORD VERBALLY
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
3. Enter a ‘strong’ password (see the section choosing a password)
4. Click OK, re-enter the password, then click OK again.
5. Save the document.
6. The document is now encrypted and the password will be required to open it.
Encrypting a document using Word, Excel or Powerpoint 2010
The file must be in the new file format, eg .docx for a Word document.
1. With the relevant document open, click on the File Tab
2. Click on Info, click on Protect Document and then Encrypt with Password, as shown below
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
3. Enter a ‘strong’ password (see the section choosing a password)
4. Click OK, re-enter the password, then click OK again.
5. Save the document.
6. The document is now encrypted and the password will be required to open it.
Encrypting mobile and storage devices
If you transport restricted or ‘sensitive’ data on any mobile or storage device, be that a laptop, notebook,
USB stick, or CD/DVD or similar, then that device must be encrypted. Encrypted mobile devices (laptops and
netbooks in particular) must always be shut down and not simply put into 'sleep' mode when they are at risk
of loss or theft (e.g. when they are in transit). If in sleep mode then encryption is circumvented and the data
can be accessed.
The following secure USB drives are recommended:
 The IronKey (Basic Edition) (which is FIPS 140-2 compliant)
 The SafeStick. (CESG CCTM accredited)
 Integral Crypto Dual memory stick (FIPS 140-2, 256-bit AES)
 Any secure USB drive which is FIPS 140-2 certified or CESG approved, however, would be
acceptable.
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0
Further Information
NHS Information Governance: Guidelines on use of encryption to protect person identifiable and sensitive
information
http://systems.hscic.gov.uk/infogov/security/infrasec/iststatements/dataenc_html
http://systems.hscic.gov.uk/infogov/security/encryptionguide.pdf
University of Bristol: Encryption Advice
http://www.bristol.ac.uk/infosec/uobdata/encrypt/
Guidance on Data Protection
https://ico.org.uk/
This information was correct as of 20/06/2016 and will be reviewed on 20/06/2017
LeDeR Programme Briefing Paper 4.
V 1-0