Risks of Data Storage

Risks of Data Storage

Canadian therapists should be aware of the risks of data storage.

Q: Where can data be stored?

Often the same data is stored in more than one place. It is common to have an automatic back-up system which makes a copy of the information stored on local computers. Storing data in the cloud introduces a privacy risk. Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.

In general, data can be stored on:
  • local computers, in the RAM and on the drive
  • external drives, USB flash drives, memory cards
  • servers
  • the browser you are using to access internet sites, the sites you visit and the software you are accessing online.
Server: A server is a computer program that provides a service to other computer programs. In a data centre, the physical computer which runs the server program is also frequently referred to as a server. If you work for a school district, health authority or hospital, your organization will have servers in specific locations and you will be able to store information on one of those servers rather than on your local computer.
 
LAN: A local area network is a computer network within a small geographical area such as a home, school, computer laboratory, office building or group of buildings. If your place of employment has a LAN, you will have inter-connected workstations and personal computers which are each capable of accessing and sharing data and devices such as printers, scanners and a central server.

Q: Why does data storage entail privacy risks?

The Internet can best be understood as a community of computers that are allowed to connect to each other, and any computer on the Internet can connect to any other computer at any time it wishes. Through infrastructure that spans the globe, there is one single, unified Internet that all computers connect to, allowing anyone connected to share and access all the information that they choose to. Thus, this open availability of data creates a huge privacy risk.

Q: What does terrorism and FBI surveillance have to do with our privacy laws in Canada?

The US passed the Patriot Act shortly after the terrorist attacks on Sept 11, 2001. It allows the US government to eavesdrop on face to face, telephone and electronic communication without cause. This includes banking information and employee records, essentially any personal information. The critical point is that any information stored on servers in the US is available for surveillance by the FBI without the person’s knowledge or consent. 

Here in Canada, that level of surveillance makes our government uncomfortable. 


Q: How would the FBI gain access to data on my clients?

Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.
 
Cloud-Based: This is a term that refers to applications, services or resources made available to users on demand via the Internet from a cloud computing provider's server.
 
Global Server Load Balancing (GSLB): This is the practice of distributing Internet traffic amongst many connected servers dispersed around the world. The benefits of GSLB include increased reliability and reductions in latency. For example, email programs like Gmail, Hotmail, and Yahoo run from global servers.

Q: How do I know where my data is stored?

If you are an employee of a public body in BC, your employer should be in compliance with FOIPPA. A public body is required to store data on a server in Canada, subject to three main exceptions.
 
Client Consent: The client has given consent for the public body to store and access the personal information on a server outside of Canada.
 
The client’s consent must:
 
  • Specify the purpose of storing or accessing the personal information
  • Be in writing
  • Specify the personal information for which the client is providing consent
  • Specify the date on which the consent is effective
  • What date the client’s consent expires (if applicable)
  • Specify who may store or access the personal information from outside of Canada
  • Specify which jurisdiction the personal information may be stored in or accessed from (if practicable) 
Authorized by a Written Agreement: Personal information may lawfully be stored in another jurisdiction in circumstances where, for instance, a written agreement authorizes the disclosure of the personal information in another jurisdiction.
 
For Purposes of Payment: The personal information may be stored or accessed on a server outside of Canada for the purposes of a payment to be made to or by the government of British Columbia or a public body.
 
If you are working in the private sector, FOIPPA does not apply unless you are obtaining data from the provincial government. Instead, your company is expected to comply with PIPA, which does not prohibit the storage of data on global servers and cloud-based applications. Because of Global Server Load Balancing, it is unlikely that you will be able to determine where your data is stored.

Q: Should I use Canadian cloud storage?

If you work for a public employer, find out where your employer wants you to store data. 

If you work alone in private practice and your contracts require you to keep data in Canada, you could just store your data on your local computer and on a local backup drive. 
 
If you work with a treatment team and you want to keep your data in Canada, yes, Canadian cloud storage would be a good idea. There are many options.