Although fax machines are often considered a convenient mechanism for transmitting information, they have certain vulnerabilities which could result in information being sent to the wrong person.
While this may not present a problem when sending routine business information, it could have far more serious implications when personal data or other confidential information is involved.
The disclosure of personal data to unauthorised persons, whether accidental or intentional, constitutes a breach of the Data Protection Act and may lead to action being taken against the university.
For this reason, the use of fax machines to convey personal data is strongly discouraged, especially where this involves sensitive personal data such as medical information.
However, where there is absolutely no other option but to use a fax, the following procedure should be followed to reduce the risk of unauthorised disclosure of any personal information:
Confirm you have the correct fax number for the recipient.
Confirm that the receiving fax machine is located in a secure area or that the intended recipient is waiting by the fax machine to receive the transmission.
Use a St George’s, University of London cover sheet which includes an explanation of what to do if a message is received.
Visually check the destination number on the machine display before starting the transmission.
Do not leave secure faxes unattended in a machine, and make sure all sheets are removed from the machine once the fax has gone through.
Contact the recipient to confirm that the fax has been received successfully.
Keep a log of all ‘secure’ faxes that you send and receive.
It is also a good idea to use pre-set ‘autodial’ numbers, rather than entering numbers manually, and to audit all stored numbers regularly for accuracy.
Disposal of fax machines
Fax machines should be treated like any other piece of IT equipment and must be decommissioned appropriately to ensure any stored data is removed.