GDPR for Psychotherapists - Technical issues; protecting hardware and software; backups
/One in a series
This is one in a series of interconnected blogs about applying the Data Protection Act (2018) and GDPR(2016) laws for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context and give background.
No affiliation
I do not get paid for, or get any other consideration, and don't have any affiliate arrangements with the organisations, companies or individuals I mention or their products or services. I do use many of the software applications I mention, but receive no discount or anything for mentioning them.
Recommendations for securing your laptop or desktop
If your laptop would ever get stolen, or if you lose it, and it is not encrypted, anyone taking it can in seconds access any information you have on it (bypassing your login password). The answer for this is to encrypt your laptop. For Apple Mac this is easily done, by ticking the box for FileVault in the System Preferences. And in Time Machine, you tick that you want the backups to be done to an encrypted volume.
For Windows complete disk encryption is less easy to arrange. The proprietary system for Windows with a good security reputation is Bitlocker. However, Microsoft do not make this available for free any more for home users. You can get it by upgrading Windows 10 (Home or Personal) to Windows 10 ProPlus. That costs a one-time $99 (approx £75).
There is an alternative to Bitlocker which is at least as secure, Veracrypt, and it is free and open source. But it is technically not as easy to use.
Those are the main fully secure options. As my research goes, all other options are either much less secure, or cost considerably more money.
Encrypted backups
The GDPR insist on good quality backup. The standard way to do that is to have one backup in the same house, and one somewhere else - usually these days that would be a cloud update. A local external hard drive needs to be encrypted. This is easy with Apple (using Time Machine). For a Windows system this can be done by Bitlocker and/or Veracrypt.
Hard drives and SSD drives are easier to protect than USB sticks / flash drives. Be especially cautious about the latter. Many security-conscious organisations stop their staff completely from using them. In principle they can also be satisfactorily encrypted. But it is invisible; the technology is less worked out and solid than for bigger drives; and flash drives are easily lost or taken. In principle, it is safest not to keep any "personal information" on a flash drive, ever.
For cloud backup, or syncing to cloud storage (a possible although technically less satisfactory solution), there are three options:
- No encryption. In my view that would be an unacceptably low level of security
- Encryption with the keys or password in the hands of the provider of the cloud storage. While this is often considered, I wonder how acceptable it is. Essentially this would mean you could accept Dropbox as a medium - though many would indeed be reluctant about that. In any case, if you consider this acceptable, there are a great many options. Storage with Dropbox, Google (G Suite), Microsoft (OneDrive) or Apple (iCloud). Backblaze, a very popular and low-cost product. And others.
- Encryption on a "private encryption" or "zero-knowledge" basis, in which case you are the only person with the keys or password to decrypt the files. This reduces the field to only a few names. There is pCloud with pCloud Crypto, Swiss-owned with servers in the USA. Tresorit, Swiss-Hungarian with servers in the Netherlands and Ireland. Spideroak One, US, with US servers. Backblaze is very well known, very good value, easy to use, and allows good security - though not quite as strong as Tresorit, Spideroak and pcloud. It is worth considering. Tresorit and Spideroak One are more expensive than the others. But if you only use this encrypted backup storage for client material, that probably would not matter, as the cost is per GB, and the volume would be small - sometimes little enough to fit inside the free limit of their lowest-cost package.
Encryption tools
You want full-disk encryption, not file-by-file encryption. And note that you can only encrypt a "drive formatted with a file system". Not a drive as such.
For USB flash drives, the favourite file systems are FAT32 and exFAT, as they are cross-platform - that means that you can use the flash drive on Windows as well as Mac computers. In the somewhat unlikely event your pen drive wouldn't be formatted as exFAT or FAT32, do that first.
For encryption, if a choice of systems is given and you can, use AES - and AES256 in preference to AES128.
The process of full-disk encryption destroys any data you have. So move them out first; then encrypt; then move data in again. Or start afresh with a new flash drive, make sure of the formatting, and then encrypt it.
On a Mac, format, then encrypt with Disk Utility. Be aware that the Time Machine does not allow you to use APFS, but only the older HFS+ (same as "Mac OS Extended Journalled with GUID Partition").
On Windows, format with Disk Management Tool; then encrypt with Bitlocker or Veracrypt (as for hard disk drives; see above). For a nicer paid-for encryption experience on Windows, you can buy Gilisoft USB Encryption.
Special paid options
If you've got money to burn, you can perhaps get a slightly nicer experience with special paid software. But not better security.
For formatting you could use
- Paragon (Mac + Windows)
- Gilisoft USB encryption- only for USB sticks / flash drives
Hardware encryption options for flash drives
Finally, some people love hardware-integrated encryption for flash drives.
A few names:
Apricorn Aegis Secure Key
Kingston Data Traveller Vault
Lepin encrypted flash drive