The newer generation of office equipment such as digital photocopiers and fax machines can pose a security risk for organizations.
Digital photocopiers and fax machines bought or leased in recent years may contain hard drives or memory chips. Like a computer, those hard drives and memory chips can record and store data that has been photocopied or faxed.
“Increasingly, office equipment has moved toward digital-based technology producing office machines with more features and greater capability,” says Information and Privacy Commissioner Frank Work. “However, this new equipment also comes with some potential security issues regarding how data is handled and stored,” he adds.
Personal information, health information, and other confidential business information of an organization stored on the machine’s hard drive can be at risk for unauthorized access or disclosure when the machine is serviced, returned at the end of a lease or sold. Unauthorized access or disclosure of personal information is a breach of provincial privacy legislation.
To understand and guard against the security risk posed by digital photocopying, fax machines, or multifunction devices (i.e. copier, scanner, printer, fax in one unit), organizations should be aware of this potential security risk, and take appropriate measures to protect their data. Both the organization which puts the personal information on the machine and the vendor of the machine are responsible for the information on it.
The following are general measures that any organization using digital based equipment should consider:
- Understand what type of office machine you have bought or leased. Does it have a data storage device, such as a hard drive, that can store data electronically?
- If the data storage device has some way of capturing and storing electronic data, the user should gain an understanding from the vendor and/or manufacturer of what exactly the device is capturing. For example, is it capturing copy as well as scan and print jobs? Also, how much data is it storing and for what period of time does the data reside on the storage device?
- How easily is the data storage device accessed, and can it be easily removed? If the device is easily accessible, you may want to consider moving the office machine to a more secure area of your office and limit access to the machine.
- If the data storage device is capturing and storing data, inquire as to what your options are for controlling the residual data. Does the vendor and/or manufacturer offer some form of security option, such as data overwrite, delete features, or removal and destruction of the data storage device?
- Look at your servicing contract or lease agreement. Does it explain how any data residing on the data storage device of the office machine is handled when the machine is serviced and/or returned?
- Suppliers and vendors of office machines (such as photocopiers, computers and fax machines that capture and store electronic data) who come across residual data in the course of servicing, repairing, refurbishing or selling a machine are prohibited under the Personal Information Protection Act from using or disclosing the data. Suppliers and vendors should notify the lessor, owner or former owner of the machine about the existence of residual data and jointly determine how the data will be handled. If the supplier or vendor is unable to contact the lessor, owner or former owner, they should then make every effort to completely erase the data from the machine before disposing of the machine or reusing it.
As an example, the Government of Alberta, the Office of the Corporate Chief Information Officer, the Ministry of Restructuring and Government Efficiency and the Alberta Corporate Service Centre have reached an agreement with their suppliers as to how personal information residing on Government-owned or leased office machines will be disposed of.