The use of video conferencing platforms such as Skype, Microsoft Teams and Zoom has increased significantly with the spread of COVID-19. This is due to:
- businesses adapting to remote working environments and relying on video conferencing platforms to conduct both internal and external meetings; and
- individuals seeking to stay connected to relatives and friends following governmental restrictions on physical social interactions.
While these platforms are useful in aiding business continuity and facilitating social intimacy, the rapid uptake has given rise to certain data protection concerns. These concerns were brought into sharp focus recently when some platforms were reported to have been subject to security attacks affecting many users. Some have announced additional security enhancements that are being made available to users.
In light of these threats, there has been a renewed emphasis on the application of data protection principles to video conferencing. The Data Protection Commission (the DPC), in recognising the need for specific guidelines, recently published Tips for Video Conferencing, which sets out how businesses should seek to comply with the EU General Data Protection Regulation (the GDPR) when utilising these services.
We have previously set out practical tips to address the Data Protection and Cybersecurity risks presented by the pandemic. Taking into consideration the DPC’s publication and the rising concern for businesses in this specific area, we have summarised below certain steps that businesses and individuals can take to mitigate against security risks when video-conferencing.
Practical Steps for Businesses
1. Do Your Homework on Suppliers
When engaging third party suppliers for video conferencing services, businesses should:
- conduct a due diligence exercise and consider the supplier’s level of information security certification, along with the supplier’s reputation before engaging its services. Businesses should also consider whether the platform offers end-to-end encryption;
- ensure that appropriate contractual terms are put in place that contain the data processing clauses set down by the GDPR; and
- consider whether to engage suppliers whose servers are located within the European Union to avoid having to implement additional safeguards where personal data are being transferred outside the European Union.
2. Improve Employee Awareness
To improve employee awareness and standard practices, it is recommended that businesses:
- ensure that employees are using the approved and contracted video conferencing platform provided by the business and not informal channels or personal accounts when discussing work-related matters;
- implement a clear procedure for video conferencing that is easily accessible to all employees (if such a procedure already exists, consider recirculating it);
- periodically review the video conferencing software in use and, where necessary, ensure the software is updated to avail of enhanced security features; and
- encourage employees to download antivirus software on all devices in use.
3. Ensure Conference Security
Additionally, when setting up and conducting video conferences, business should:
- restrict access to video calls to those that need to be present for the discussion;
- remove the meeting ID and password from the conference title to reduce the risk of third parties entering the conference; and
- ensure any recording of a video conference is communicated clearly to the conference participants before the conference takes place along with the specific purposes for which the recording will be used/shared. The GDPR’s transparency requirements mandate that the data subject should be able to determine in advance the scope and consequences of the processing.
Practical Steps for Individuals
1. Separate Work and Social Communication Channels
The DPC recommends that social and work-related communication channels are separated to ensure that personal (and potentially sensitive) information is not captured on company systems and equally that business-related communications are recorded to company systems rather than employee devices. Accordingly, individuals should:
- avoid unofficial channels such as WhatsApp or other personal platforms or devices (i.e. iPads and individual phones) when video calling for work-related purposes;
- use an alternative video conferencing platform to that provided by your employer for social calls; and
- ensure any device used has all available system updates and antivirus software.
2. Exercise Caution When Subscribing to Platforms
When subscribing to and using video conferencing platforms for social calls, individuals should:
- be aware of the personal information being requested, assess whether the information is necessary and what its purpose is; and
- note any permissions granted to the platform and, ask whether they are necessary.
3. Be Conscious of Your Physical Environment
One of the more invasive features of video conferencing is that it is essentially opening a lens in your home. Accordingly, individuals should:
- be careful of what is being captured by the camera and microphone. When finishing a video call make sure the camera and microphone are turned off/muted; and
- take into consideration and respect the rights and interests of call participants and those that may feature in the background of the call. Sharing a screenshot or video taken during a video call may interfere with the individual’s privacy rights (particularly given the relative ease and speed with which this material can be further disseminated).
These best practice guidelines for video conferencing, if followed, can assist in mitigating data protection risks that arise.
While most businesses will be familiar with these platforms, the wider scope and breadth of their use within the business, may require organisations to review and update security safeguards and to educate employees on appropriate video conference use and etiquette.
We are available to advise businesses with any issues they face. Please contact Anna Ní Uiginn, David Cullen or your usual William Fry contact with any queries. We also have a specific COVID-19 Hub to help you.
Contributed by: Anna Ní Uiginn and Jack Feehan
Follow us on Twitter @WFIDEA and @WilliamFryLaw