The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, April 30, 2005

Faxing Tips: Avoiding common privacy incidents 

The privacy incidents that have gotten the most press recently in Canada have been related to misdirected faxes. To name just a few:

I've seen loads of "Faxing Guidelines" produced by organizations and privacy commissioners that include some pretty common-sense suggestions to minimise the likelihood of problems. But problems will almost always occur simply because accidents do happen. (Luckily, in most cases it will be a one-off mistake.) Guidelines need to be implemented to make sure that the right people are informed of the issue and know how to practice safe faxing.

Below is a set of faxing tips I've developed over the last little while. A couple, which I've highlighted, do not appear in any other guidelines I've seen and are the results of lessons learned from various incidents I've seen or been involved with.

  • Physically secure the location of any fax machine that receives incoming faxes.
  • Use speed dial functions of your fax machine ... and verify each number by sending a test fax before sending any personal information.
  • If you use a fax machine to send both sensitive and non-sensitive information, consider getting separate fax machines for the different kinds of information. Designate a fax machine for personal or confidential information and program the speed dial functions to include only trusted recipients. (I have heard the story of a physician who regularly faxed letters to the editor, so had the local papers on his speed dials. Unfortunately, one of these buttons was right next to the speed dial button for the local hospitals' records department. You can guess what happened.) If you can't have a separate fax machine, don't have "trusted" and "not-trusted" buttons next to each other.
  • If particularly confidential information will be sent, contact the recipient in advance to tell them to expect the fax.
  • Do not "retire" any of your fax numbers because it may continue to receive faxes from people who haven't updated their records. Phone companies, facing a shortage of numbers, will quickly reassign retired numbers and you have no idea where those faxes may end up.
  • If you have a number of locations, branches or outgoing fax machines, make sure that all fax cover pages have one central number for reporting misdirected faxes and make sure that someone is at that number to keep track of problems. This one simple, easy-to-implement precaution would have avoided all of the problems experienced by CIBC. Three faxes with the same error would have been all it would take to notice a pattern and figure it out. Of course, include a cover sheet that indicates that the information is confidential and should not be disclosed to any unauthorized persons.
  • Double check the number before you push the "send" button.
  • Check your confirmation sheets to make sure that the number called was the same as you intended.
  • Use desktop faxing technologies or -- better yet -- scan materials to PDF and e-mail them. The risk of interception is greater with e-mail, but e-mail goes to one designated recipient and does not sit around on a fax machine.
  • Many fax machines have the ability to encrypt or password protect faxes. If the information is sensitive, by all means use it! For internal faxes, as was the case with the CIBC incident, there is no reason why you shouldn't since you have control over both fax machines and you'll prevent the faxes from being read if they end up at the wrong machine.

Implementing all of the above should significantly reduce the likelihood of problems and should also allow you to identify any problems before they get out of control.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.