Your Privacy is in the Details
A few years ago, we received a postal letter from one of the investment funds to which we subscribe: a privacy policy change notice with many pages, small font on paper, thick legal jargon seemingly designed to discourage people from reading through them. It was a bank letter designed by lawyers.
There was a ‘deny’ form at the end: only mail the letter back if we disagreed with the financial institution moving the data centre outside of Canada. We read the entire document and strongly disagreed with the international data centre proposal. As Canadians, our data is not as protected on foreign soil as is in Canada. This was definitely not acceptable. This would change the Data Location, where our bank stores our personal information, from Canada to outside of Canada.
“Data location” is also called “data residency”. In principle, everybody should have the ownership of their own personal data: we should have “Data Sovereignty”. But in practice, we are far from there. If you have accounts on Facebook, Google, or Microsoft, then you know your data is very likely in the United States (U.S.).
But what about your financial, and medical data? Once upon a time, your records were on paper, locked up somewhere nearby. Turns out that the Internet is a more convenient place to store those records.
Data Location can Affect Data Privacy
Here is another real life example from a friend.
My friend had a recent encounter with an Ontario psychologist. The psychologist used a free Gmail account. Right off, my friend was put off by the unprofessionalism. Their services were $250/hour, the clinic should at least use a professional domain name.
I had a chance encounter with my friend. After some discussion, it turns out that more clinics use Gmail accounts. My friend decided to go with the flow and sign a contract, book appointments, get invoices to/from the Gmail account. But here is something that my friend, and the clinics, should know:
Fact: in Ontario, healthcare organizations must comply with the Ontario government’s Personal Health Information Protection Act, PHIPA. Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada.
The contract that my friend received had lots of legal jargon, she didn’t read it, but signed it anyway. Reviewing the contract, it does mention a couple of specialized apps that could be introduced to the patient. But there is no mention of Gmail, nor consent to Gmail.
Then the assessment reports started coming in. Medical information was now being sent via Gmail. Now clearly in violation of PHIPA rules, with medical information being sent.
"Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada."
Personal Information (PI) is information that can identify you unequivocally as an individual. An email address by itself is not personal information, but when that email contains a name and street address, that is “Personal Information” as far as the PHIPA rules go. Furthermore, her Personal Health Information (PHI) is being sent via Gmail.
Cybersecurity and privacy concerns simply did not exist in the past. Your doctor, for example, would simply lock away your records in the filing cabinet. But now, we must look out for our own privacy. You can make some assumptions: a big hospital in Ontario is very likely to be following PHIPA rules, but smaller clinics may not be.
You can ask the clinic if they follow PHIPA rules, or maybe where they store their patient’s data. In the case of my friend’s psychologist, we have taken the time to inform him of the rules, the PHIPA rules specifically, that he should be following. Ultimately, that psychologist could have been reported to the College of Psychologists of Ontario, but that would have been an extreme measure.
Bottom line: vigilance is required every day for all interactions on the Internet. Your privacy is always at risk. The more private information you give, the more you have to think about your own cybersecurity. If the information is important to you, then you must consider the location of your information.