GDPR for Psychotherapists - Technical issues; encrypting the communication of personal data
/One in a series
This is one in a series of interconnected blogs about applying the GDPR(2016) and DPA(2018) laws for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context.
No affiliation
I do not get paid for, or get any other consideration, and don't have any affiliate arrangements with the organisations, companies or individuals I mention or their products or services. I do use many of the software applications I mention, but receive no discount or anything for mentioning them.
Using a VPN
If you like using one of your portable devices, mobile phone, laptop, tablet, in a public place (café, train, airplane, underground, library, hotels (!), station, museum, shopping centre), you need to take into account that the Wifi there is almost always completely unsafe. As regards surveillance and checking, and as regards the possibility of even very amateur hackers hacking into your communication. That very much introduces extra dangers; even when browsing or using unencrypted email for non-client related purposes, as soon as someone gets access to your device, a lot of your defences, including encryption, are gone...
There are an enormous number of VPN offerings on the market, some paid, some free. The paid ones can vary from £40 to £80 per year. You pay for actual services, servers that need to be installed and maintained; not just for a programme. The general advice of security-conscious people is not to bother with free VPNs. They may be low-quality security wise, or very slow, or unreliable, or make money on the data that they connect despite promises. Any reasonable VPN provides safety and means that when you are on public Wifi you have a reasonable level of safety, instead of an unacceptably low one.
In no particular order, a number of well-known VPNs are ExpressVPN, PIA, Personalvpn from Witopia, TunnelBear, ProtonVPN. Many of these also have apps on iPhone and android phones, to protect your data and the integrity of your hardware.
If you dislike another thing to do, software to install and learn, money to pay, there is one very easy solution: don't use any device that in any way is connected with personal data in a public place, using Wifi.
Messaging encryption
This is well researched, and a lot is known about the relative security of different apps, with SMS texting and Facebook Messenger at the weakest end, and wire and Signal two of the strongest. I would say that three apps are solid and reliable, wire, Signal and Threema. WhatsApp, although encrypted, has a more doubtful reputation, somehow, that is not really going away. Signal is based in the USA. wire and Threema are based in Switzerland. This makes a difference for possible subpoenas. There are several evaluations with broadly similar outcomes.
Email encryption
These are some high-level policy choices you could make, all with their advantages and disadvantages:
- not using email with any of your clients
- using email with a significant number of your clients; but without having end-to-end encryption in place
- having encrypted emails with some clients, unencrypted with others (but how to decide and police? how to justify under GDPR?)
- insisting to your clients that IF they would want to have email interaction with you, any email contact you have is fully encrypted, and that they have to follow your technical lead on that
You can discuss / agree your policy with your clients, or decide unilaterally - but under GDPR, you still need to disclose what you decided, or what you will do, to clients, and get them to accept, consent, agree, or opt in.
What are the technical options and constraints? Unfortunately they are much more complex than for messaging, and none of them are completely satisfactory. Technically it would be easy to make the whole email world encrypted and fully secure. It is useful to speculate why this does not happen. I believe that the reason is that the major players involved would not like complete privacy and secrecy. Governments don't like it, as they like to spy on everyone they can spy on. The big tech players and the professional experts believe (rightly) that the current state of chaos and uncertainty produces excellent opportunities for marketing and profit-making business, and drives millions of non-technical people into the hands of professionals who can charge for their services and make a good living. It is important to see this, as it explains some of the structures that are in place.
I will simplify, and leave out some little-used possibilities, sticking with ones that have a strong reputation and have proven themselves through years of experience.
Most commonly used options depend on sender and receiver both using the same system. Encrypted email brand A is secure when emailing with another person using brand A. But this product does not provide any protection when emailing with anyone else. So for therapist-client confidentiality this means agreeing with a client that they use an email brand that the therapist already has. And the client will typically then have to install it, register, choose a (hopefully adequately strong) password, ideally adding Two-Factor Authentication, and will usually have to pay for it - not much, but still.... Some of the brands have a small-scale lowest-tier package which is free. But often this means restrictions.
Email is inherently insecure - in the way it is implemented today. There are a whole range of options to have encrypted email solutions that you can trust. (Note that if you have data encrypted, but others, especially a large compamy, have the keys / password, and you don't, you only have moderate security.)
