The Information Commissioner’s Office has published updated guidance on encryption, “featuring several scenarios designed to help you consider when and how you should use encryption”.
While the Data Protection Act does not specify the use of encryption, it does say that appropriate measures should be used to keep personal data secure. ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data.
From the guidance overview:
Organisations should consider encryption alongside other technical and organisational measures, taking into account the benefits and risks that it can offer.