Business Basics

Risks of Data Storage

Risks of Data Storage

Canadian therapists should be aware of the risks of data storage.

Q: Where can data be stored?

Often the same data is stored in more than one place. It is common to have an automatic back-up system which makes a copy of the information stored on local computers. Storing data in the cloud introduces a privacy risk. Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.

In general, data can be stored on:
  • local computers, in the RAM and on the drive
  • external drives, USB flash drives, memory cards
  • servers
  • the browser you are using to access internet sites, the sites you visit and the software you are accessing online.
Server: A server is a computer program that provides a service to other computer programs. In a data centre, the physical computer which runs the server program is also frequently referred to as a server. If you work for a school district, health authority or hospital, your organization will have servers in specific locations and you will be able to store information on one of those servers rather than on your local computer.
 
LAN: A local area network is a computer network within a small geographical area such as a home, school, computer laboratory, office building or group of buildings. If your place of employment has a LAN, you will have inter-connected workstations and personal computers which are each capable of accessing and sharing data and devices such as printers, scanners and a central server.

Q: Why does data storage entail privacy risks?

The Internet can best be understood as a community of computers that are allowed to connect to each other, and any computer on the Internet can connect to any other computer at any time it wishes. Through infrastructure that spans the globe, there is one single, unified Internet that all computers connect to, allowing anyone connected to share and access all the information that they choose to. Thus, this open availability of data creates a huge privacy risk.

Q: What does terrorism and FBI surveillance have to do with our privacy laws in Canada?

The US passed the Patriot Act shortly after the terrorist attacks on Sept 11, 2001. It allows the US government to eavesdrop on face to face, telephone and electronic communication without cause. This includes banking information and employee records, essentially any personal information. The critical point is that any information stored on servers in the US is available for surveillance by the FBI without the person’s knowledge or consent. 

Here in Canada, that level of surveillance makes our government uncomfortable. 


Q: How would the FBI gain access to data on my clients?

Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.
 
Cloud-Based: This is a term that refers to applications, services or resources made available to users on demand via the Internet from a cloud computing provider's server.
 
Global Server Load Balancing (GSLB): This is the practice of distributing Internet traffic amongst many connected servers dispersed around the world. The benefits of GSLB include increased reliability and reductions in latency. For example, email programs like Gmail, Hotmail, and Yahoo run from global servers.

Q: How do I know where my data is stored?

If you are an employee of a public body in BC, your employer should be in compliance with FOIPPA. A public body is required to store data on a server in Canada, subject to three main exceptions.
 
Client Consent: The client has given consent for the public body to store and access the personal information on a server outside of Canada.
 
The client’s consent must:
 
  • Specify the purpose of storing or accessing the personal information
  • Be in writing
  • Specify the personal information for which the client is providing consent
  • Specify the date on which the consent is effective
  • What date the client’s consent expires (if applicable)
  • Specify who may store or access the personal information from outside of Canada
  • Specify which jurisdiction the personal information may be stored in or accessed from (if practicable) 
Authorized by a Written Agreement: Personal information may lawfully be stored in another jurisdiction in circumstances where, for instance, a written agreement authorizes the disclosure of the personal information in another jurisdiction.
 
For Purposes of Payment: The personal information may be stored or accessed on a server outside of Canada for the purposes of a payment to be made to or by the government of British Columbia or a public body.
 
If you are working in the private sector, FOIPPA does not apply unless you are obtaining data from the provincial government. Instead, your company is expected to comply with PIPA, which does not prohibit the storage of data on global servers and cloud-based applications. Because of Global Server Load Balancing, it is unlikely that you will be able to determine where your data is stored.

Q: Should I use Canadian cloud storage?

If you work for a public employer, find out where your employer wants you to store data. 

If you work alone in private practice and your contracts require you to keep data in Canada, you could just store your data on your local computer and on a local backup drive. 
 
If you work with a treatment team and you want to keep your data in Canada, yes, Canadian cloud storage would be a good idea. There are many options.

Free 30-Minute Workshop for Private Practice Therapists!

  • Discover the three biggest website mistakes made by private practice therapists
  • Walk away with an understanding of the changes you need to make to your website
  • Feel confident about being an entrepreneur, finally having a vision for a strategic website that will help you build your therapy practice
"After this workshop, I finally started thinking about the FUNCTION of my website, not just the look."

More of...

  • Referrals
  • Confidence
  • Ease & Balance

Less of...

  • Inefficiency
  • Frustration
  • Low Income


Free Consults

Free Consults

Private practice therapists in Canada should be aware that PIPEDA applies to free consults.

Q: Do private practice therapists need consent to offer free consults?

Private practice therapists  in Canada must be vigilant about getting consent to offer free consults because of PIPEDA, the Personal Information Protection and Electronic Documents Act. This is a Canadian law that shares some of the principles contained in the US law known as HIPAA, the Health Insurance Portability and Acountability Act. The emphasis is on accountability. PIPEDA states that a private business must not collect names, addresses and background reports if the company does not have consent to have that information. Furthermore, a private business must make reasonable efforts to ensure that the individual is advised of the purposes for which his or her information will be used or disclosed, and state the purposes in a manner that the individual can reasonably understand.

Get Written Consent 

Reduce your risk by getting written consent early in your interactions with the public. Create online referral and consent forms for your website. I teach private practice therapists how to do this in the AttractWell platform. People fill these in before they book any appointments. When an agency wants to set up a contract, ask the agency to direct the family to the URL with the consent form.

Free 30-Minute Workshop for Private Practice Therapists!

  • Discover the three biggest website mistakes made by private practice therapists
  • Walk away with an understanding of the changes you need to make to your website
  • Feel confident about being an entrepreneur, finally having a vision for a strategic website that will help you build your therapy practice
"After this workshop, I finally started thinking about the FUNCTION of my website, not just the look."