Simplifying considerably, I limit my recommendation to two options, Protonmail and tutanota. They both have limited free options - limited as regards storage space. If you would have a separate email system for clients only, which has a lot to be said for it, you can probably last for quite some time. If you also use the email for the contact form on your website, you have a closed system. However, the encryption is only there if your clients also use the same email system, i.e. Protonmail with Protonmail, or tutanota with tutanota. Given that they can almost certainly suffice with the free plan, it is not a financial sacrifice for your clients. You would need to insist on it, and state that you are only prepared to have email contact with them if they use your secure system. Any other options that would be more flexible, tend to become rapidly a lot more challenging technically. There is currently no really attractive solution for this. Sticking with gmail means that you could have the emails encrypted everywhere, but Google itself could, and typically would, access the content. Same for the other big names like Microsoft and Apple.
There are specialised commercial options available. They typically are fairly expensive; and most of them, like with Google, allow the providing company and its staff to see the plain text of your emails. Is trusting them not to do so enough protection for client material? Some of these providers provide more than only email (e.g. hosting, data storage). Zix corporation is an example of this type. They are US based.
Your chosen secure email system for clients would also be used for the contact forms on your website.
Technically one more solution exists, which has been around for over 20 years, and has withstood all attempts to break it, as it is mathematically so sound. This one is known as PGP (alternatively called GPG, a nuance which is not important here). This allows two people on different email systems - any email systems really -, to communicate using encryption, in a way that cannot be hacked into. And the information necessary for decryption is asymmetrical; thanks to some mathematical magic it can be made publicly available without any risk. Many investigative journalists use this. And media / newspapers as well as lawyers who invite whistle-blowers or international activists to contact them, usually offer them to write in using PGP/GPG (though offering an encrypted "portal" is also done; except in that case you need to trust them, as you cannot check that indeed the portal is secure, or who has access, etc.) PGP/GPG is very secure. And it is free.
So why is PGP/GPG not used much more? Unfortunately, the practice of it (and I've had quite a bit of practice myself and with others) isn't so easy technically. Sometimes there is a problem. Sometimes it doesn't work and you need to find out why. You have to be meticulous in how you protect your own confidential key - otherwise all protection is lost. So for many people - who may already be challenged by the idea of using a password manager -, this is not realistic. Nevertheless, it does exist. It is eminently usable, and, if correctly used, is very secure. Apple Macs have a special implementation of it which is easier to use. So does the Thunderbird mail client, which is a free equivalent of Microsoft Outlook and Apple Mail.
All these systems, but especially GPG/PGP, suffer from one inescapable weakness: when you use it on your computer or laptop, you want of course yourself to have a decrypted version available to read and consult. So if your own computer is not secure and protected, if it could be stolen or hacked into, then someone who is inside your computer can read all of it. This re-emphasises that you need to encrypt your laptop.
All of this is not so different from having old-fashioned paper files with therapy notes in a locked-up file cabinet. If you are away on holiday, and burglars break in who want to get your files, if they are professional they would usually be able to break into most "normal" filing-cabinets, too - and be able to read your notes. Physical protection is difficult to arrange that can withstand all attacks. But a "reasonable" level of security is possible - that's why we have locked filing cabinets, and don't let our notes lie on our table. In the same way clients and the GDPR expect a "reasonable" level of information security in your digital environment.
One final aspect. If you use a system like PGP/GPG, and use a "normal" email supplier such as Gmail (Google) or hotmail (now Microsoft), you will decrypt the emails you receive, and have them as part of your email - they will be kept on a server - which probably means that they would be available in decrypted state on the computers of Google and Microsoft. That is reasonable protection, but not against employees of those companies, or research systems (Cambridge Analytica!!) of these or related companies. Because of that, just using PGP/GPG may still not be a good-enough solution; a separate encrypted system is more secure.
Overall I think there is a lot to be said for Protonmail and tutanota - operating from countries with a strong tradition of privacy legislation.
Gmail have not done anything to make it easier to use PGP/GPG on their usual system - one can only guess why (!). The only encryption they facilitate are three systems, one of which is a Google system, and another one which is based on Zix. So that is another obstacle to using PGP/GPG in an easy way.
If your response is that you’re using Gmail (probably market leader in email and technically very good), would like to stay with them, and change as little as possible, as I stated, you can use one or more of the official Google-presented options for encryption. However, these only work if your client installs the same, i.e. also uses Gmail, and also installs the encryption system you’ve chosen, and pays for it (typically about £5/month). The three main options are GAME, zixmail and virtru.
Here are two links with more details about these gmail solutions: Email Encryption in Google Apps
These are some general links: