If your appointment website is for doctors and must collect contact information, you must encrypt stored data.<\/p>\n
At minimum:<\/p>\n
\ud83c\uddfa\ud83c\uddf8 HIPAA<\/strong> (if US healthcare providers)<\/p>\n<\/li>\n \ud83c\uddea\ud83c\uddfa GDPR \/ UK GDPR<\/strong> (if EU\/UK users)<\/p>\n<\/li>\n \ud83c\udde8\ud83c\udde6 PIPEDA<\/strong>, \ud83c\udde6\ud83c\uddfa Privacy Act<\/strong>, etc.<\/p>\n<\/li>\n<\/ul>\n All of them share the same principle:<\/p>\n Use reasonable and appropriate safeguards.<\/strong><\/p>\n<\/blockquote>\n For public-facing medical systems, encryption at rest is considered baseline<\/strong>, not optional.<\/p>\n You should not<\/strong> deploy such a system here without database encryption:<\/p>\n Encryption is not strictly mandatory, but strongly expected<\/strong><\/p>\n<\/li>\n Regulators treat unencrypted personal data as a security failure<\/p>\n<\/li>\n Fines are common after breaches<\/p>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c Not acceptable in practice<\/p>\n Same standard as EU<\/p>\n<\/li>\n ICO expects encryption for stored personal data<\/p>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c Not acceptable<\/p>\n No single privacy law, but:<\/p>\n FTC enforces \u201creasonable security\u201d<\/p>\n<\/li>\n State laws (CA, NY, MA) expect encryption<\/p>\n<\/li>\n Breach notification laws penalize plaintext storage<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c High liability risk<\/p>\n \u201cAppropriate safeguards\u201d required<\/p>\n<\/li>\n Encryption is considered baseline for databases<\/p>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c Not acceptable<\/p>\n Reasonable steps to secure personal data<\/p>\n<\/li>\n Plaintext databases fail audits<\/p>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c Not acceptable<\/p>\n Strong data protection laws<\/p>\n<\/li>\n Encryption considered standard<\/p>\n<\/li>\n<\/ul>\n Verdict:<\/strong> \u274c Not acceptable<\/p>\n Below is a case:<\/p>\n Medical appointment website<\/strong> What the law says<\/strong>, what regulators expect<\/strong>, and real enforcement risk<\/strong>.<\/p>\n Yes.<\/strong> If the site is used by a medical organization<\/strong>, the data is also treated as medical-related personal data<\/strong>, which increases protection requirements.<\/p>\n Is database encryption legally mandatory?<\/p>\n Not explicitly mandatory<\/strong>, but\u2026<\/p>\n Russian law requires:<\/p>\n \u201cNecessary and sufficient organizational and technical measures\u201d<\/p>\n<\/li>\n Protection against unauthorized access, leakage, modification<\/strong><\/p>\n<\/li>\n<\/ul>\n Roskomnadzor guidance and court practice treat encryption as a standard technical measure<\/strong> for internet-facing systems.<\/p>\n \u26a0\ufe0f Formally possible<\/strong>, but high risk<\/strong>, especially if:<\/p>\n Public-facing website<\/p>\n<\/li>\n Medical context<\/p>\n<\/li>\n Cloud or internet-accessible database<\/p>\n<\/li>\n<\/ul>\n After a breach, unencrypted storage is routinely considered inadequate protection<\/strong>.<\/p>\n Medical IT systems are expected<\/strong> to encrypt<\/p>\n<\/li>\n Hosting providers and clinics usually require it contractually<\/p>\n<\/li>\n Fines are modest, but service blocking<\/strong> is possible<\/p>\n<\/li>\n<\/ul>\n Verdict (Russia):<\/strong> Yes.<\/strong><\/p>\n Email and phone number = personal data<\/strong> Is encryption explicitly required?<\/p>\n No explicit encryption mandate<\/strong> in the law.