Fax is not compliant with data protection

Many companies and institutions still use fax to transmit information. This almost always involves personal data: invoices, delivery bills, pay slips, contract documents, (medical) reports, patient files, ...

But does the fax even guarantee the security required by data protection law?

If this is not the case, those responsible may face heavy fines and claims for damages.

Technical development

For a long time, fax was considered a very secure method of transmission. An exclusive telephone line was used, which guaranteed a high level of security. But today this is no longer the case: instead of being sent over an exclusive line with end-to-end encryption, a fax is now sent in individual packets over the Internet. Moreover, it can no longer be assumed that the recipient is also using a real fax machine, which would guarantee the corresponding security. Instead, it is now common to have an incoming fax automatically converted into an e-mail, which is then forwarded to the appropriate e-mail inbox.

Alternatives

So an alternative to the fax is needed. Encrypted emails, cloud solutions or the classic letter post are available here. But with the former, there are also a number of things to consider.

Encrypted email

It is essential that e-mails are encrypted. Otherwise, they can be viewed just like postcards. Although the BDSG recommends encryption (and the DSGVO does not bring any major innovations in this regard), there are two options here: Content encryption and transport encryption.

Content and transport encryption

Content encryption (also known as end-to-end encryption), as the name suggests, encrypts the content of the email. Only the metadata is still readable.

With transport encryption, on the other hand, only the transport is encrypted, while the e-mail is unencrypted at both the sender and the recipient. Transport encryption is necessary in any case to protect data, but it never replaces content encryption.

Correct implementation

It is important that encryption is always carried out correctly. Finally, the accountability obligation from Art. 5 II GDPR also relates to encryption. If a so-called "data breach" occurs, all affected parties must be informed as quickly as possible. This significantly damages the reputation of the responsible party.

There are various options for effective encryption. It is recommended to use standard solutions such as PGP, RMS or TLS encryption.

It is important to ensure that the configuration is correct. Due to the time-consuming configuration in advance, this solution is usually not feasible for B2C traffic, which involves spontaneous and changing communication partners. Here, one should rather rely on a password-based procedure.

If a company sets up encryption, it must be ensured that the procedure is compatible with all common clients. For example, it must also be possible for employees to send encrypted e-mails from their cell phones. It must also be ensured that automated e-mails are also encrypted.

Cloud solutions

Data exchange via cloud solutions is also conceivable. However, this too must be secured by appropriate encryption.

The problem with a cloud solution is usually that the service provider could in principle access the data, since it is usually available there in unencrypted form. End-to-end encryption is again an option here, as long as the underlying business process permits this.

The prerequisite for this solution is therefore always a trustworthy provider in addition to encryption.

Special categories of personal data

The GDPR divides some personal data into the "special category". These are enumerated in Art. 9 I GDPR. In addition to ideological conviction, sexual orientation and trade union membership, these are primarily genetic and biometric data, as well as health data of natural persons. In practice, in the medical sector, these are very often transmitted by fax from one doctor's office to another or to a hospital.

When processing this data, which also includes the transfer, Section 22 BDSG (which takes into account the requirements of Art. 9 II lit. b, g and i DSGVO) must be observed in particular, which prescribes "appropriate and specific measures to safeguard the interests of the data subject" for this purpose. This constitutes a legal obligation.

However, the transmission of such data via fax is not permitted due to the technical changes explained. This was also made clear by Imke Sommer, the Bremen State Commissioner for Data Protection and Freedom of Information.

Here, too, the alternatives listed above must be used. However, it will be several years before a (technical) changeover takes place here.

Conclusion

Each solution holds many data protection as well as technical pitfalls. The more data and the more frequently special category data is processed or transmitted, the greater the risks incurred due to the complexity. Expert and case-by-case advice becomes essential here.