Raising Awareness of the Facts about Fax
The ongoing use of traditional fax machines to send personal information and personal health information by government institutions and trustees continues to raise privacy concerns. My office and Canada’s other privacy commissioners and ombudspersons called for a concerted effort to phase out the use of traditional fax machines in a September 2022 resolution which can be found here. We understand that developing this plan will require broad consultations and additional resources. However, we continue to urge organizations to address this problem on an urgent basis. Public trust and confidence in organizations’ ability to protect Saskatchewan residents’ personal information and personal health information hangs in the balance.
In the meantime, we continue to receive complaints and reported breaches of misdirected faxes that are caused in part by human error. Staff may enter a number in the fax machine incorrectly, fail to comply with policies that require the use of pre-programmed fax numbers or rely on fax numbers found through unverified sources, such as Google. These errors are often caused by inattention, or lack of awareness or training on applicable policies. Our latest misdirected fax investigation report was issued in November 2022. It involved two Saskatchewan Health Authority (SHA) employees who entered an incorrect fax number in the fax machine. They sent one of the faxes to a Town instead of a public health office. They sent the other fax to the Parole Board of Canada’s office instead of a physician.
In September 2020, my office issued guidance on the safeguards to prevent misdirected faxes titled, Faxing PI and PHI. While plans are being developed to discontinue the use of traditional fax machines, every effort must be made to ensure that appropriate safeguards are in place to prevent faxes from going astray. We encourage all organizations to revisit this guidance.
To help ensure that staff are aware of their need to comply with existing policy and to exercise caution when using fax machines, we have developed a poster that you can download and place in key areas near fax machines.
Remember that a policy is not enough! Creating a privacy sensitive culture requires that organizations raise levels of awareness of privacy risks and provide appropriate training.
To stay up to date on the latest news in access and privacy, please follow us on twitter @SASKIPC.