<\/p>\n However, the law requires:<\/p>\n \u201cNecessary technical means for protection\u201d<\/p>\n<\/li>\n Prevention of unauthorized access and dissemination<\/p>\n<\/li>\n<\/ul>\n Armenian regulators do not prescribe exact technologies<\/strong>, but rely on a \u201creasonable security\u201d standard<\/strong>.<\/p>\n Can you legally store unencrypted data?<\/p>\n \u2705 Yes, legally possible<\/strong>, if:<\/p>\n Access controls are strong<\/p>\n<\/li>\n HTTPS is used<\/p>\n<\/li>\n Minimal staff access<\/p>\n<\/li>\n Clear internal security policy exists<\/p>\n<\/li>\n<\/ul>\n \u26a0\ufe0f However:<\/p>\n In case of breach, lack of encryption weakens your legal defense<\/p>\n<\/li>\n Medical data increases scrutiny<\/p>\n<\/li>\n<\/ul>\n Enforcement is light<\/strong><\/p>\n<\/li>\n Fines are low<\/p>\n<\/li>\n Focus is usually on absence of any safeguards<\/strong>, not encryption specifics<\/p>\n<\/li>\n<\/ul>\n Verdict (Armenia):<\/strong> Yes.<\/strong><\/p>\n Georgia\u2019s law is now GDPR-aligned<\/strong>.<\/p>\n Email + phone = personal data The law requires:<\/p>\n \u201cAppropriate technical and organizational measures\u201d<\/p>\n<\/li>\n Protection proportionate to risk<\/p>\n<\/li>\n<\/ul>\n The Georgian Personal Data Protection Service explicitly references:<\/p>\n Encryption<\/p>\n<\/li>\n Pseudonymization<\/p>\n<\/li>\n<\/ul>\n as expected safeguards<\/strong> for sensitive or high-risk processing.<\/p>\n \u274c Strongly discouraged<\/strong> and hard to defend<\/strong>, especially for:<\/p>\n Medical appointments<\/p>\n<\/li>\n Internet-facing systems<\/p>\n<\/li>\n<\/ul>\n In a breach, plaintext storage would almost certainly be ruled non-compliant<\/strong>.<\/p>\n Active regulator<\/p>\n<\/li>\n Administrative fines<\/p>\n<\/li>\n Orders to suspend processing<\/p>\n<\/li>\n<\/ul>\n Verdict (Georgia):<\/strong>\n
\u00a0<\/h3>\n
Countries \/ regions where unencrypted storage is explicitly NOT acceptable<\/strong><\/h3>\n
\ud83c\uddea\ud83c\uddfa European Union (GDPR)<\/h3>\n
\n
\n\ud83c\uddec\ud83c\udde7 United Kingdom (UK GDPR)<\/h3>\n
\n
\n\ud83c\uddfa\ud83c\uddf8 United States<\/h3>\n
\n
\n
\n\ud83c\udde8\ud83c\udde6 Canada (PIPEDA)<\/h3>\n
\n
\n\ud83c\udde6\ud83c\uddfa Australia (Privacy Act)<\/h3>\n
\n
\n\ud83c\uddef\ud83c\uddf5 Japan, \ud83c\uddf0\ud83c\uddf7 South Korea, \ud83c\uddf8\ud83c\uddec Singapore<\/h3>\n
\n
\n
Collects age, sex, email, phone<\/strong>
Uses HTTPS<\/strong>
No database encryption at rest<\/strong><\/p>\n<\/blockquote>\n
\n\ud83c\uddf7\ud83c\uddfa Russia (Federal Law No. 152-FZ \u201cOn Personal Data\u201d)<\/h3>\n
Does the law apply?<\/h5>\n
Email and phone number are personal data<\/strong> under Russian law, even without a name.<\/p>\n\n
Can you legally store unencrypted data?<\/h5>\n
\n
Practical reality in Russia<\/h5>\n
\n
\u26a0\ufe0f Technically possible, practically unsafe<\/em><\/p>\n\ud83c\udde6\ud83c\uddf2 Armenia (Law on Protection of Personal Data, 2015)<\/h3>\n
Does the law apply?<\/h5>\n
Medical appointment context = higher protection expectation<\/strong><\/p>\n\n
\n
\n
Enforcement reality<\/h5>\n
\n
\u2705 Legally possible today<\/em>
\u26a0\ufe0f Weak future-proofing<\/em><\/p>\n\ud83c\uddec\ud83c\uddea Georgia (Law on Personal Data Protection, updated 2023)<\/h3>\n
Does the law apply?<\/h5>\n
Medical services = special category data context<\/strong><\/p>\nIs encryption required?<\/h5>\n
\n
\n
Can you store data unencrypted?<\/h5>\n
\n
Enforcement reality<\/h5>\n
\n
\u274c Not realistically acceptable<\/em><\/p>\nSummary Table\u00a0<\/h5>\n