Frequently Asked Question:

What is data sovereignty and what does it have to do with clinical photos?


Data Sovereignty is the idea that data are subject to the laws and governance structures of the nation in which they are collected. Where data are deemed to be collected becomes murky once you factor in the location of the servers that store them. Here we try to clear this up as it applies to sending and storing clinical photos with PicSafe.

There are many ways in which patient data can inadvertently end up travelling internationally. The most common are:

  1. Photos in your phone gallery. You take a photo on an iPhone, the photo is stored in the gallery, and the gallery is backed up to Apple's servers. Or, you take a photo on an Android phone, the photo is stored in the gallery, and the gallery is backed up to Google's servers.
  2. Photos in an email. You send an email with a photo in it to someone using a mail provider based in another country (Gmail, Yahoo, Microsoft, etc.).
  3. Photos in messaging apps. You send an SMS or WhatsApp message with a photo in it to someone. It is now sitting on their phone, and that phone may be taken internationally.
  4. Photos in third-party storage services. You use a file storage service such as Box, Dropbox, Google Drive or OneDrive.

None of these things needs to be avoided, and indeed they provide valuable services. Depending on how you use them, however, you can fall foul of privacy laws when handling patient data.

There are over 100 national data privacy laws in effect, with a dizzying array of requirements under specific circumstances. As a general rule, we have found that patient data should not be accessible to anyone outside the patient's home legal jurisdiction except where explicit consent is given on a per-use basis. See National Comprehensive Data Protection/Privacy Laws and Bills 2018.

Specifically, in Australia, the Privacy Act has this to say:

"Before [a doctor] discloses personal information about an individual to a person" … "who is not in Australia" … "[you] must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles."

Section 8.1. The APP Guidelines

"In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken," … "to have been done, or engaged in, by the APP entity."

Section 8.1. The APP Guidelines

Let us go over how you can protect yourself and your patients' data under each scenario.

1. Photos in your phone gallery.

Don't use the default camera app on your phone for taking patient photos. Further, when you take a photo from within many messaging apps (WhatsApp included), the photo appears in the phone's gallery. To stop photos being uploaded to Google's or Apple's servers you can turn off auto upload, but that is difficult and inconvenient.

PicSafe has been designed in such a way that as soon as you send/store photos, they are removed from your phone. They never appear in your gallery.

2. Photos in an email.

There are special encrypted email services; however, they are often expensive and rely on both parties using the service. There is also the issue of who has access to the keys used to decrypt the email.

PicSafe allows you to attach an encrypted file to an email, meaning that no patient data is visible to prying eyes as the email travels over the Internet. The keys used to encrypt the files are distributed through a "Key Server". PicSafe hosts a "Key Server" that any PicSafe user can use, or an institution can choose to run its own. Either way, the key to decrypt a file is not stored on the same server that stores the email and the data, and the key cannot be accessed without permission being granted and the access being logged.

3. Photos in messaging apps.

Much the same as with photos stored in email, photos stored in messaging apps can be accessed in transit or when being stored. Many services encrypt messages, but even end-to-end encryption does not make this safe. Further, once photos are viewed on a recipient's phone, they are stored on the phone. You have no control over where that phone goes or who has access to it.

PicSafe's solution here is not to embed the photo in the message but to include a link to the photo instead. The link points to a file hosted on My PicSafe. My PicSafe has servers in Australia, Canada, Ireland, the UK, and the USA. This means that for users in these countries, patient data will not leave the country. PicSafe users, therefore, send photos securely. The flow is:

  1. Take a photo.
  2. The app fetches a key and encrypts the data into a file.
  3. The app uploads the file to "My PicSafe" and generates a link.
  4. You can send the link via a messaging app.
  5. The recipient opens the link (either on their phone or on their computer).
  6. The recipient is prompted to either create a PicSafe account or sign in (thereby verifying who they are).
  7. The app or browser fetches a key to decrypt the file. Every time a key is fetched it is logged.
  8. The app or browser decrypts the file and displays the contents.
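The key-server arrangement described for email attachments above and the eight-step link flow just listed share one design: the file host holds only ciphertext, the key lives on a separate server, and every key release requires a verified account and is logged. The following is an added illustration of that design, not PicSafe's own code. It assumes hypothetical in-memory `KeyServer` and `FileHost` classes, a placeholder `example.invalid` link, and a stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) so that it runs with only the Python standard library; a real product would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _derive(file_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication sub-keys from the per-file key."""
    return hmac.new(file_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in stream cipher for this example only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_photo(plaintext: bytes, file_key: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(file_key, b"enc"), _derive(file_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_photo(blob: bytes, file_key: bytes) -> bytes:
    """Verify the tag before decrypting; reject a tampered file or a wrong key."""
    enc_key, mac_key = _derive(file_key, b"enc"), _derive(file_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: tampered file or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class KeyServer:
    """Hypothetical key server: releases per-file keys only to verified accounts and logs every fetch."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._accounts: set = set()
        self.access_log: List[Tuple[str, str, str]] = []  # (key_id, user, outcome)

    def register(self, user: str) -> None:
        self._accounts.add(user)  # stands in for "create an account or sign in"

    def issue_key(self, owner: str) -> Tuple[str, bytes]:
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[key_id] = key
        self.access_log.append((key_id, owner, "issued"))
        return key_id, key

    def fetch_key(self, key_id: str, user: str) -> bytes:
        # Denied attempts are logged too, so an audit shows who asked for what.
        if user not in self._accounts or key_id not in self._keys:
            self.access_log.append((key_id, user, "denied"))
            raise PermissionError(f"key {key_id} not released to {user!r}")
        self.access_log.append((key_id, user, "fetched"))
        return self._keys[key_id]


class FileHost:
    """Hypothetical regional file host: stores only ciphertext and the key id, never the key."""

    def __init__(self, region: str) -> None:
        self.region = region
        self._files: Dict[str, Tuple[str, bytes]] = {}

    def upload(self, key_id: str, blob: bytes) -> str:
        link_id = secrets.token_urlsafe(12)
        self._files[link_id] = (key_id, blob)
        return f"https://files.example.invalid/{self.region}/{link_id}"  # placeholder URL

    def download(self, link: str) -> Tuple[str, bytes]:
        return self._files[link.rsplit("/", 1)[1]]


def share_photo(photo: bytes, owner: str, ks: KeyServer, host: FileHost) -> str:
    """Steps 1-4: obtain a key, encrypt, upload, and return the link that goes in the message."""
    key_id, key = ks.issue_key(owner)
    return host.upload(key_id, encrypt_photo(photo, key))


def open_link(link: str, user: str, ks: KeyServer, host: FileHost) -> bytes:
    """Steps 5-8: download the ciphertext, fetch the key as a verified user (logged), decrypt."""
    key_id, blob = host.download(link)
    key = ks.fetch_key(key_id, user)
    return decrypt_photo(blob, key)


if __name__ == "__main__":
    ks, host = KeyServer(), FileHost("au")
    ks.register("dr.recipient@example.invalid")
    sample = b"\xff\xd8 constructed sample photo bytes"  # constructed, not a real image
    link = share_photo(sample, "dr.sender@example.invalid", ks, host)
    print("message carries only:", link)
    print(open_link(link, "dr.recipient@example.invalid", ks, host))
    print(ks.access_log)
```

The point to take from the model is the separation of duties: the message and the file host never see the key, the key server never sees the file, and a recipient without a verified account gets a logged denial rather than a decrypted photo.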

4. Photos in third-party storage services.

Each of the four primary third-party storage services is owned by a US company. The issue over who has access to what data is murky. PicSafe supports all four as we feel that each can be used securely. See the relevant FAQs for how to set up each of Box, Dropbox, Google Drive, and OneDrive. Specific discussion around the data sovereignty for each follows.

Box

In November 2016 Box announced "Box Zones in Australia", which enables Australian customers to store their data locally. Box says that by storing customer data in-country, it "can help address Australian Privacy Principles for organisations with data residency concerns and help companies meet the Australian Signals Directorate's strong recommendation that cloud providers handling sensitive data be located in Australia".

Unfortunately, you must have a Box Enterprise account to use Box Zones. The Box website asks that you contact them to get a quote. Expect to pay around $35 per month for this service.

Box provides a HIPAA-compliant secure storage option, and while HIPAA is a US-based standard for protecting patient privacy, it is viewed by many around the world as the gold standard in patient privacy regulation. Box provides a page called "Box HIPAA and HITECH Overview and FAQs" to assist with implementation.

This "Is Box HIPAA Compliant?" article gives an excellent summary of what Box does and what you should do to comply.

Dropbox

According to Dropbox's VP of Enterprise Strategy, Ross Piper, "Dropbox stores its Australian customer files in Amazon Web Service's Sydney data centre". This is despite their website saying all data is stored in data centres across the United States. Technically speaking, then, it sounds like you can use Dropbox. However, they state that they hold related metadata in the US, thereby raising the accessibility spectre once again. The fact that this issue is conspicuously not addressed on their website raises some doubt about using Dropbox here in Australia.

If you decide to use Dropbox, the "Dropbox Basic" free plan may be all you need for a while. That gives you 2GB of storage, which should be enough for roughly 400 photos. If you require more storage space, you can upgrade to various paid plans starting at AU$11.60 a month.

Dropbox provides a HIPAA-compliant secure storage option, and while HIPAA is a US-based standard for protecting patient privacy, it is viewed by many around the world as the gold standard in patient privacy regulation. Dropbox provides a help page called "Dropbox Business and HIPAA / HITECH—an overview" to assist with implementation.

This "Is Dropbox HIPAA Compliant?" article gives an excellent summary of what Dropbox does and what you should do to comply.

Google Drive

Google cannot guarantee that data will be stored in Australia. However, they claim their approach is more secure than keeping everything in a local data centre.

Google provides a HIPAA-compliant secure storage option, and while HIPAA is a US-based standard for protecting patient privacy, it is viewed by many around the world as the gold standard in patient privacy regulation. To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a "Guide for HIPAA Compliance with G Suite" to assist with implementation.

This "Is Google Drive HIPAA Compliant?" article gives an excellent summary of what Google does and what you should do to comply.

OneDrive

Microsoft stores OneDrive data in data centres in Australia for Australian users.

Microsoft's OneDrive provides a HIPAA-compliant secure storage option, and while HIPAA is a US-based standard for protecting patient privacy, it is viewed by many around the world as the gold standard in patient privacy regulation. Microsoft's Trust Center has a "HIPAA and the HITECH Act" page that states that it is capable of providing HIPAA-compliant secure storage.

This "Is OneDrive HIPAA Compliant?" article gives an excellent summary of what Microsoft does and what you should do to comply.