More of...

  • Referrals
  • Confidence
  • Ease & Balance

Less of...

  • Inefficiency
  • Frustration
  • Low Income


Therapists need Consent

Therapists need Consent

Therapists need consent before providing services.

Q: What does informed consent entail?

Informed consent entails informing the client about what will be collected and details about the type and number of services that will be provided. For SLP’s, it is a good idea to use the words assessment and therapy since this is how funders define SLP services.

Q: Should my clients give consent for telepractice service delivery?

Yes, your clients need to know what to expect. Your referral process, your consent forms and your contracts should provide all the necessary details in writing.

Q: What does consent for the release of information entail?

This consent is for collecting information and for disseminating information. The client should indicate which people or agencies are permitted to receive information from you. This applies to verbal, written and electronic communication. 
 
Likewise, if you want to obtain information about a client from another professional or agency you need to provide a Consent for Release of Information form when you request the information. Even if the client wants a copy of their own data, they must request it formally and provide signed consent.

Q: When is a consent for services needed by clients accessing services from a public organization?

Consent for basic services offered by a public organization is assumed. For example, if a member of the public arrives at a hospital or if a child is enrolled in a school, it is assumed that the person wants the basic services offered by that organization. It should be noted, however, that non-residents may not be eligible for publicly funded services. They may need to pay privately in order to access those services.
 
Because the data collected belongs to the organization, the employees within that organization can collaborate and make decisions. For example, hearing screening is conducted in newborn nurseries and follow up is determined. Reading readiness screening takes place in schools and students are given learning assistance. Often screening programs have internal follow-up but no reports. The client or family may not even be aware that an assessment has taken place and treatment decisions have been made.
 
Essentially, the process of narrowing enquiries down to qualified prospects occurs seamlessly inside many public organizations. They might not call it by this name.
 
It is important for public organizations to define the services that go beyond basic services. Simply put, these are services that members of the public are not expecting. These are services that are only offered to people who need them, qualify for them and give consent for them. The client or family members should be made aware of the risks and benefits, and they should be involved in the decision. This is referred to as informed consent for services.
 
A hospital might require consent to do surgery. A school might require consent to do a psycho-educational assessment. 
 
Does this mean that public agencies should ask for consent to offer telepractice services? Yes, if the client is expecting face to face services and the service provider is recommending telepractice services, this change requires consent. In addition, the client should be informed of the benefits, the risks and the safeguards in place to protect the confidentiality of the data.

Q: Can a teacher ask me questions about a student who is not on my caseload? Can I provide advice about a client if I have not asked for consent?

Professional communication within a workplace is normal; however, you are not permitted to reveal personal information about a client to anyone outside of your public organization or private business without consent. Be very careful about all your interactions. Privacy laws apply no matter what form of communication you use.
 
I was a service provider for a number of distance learning schools. The schools had contracts with my company. I was not their employee. Some of my students had large treatment teams which included teachers, assistants and other private service providers.
 
All phone calls that came to my office automatically went to voicemail. I asked team members to use my online scheduler to book phone calls. This helped me avoid phone tag and gave me a chance to ask the family for consent before I spoke to the person.

Free 30-Minute Workshop for Private Practice Therapists!

  • Discover the three biggest website mistakes made by private practice therapists
  • Walk away with an understanding of the changes you need to make to your website
  • Feel confident about being an entrepreneur, finally having a vision for a strategic website that will help you build your therapy practice
"After this workshop, I finally started thinking about the FUNCTION of my website, not just the look."

More of...

  • Referrals
  • Confidence
  • Ease & Balance

Less of...

  • Inefficiency
  • Frustration
  • Low Income


 
Read Older Posts Read Newer Posts

Free Workshop

The 3 Biggest Website Mistakes made by
 Private Practice Therapists


Free Mini-Course

Discover the 3-Part Formula that Attracts Niche Clients and Boosts SEO Instantly! 


Free Ebook

Discover How to Comply with Canadian Privacy Protection Laws in your Therapy Practice


Blog Categories

Business BasicsMarketing MindsetPaperless OfficeTherapy Career

Recent Posts

Frustrations for Therapists
Financial Risks
Contractor Pros and Cons
Entrepreneur Pros and Cons
Employee Pros and Cons
Be an Employed Therapist
Be a Contract Therapist
Legal Obligations
Skills Needed by Therapists
Be an Entrepreneur
A Resentful Employee
Three Career Paths
Billing for Therapy
Sending Marketing Messages
Privacy Protection during Marketing
Risks of Email

Anna Krueger, MSc

From Clinician to Strategy Consultant

If you are a private practice therapist, Therapy Biztech has step-by-step courses and tools customized for you. I spent more than 35 years as a private practice therapist in Canada. I gradually moved my caseload online and narrowed my business model to asynchronous therapy - online curriculum paired with consultation.  
  • Asynchronous therapy gave me the freedom and flexibility that I had always wanted. My income was no longer based on selling my time by the hour. My consultations session were for problem-solving and encouragement, not for delivering the curriculum.
  • My clients worked on their goals consistently. The curriculum was available to them 24/7 behind a login. Their time and effort produced meaningful clinical outcomes, without the high cost of traditional therapy.
  • Asynchronous therapy gave me a higher level of fulfillment as a therapist because I could attract a niche caseload, build confidence in using my methods with a large caseload that had similar needs, and gradually acquire expertise.
I closed my clinical practice and founded Therapy Biztech because I want to empower other therapists to offer asynchronous therapy. Learn how to streamline your website, marketing and curriculum so you can sell your expertise instead of your time.

Photo of Anna Krueger

Let's Connect

Send Message