What Canadian physicians can do to protect patient information when travelling across international borders
In brief
- Border agents can inspect business information, including medical records stored electronically on a mobile device (such as a smartphone, laptop, USB drive, or tablet).
- The CMPA encourages physicians who travel across international borders to consider whether their devices contain identifiable patient information.
- Any confidential information that is not required during the trip should be removed from devices, even if the information or the device is password-protected and encrypted.
- Keep your mobile devices in airplane mode when submitting to a border search.
Travel to international destinations
Border agents in all countries have the right to search travellers and their belongings. Their goal is to identify and prevent terrorist activity, financial and commercial crimes, child pornography, and immigration offences.
Since travellers now routinely carry mobile devices including smartphones, USB drives, tablets, and laptops, border agents are expanding searches to include these devices. Searches may include inspection of the physical device for evidence such as compartments that may be used for smuggling. Travellers might also be required to allow border agents access to information stored on devices, including electronic documents, emails, and contacts.
Travel to the United States
Authority to search mobile devices
United States Customs and Border Protection (CBP) officers can conduct a routine, non-invasive search, without a warrant or reasonable suspicion, of the information accessible on a traveller’s mobile phone, computer, camera, and other electronic devices.
All travellers crossing the United States border are subject to CBP inspection. The Canadian federal government’s United States travel advice states that CBP authorities strictly enforce entry requirements and to expect scrutiny at ports of entry, including examination of electronic devices. It further advises Canadian travellers to comply and be forthcoming in all interactions with border authorities.
Although a 2018 CBP directive [PDF] states that medical information and other possibly sensitive information will be handled "in accordance with any applicable federal law and policy," it does not preclude a search of the device and the information stored on it or seizure of the device by the government.
CBP officers conducting routine searches cannot use the electronic device to access information stored only remotely. For example, medical records accessible on a smartphone only through a remote server and not stored on the device itself should not be subject to search by border authorities in the normal course. To prevent inadvertent or unauthorized access to such confidential information, the border agent should ask you to disable network connectivity or put the device into airplane mode. If not expressly asked, you should do so before submitting to a search.
Searches that are more extensive can be conducted only if the border agent has reasonable grounds to suspect illegal activity or a national security concern. An advanced search often involves connecting external equipment to the mobile device to review, copy, and analyze its contents. Border authorities may seize the device for a potentially significant period to perform an advanced search, although the 2018 directive states that detention should not ordinarily exceed five days.
When the inspection is complete and no further action is being taken, CBP must destroy copies of any information taken from a device and return the device to the owner.
Password and encryption
If asked, you are obligated to give CPB officers your device and the information stored on it in a condition that allows the agent to search it. If the device is password-protected or encrypted, you may be required to give the officer the password or the encryption key, or both. Officers can also demand passwords for applications on the device, which may allow them to access your social media accounts and emails.
CPB must delete passwords and encryption keys obtained during a search once they are no longer required for that purpose.
If you fail to cooperate with CPB border authorities, they could seize the device and refuse you entry into the United States.
Privacy breach notification
Border searches raise complex legal issues, including whether the physician’s local privacy commissioner, College, or patients should be notified of the search. Members are encouraged to contact the CMPA to discuss possible notification requirements when identifiable patient information is accessed during a border search.
Additional reading
