
Compliance with Privacy Laws
In 2007 a laptop, and in 2010 a mobile stick were stolen from workers at downtown Toronto Hospitals compromising thousands of patient’s personal information. In both cases, the health care information custodians (the hospitals) were found at fault because the data was not “highly encrypted” on the mobile devices. PHIPA section 13(2) and the findings HO-004 and HO-007 are clear, data in transit or on mobile devices must be highly encrypted.
Email servers and third-party upload sites are no different than a mobile device. In fact, they may be worse because there is no physical limitation to prevent people breaching their security. Even though a cloud site will encrypt the transmission of the data (https settings), once the data reaches their servers it is unlikely to be encrypted. Although it may be protected by a password, that password is held by the server owner (often a website developer) and not the information custodian of record.
Read what the information custodian was found guilty of when a USB stick was stolen,
- Section 13(1) (secure retention, transfer and disposal) – the records were not retained, transferred or disposed of in a secure manner.
- Section 15(3)(b) – (agents’ of duties) – the custodian did not ensure that all agents of the custodian are appropriately informed of their duties under the Act.
- Section 30(2) (reasonably necessary) – the custodian did not limit the collection to that which was reasonably necessary to fulfill the identified purposes, as required by the Act.
Canadian and Ontario laws are representative of those around the world. They place the requirement to safely transfer data with the professional who holds it.
SafeReferral uses 2 private keys, each held by the information custodians (the doctors offices). Without both keys, the data and files remain highly encrypted and indecipherable. SafeReferral also deletes all data from our servers after you download it or it reaches a stale date.
Think twice before uploading your patient’s data to the cloud.