The purpose of this document is to set out guidelines for public bodies and custodians to follow when developing systems and procedures to maintain the confidentiality and integrity of personal information received and transmitted by fax. Private sector organizations may also find these guidelines helpful.
One of the purposes of the Health Information Act is to protect the personal health information of individuals held by custodians.¹ Section 60(1)(c)(i) states:
60 A custodian must take reasonable steps in accordance with the regulations to maintain administrative, technical and physical safeguards that will …
(c) protect against any reasonably anticipated…
(i) threat or hazard to the security or integrity of the health information or of loss of the health information.
Additionally, section 38 of the Freedom of Information and Protection of Privacy Act states:
38 The head of a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.
How can I reduce the risk of accidentally disclosing personal information when using a fax machine?
- Always confirm that the receiver has taken appropriate precautions to prevent anyone else from seeing the faxed documents;
- Before sending a fax, check that the receiver’s number is correct, then verify in the machine’s display window that you have keyed it in correctly;
- If you must send personal information, always complete the fax cover sheet, clearly identifying both sender and intended receiver. The cover sheet should include a warning that the information is private and confidential and that you should be notified immediately if the information is received in error;
- Call the recipient to verify that he or she received the complete transmission; or check the confirmation sheet to see that it went through to the correct number;
- Any fax machine used to send or receive personal information should be kept in a location where unauthorized persons cannot see the documents. If there is no appropriate location, someone should be watchful of the machine while in operation;
- Consider making one individual responsible for the fax machine. Otherwise, limit the chances that passers-by can see personal documents by sending the documents yourself;
- Try to arrange a time to receive faxes containing personal information so you can be at the machine as they arrive;
- Fax only the personal information which you would feel comfortable discussing over the telephone;
- If your fax machine supports it, use the feature that requires the receiver to enter a password before the machine will print the fax. This ensures that only the intended receiver can retrieve the document. Similarly, ask the sender to make sure you must supply a password to retrieve the document;
- Security precautions should be taken for faxes received after normal office hours;
- If you are sending personal information by a fax modem (a fax device contained in a computer), confirm that other users of the computer system cannot get access to the fax without a password. Likewise, if you are expecting information by fax modem, ensure that other users of your system cannot access the information without a password;
- If possible, use encryption technology or other technology to secure fax transmissions;
- Be aware that your fax number can be re-assigned once you have given up the number. It is possible to “purchase” the rights to that line so that the number is never re-assigned.
¹ Custodian is defined as an entity or regulated health professional (e.g. physician) in the publicly funded health system who receives and uses health information. Custodians are responsible for ensuring that the health information is collected, used, disclosed and protected appropriately.
This Guideline is based upon and imports many of the practices and guidelines from a number of organizations including: the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of British Columbia, the Office of the Information and Privacy Commissioner of Ontario, the College of Physicians and Surgeons of Alberta, and the Canadian Health Record Association. Their contributions are gratefully acknowledged.
October 2002
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Freedom of Information and Protection of Privacy Act, Health Information Act and Personal Information Protection Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.