The Durham data breach from last week (and reported earlier this week) has been met with incredulity by the Ontario Information and Privacy Commissioner. A directive to use data encryption has been issued, prohibiting the transfer of sensitive data if encryption is not used.
As you’ll recall, the loss of a USB key meant the breach of 83,000 patients who had received flu shots in the Durham Region.
The Commissioner has pointed out that the Personal Health Information Protection Act (PHIPA), passed in 2007 expressly for Ontario, directs that “health information custodians not…transport personal health information on laptops or other mobile computing devices unless the information was encrypted.”
You’ll notice that this implies PHIPA is much more strict than PIPEDA when it comes to the encryption of sensitive data. While, per the above, PHIPA requires the use of encryption, PIPEDA, under 4.7.3 (c), only seems to recommend it: “the method of protection should include…” is how it reads, and “should include” is not the same as “must include”.
What To Do If You’re Not In Compliance In Ontario
The easy answer–perhaps even flippant–is to go ahead and encrypt your laptops and other portable devices that contain sensitive data (such as external hard disk drives). Granted, depending on the solution used, you may have to wait for someone to visit you on site after you sign up for the service (though other solutions need no such visit).
But if you must really, really transport those unencrypted sensitive files using something like a USB memory stick, the Commissioner has “advised that any unencrypted personal health information that needs to be transported, must be in the physical possession of the person responsible, at all times, until it reaches its secure location. This is only an interim measure until full encryption processes can be put into place.”
Hold on to that thing really, really tight. Or, you could just set yourself up with encryption right away.
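The Commissioner’s directive (“no transfer of sensitive data unless it is encrypted”) can also be enforced technically at the point where files are copied onto removable media. The example below is an added illustration, not code from the original post or from any vendor it mentions. It assumes a heuristic definition of “looks encrypted”: either a known container signature at the start of the file (a LUKS volume header or an OpenPGP ASCII-armoured message) or a high Shannon entropy over the first 64 KiB; the thresholds, file names and sample data are constructed for the demo. Treat it as a guard rail against accidental plaintext exports, not as proof that a file is properly encrypted.

```python
"""
Added example (not from the original post): a pre-transfer gate that refuses
to copy a file onto removable media unless the file already looks like an
encrypted container. The detection is heuristic (container magic bytes plus
an entropy check); thresholds and sample files below are constructed.
"""
from __future__ import annotations

import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Known encrypted-container signatures, checked at the start of the file.
ENCRYPTED_MAGIC = {
    b"LUKS\xba\xbe": "LUKS volume header",
    b"-----BEGIN PGP MESSAGE-----": "OpenPGP ASCII-armoured message",
}

SAMPLE_BYTES = 64 * 1024   # bytes inspected for the entropy test
MIN_SAMPLE = 4096          # below this size entropy is too noisy to trust (assumed)
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext sits near 8.0, text near 4-5 (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> tuple[bool, str]:
    """Known container magic wins; otherwise require high entropy on a large enough sample.

    Small samples are treated as plaintext (fail closed) because their entropy
    estimate is unreliable.
    """
    for magic, name in ENCRYPTED_MAGIC.items():
        if data.startswith(magic):
            return True, name
    sample = data[:SAMPLE_BYTES]
    if len(sample) < MIN_SAMPLE:
        return False, f"sample too small ({len(sample)} bytes) to judge; treated as plaintext"
    h = shannon_entropy(sample)
    if h >= ENTROPY_THRESHOLD:
        return True, f"high entropy ({h:.2f} bits/byte)"
    return False, f"low entropy ({h:.2f} bits/byte), likely plaintext"


def transfer_to_removable(src: Path, removable_dir: Path) -> Path:
    """Copy src into removable_dir only if it passes the encryption gate."""
    with open(src, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    ok, reason = looks_encrypted(head)
    if not ok:
        raise PermissionError(f"refusing to export {src.name}: {reason}")
    dest = removable_dir / src.name
    shutil.copy2(src, dest)
    return dest


def demo() -> dict[str, str]:
    """Constructed sample: a plaintext clinic list and a random-bytes stand-in for ciphertext."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        usb = root / "usb"          # stands in for the mounted USB stick
        usb.mkdir()
        plain = root / "flu_clinic_list.csv"
        plain.write_bytes(b"patient_id,clinic,shot_date\n" * 500)
        cipher = root / "flu_clinic_list.csv.enc"
        cipher.write_bytes(os.urandom(SAMPLE_BYTES))   # random bytes model ciphertext
        for path in (plain, cipher):
            try:
                transfer_to_removable(path, usb)
                results[path.name] = "copied"
            except PermissionError as exc:
                results[path.name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In practice this check would sit in whatever tooling staff actually use to stage files for transport (a scripted export step, a removable-media control, or a DLP rule), and the “encrypted” branch should be the normal path: the gate exists to catch the case the Commissioner’s interim rule describes, where a plaintext copy is about to leave the building.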