The privacy incidents that have gotten the most press recently in Canada have been related to misdirected faxes. To name just a few:
- Incident: Canadian bank's internal faxes went to West Virginia for three years
- Canadian Privacy Firsts: Misdirected faxes leads to joint investigation and report by Alberta and Federal Commissioners
- BMO investigating faxes sent to wrong machine
- Alberta hospital faxes patient information to Edmonton newsroom
I've seen loads of "Faxing Guidelines" produced by organizations and privacy commissioners that include some pretty common sense suggestions to minimise the likelihood of problems. But problems almost always will occur simply because accidents to happen. (Luckily, in most cases it will be a one-off mistake.) Guidelines need to be implemented to make sure that the right people are informed of the issue and know how to practice safe faxing.
Below is a set of faxing tips I've developed over the last little while. A couple, which I've highlighted, do not appear in any other guidelines I've seen and are the results of lessons learned from various incidents I've seen or been involved with.
- Physically secure the location of any fax machine that receives incoming faxes.
- Use speed dial functions of your fax machine ... and verify each number by sending a test fax before sending any personal information.
- If you use a fax machine to send both sensitive and non-sensitive information, consider getting separate fax machines for the different kinds of information. Designate a fax machine for personal or confidential information and program the speed dial functions to include only trusted recipients. (I have heard the story of a physician who regularly faxed letters to the editor, so had the local papers on his speed dials. Unfortunately, one of these buttons was right next to the speed dial button for the local hospitals' records department. You can guess what happened.) If you can't have a separate fax machine, don't have "trusted" and "not-trusted" buttons next to each other.
- If particularly confidential information will be sent, contact the recipient in advance to tell them to expect the fax.
- Do not "retire" any of your fax numbers because it may continue to receive faxes from people who haven't updated their records. Phone companies, facing a shortage of numbers, will quickly reassign retired numbers and you have no idea where those faxes may end up.
- If you have a number of locations, branches or outgoing fax machines, make sure that all fax cover pages have one central number for reporting misdirected faxes and make sure that someone is at that number to keep track of problems. This one, simple and easy to implement precaution would have avoided all of the problems experienced by CIBC. Three faxes with the same error would have been all it would take to notice a pattern and figure it out. Of course, include a cover sheet that indicates that the information is confidential and should not be disclosed to any unauthorized persons.
- Double check the number before you push the "send" button.
- Check your confirmation sheets to make sure that the number called was the same as you intended.
- Use desktop faxing technologies or -- better yet -- scan materials to PDF and e-mail them. The risk of interception is greater with e-mail, but e-mail goes to one designated recipient and does not sit around on a fax machine.
- Many fax machines have the ability to encrypt or password protect faxes. If the information is sensitive, by all means use it! For internal faxes, as was the case with the CIBC incident, there is no reason why you shouldn't since you have control over both fax machines and you'll prevent the faxes from being read if they end up at the wrong machine.
Implementing all of the above should significantly reduce the likelihood of problems and should also allow you to identify any problems before they get out of control.