Consider the risks: Faxing personal information
Revised: March 7, 2023
Faxing personal information may increase the risk that highly sensitive details will fall into the hands of people who should not receive them.
Despite rapid digital advancements in health, finance and law, breaches of personal information continue to occur in those and other sectors because of the use of insecure communication technologies such as traditional fax machines.
The Office of the Privacy Commissioner of Canada (OPC) encourages organizations to phase out traditional fax machines and replace them with more modern, secure and interoperable digital alternatives. This is especially important for organizations handling personal health information. These organizations should replace old technologies with newer ways of transmitting personal health information such as encrypted email, secure patient portals, electronic referrals and electronic prescribing. See our joint resolution with our provincial and territorial counterparts on securing public trust in digital healthcare to learn more.
Phasing out faxes can reduce the likelihood of privacy breaches that require an inordinate amount of time and effort to contain and remediate – time that could be better spent on other business activities.
Although the OPC recommends against using fax machines to transmit personal information, we are aware that in some regions, digital infrastructure problems like poor internet connectivity make it hard to transition to more secure alternatives. If your organization continues to use the technology, consider these tips to reduce privacy risks.
Tips to reduce privacy risks
- Choose a machine that encrypts transmissions and requires users to key in a password to access and print the fax
- Keep fax machines used to send or receive personal information in a secure area to prevent unauthorized people from seeing faxed documents
- Before sending a fax, check that the receiver's number is correct, then verify in the machine's display window that you have keyed it in correctly
- Only fax personal information that you would feel comfortable discussing over the telephone
- If you are sending or receiving personal information by fax modem (a fax device contained in a computer), confirm that other users cannot access the fax without a password
- Call the recipient to verify that they received the complete transmission
- If somebody asks you to send them their personal information by fax, explain the privacy and security risks, what steps you have taken to mitigate those risks and obtain their informed consent before proceeding with the fax
- Date modified: