We all know that the quality of the information on the Internet is unreliable. It contains the best and the worst, which requires discernment on the part of the user to choose the online resources and services they consult, and which should lean towards those who have a very good reputation and have proven themselves. This is, of course, all the more important when it comes to health-related information and services.
But beyond the reliability of the content, another critical aspect to be taken into account concerns the protection of users’ personal data, in particular those relating to their health, which are considered sensitive, in order to avoid them being sold and to guarantee a respect for their privacy.
This shocking phrase from an anonymous author sums up the business model that has enabled the free content and services industry on the Internet to generate gigantic profits: free access attracts a ton of users who, by leaving traces of their consultation or by identifying themselves to personalize their use, become the product sold at high prices to advertisers and merchants around the world. The more traces that are left behind, the more the profile of the user becomes complete and valuable, because we then know what temptations he or she might give in to. If some of these traces make it possible to infer the health condition of the user, the risk of invasion of privacy increases; the insurability of the user could be impacted for example.
An additional problem – and not the least – is identity fraud, made possible by the ill-intentioned theft of this personal data and its cross-references. It is easy to imagine the abuses that can occur when this theft succeeds, and reality shows that it is a very real and high risk with potentially serious consequences.
This reality has led the authorities of several countries to regulate the industry to reduce the risks mentioned above. Any company doing business in one or more of these jurisdictions must comply with local regulations.
In Canada, Quebec was the first province to adopt a law to ensure the protection of personal information, more than 25 years ago. The federal government and the other provinces have followed – each on their own – resulting in the fact that there are now a dozen pieces of legislation that are more or less equivalent but are not identical, and with which companies must comply!
In the United States, a similar situation has developed, with the State of California having the most advanced and binding regulations.
The European Union, for its part, has set an example for the world by adopting a modern and unified regulation for all Member States in 2016, known as the General Data Protection Regulation (GDPR), generally considered as a model to follow and which seems to be becoming the international reference standard. This is happening in Quebec with Bill 64, in Canada with Bill C-11 and surprisingly even in the United States with the modernization of the California Privacy Rights Act (CPRA) that will come into force in 2023: In these three cases, there is an alignment towards the European GDPR!
At SOSCuisine.com, we have adhered to full compliance with all Canadian federal and provincial regulations. To do this, we had to put in place administrative, physical, and technical security measures to protect the integrity of the data, as well as the confidentiality and security of our online services.
To give you an idea of the magnitude of the effort, here is a non-exhaustive list of these measures: new work procedures, data access controls adapted to the different roles of our employees, recording of all access to health data, data storage in Canada, ongoing training of our employees on privacy and cybersecurity, systematic testing of the site to detect possible bugs and security vulnerabilities, encryption of all data transferred between our site and users as well as encryption of passwords with robust algorithms, migration towards the best cloud-based collaborative work environment hosting sites from the point of view of security and confidentiality, use of secure messages and emails, verification of our suppliers’ compliance with regulations, as well as periodic meetings to review our methods in the spirit of continuous improvement.
As you can see, ensuring the adequate protection of personal data is neither simple nor cheap, but we consider it our duty to offer professional, reliable, and secure online services for all our users, and in particular for the patients that many doctors refer to us.
Let us be vigilant when we consult online resources and services, not only with regard to the reliability of the content, but also with regard to ensuring that they adequately protect users’ personal data, and in particular health data. Until individual conformity certifications appear on the market, the best way to ensure this is to prioritise well-established resources and services, which have a reputation for seriousness and which explicitly declare the nature and extent of their compliance with the regulations.