indiscriminate retention may outweigh the reputational advantages of keeping a promise. 21 Even if it were kept, any defects in the supplier’s own security would mean that a third party could gain access to the data before it was erased, and could copy it to another location. 4.8 Ethical implications & some possible partial protections Because the IPA Ethics Code recognises confidentiality as one of the foundations of psychoanalytic practice, and because it requires psychoanalysts to protect patients’ confidentiality, analysts who practice ‘remote analysis’ will need to consider whether they are able to protect confidentiality sufficiently. It is realistic to suppose that by taking adequate precautions, confidentiality can be given partial protection against some possible intrusions upon privacy. Examples of such precautions would include: ● use of dedicated devices for clinical work (that is, devices that are not shared with family members or colleagues, who may inadvertently download compromising software); ● use of strong passwords wherever possible; ● avoidance of public WiFi hotspots; ● use of Virtual Private Networks (VPN) for all communications which are not otherwise encrypted; ● end-to-end encryption for audio and video communication; ● use of encrypted email; ● regular security auditing, with active testing of potential vulnerabilities; 22 ● seeking expert advice about establishing and maintaining an adequate system. For many analysts such measures will not be sufficient because they will feel that incomplete protection, combined with their own inadequate understanding of the nature and extent of its incompleteness, would undermine their capacity to provide and maintain a psychoanalytic setting. These analysts can therefore be expected to avoid remote working, or to abandon the practice if already begun. For others, partial protection may be sufficient, provided the risks are properly appreciated and mitigated. This group will include analysts for whom the acknowledged risks to 21 In a recent series of legal cases, FaceBook has been successfully challenged on these grounds. See: http://www.europe-v-facebook.org/sh2/ES.pdf At the time of writing (early April 2018), information about a massive breach of privacy by FaceBook and the data analytics firm Cambridge Analytica is still in the process of being documented by journalists: https://www.theguardian.com/news/2018/mar/26/the-cambridge- analytica-files-the-story-so-far https://epic.org/privacy/intl/schrems/ 22 This is a complex area involving specialist expertise in a range of techniques such as: vulnerability assessment; penetration testing; advanced persistent threat (APT) analysis. For explanations of the meanings of these and other terms current in computer security, see the glossary provided by the US Dept. of Commerce, National Institute of Standards and Technology (NIST, 2018)
24
Made with FlippingBook - professional solution for displaying marketing and sales documents online