As remote working becomes the norm for many businesses, the team at William Fry discusses the data protection issues involved in video conferencing.
The use of video conferencing platforms such as Skype, Microsoft Teams and Zoom has increased significantly with the spread of Covid-19.
This is due to businesses adapting to remote working environments and relying on video conferencing platforms to conduct both internal and external meetings, and individuals seeking to stay connected to relatives and friends following governmental restrictions on physical social interactions.
While these platforms are useful in aiding business continuity and facilitating social intimacy, the rapid uptake has given rise to certain data protection concerns.
These concerns were brought into sharp focus recently when some platforms were reported to have been subject to security attacks affecting many users. Some have announced additional security enhancements that are being made available to users.
In light of these threats, there has been a renewed emphasis on the application of data protection principles to video conferencing. The Data Protection Commission, in recognising the need for specific guidelines, recently published tips for video conferencing, which sets out how businesses should seek to comply with GDPR when utilising these services.
Given the rising concern in this specific area, there are certain steps that businesses and individuals can take to mitigate against security risks when video conferencing.
What should businesses do?
Research supplier options
When engaging third-party suppliers for video conferencing services, businesses should conduct a due diligence exercise and consider the supplier’s level of information security certification, along with the supplier’s reputation, before engaging its services.
They should also consider whether the platform offers end-to-end encryption and ensure that appropriate contractual terms are put in place that contain the data processing clauses set down by GDPR.
Businesses should also consider whether to engage suppliers whose servers are located within the EU to avoid having to implement additional safeguards where personal data is being transferred outside the EU.
Improve employee awareness
To improve employee awareness and standard practices, it is recommended that businesses ensure that employees are using the approved and contracted video conferencing platform provided by the business and not informal channels or personal accounts when discussing work-related matters.
Businesses should also implement a clear procedure for video conferencing that is easily accessible to all employees and, if one already exists, consider recirculating it.
Employers should periodically review the video conferencing software in use and, where necessary, ensure the software is updated to avail of enhanced security features as well as encouraging employees to download antivirus software on all devices in use.
Ensure conference security
When setting up and conducting video conferences, business should restrict access to video calls to those that need to be present for the discussion, remove the meeting ID and password from the conference title to reduce the risk of third parties entering the conference, and ensure any recording of a video conference is communicated clearly to the conference participants before the conference takes place, along with the specific purposes for which the recording will be used or shared.
The GDPR’s transparency requirements mandate that the data subject should be able to determine in advance the scope and consequences of the processing.
What should individuals do?
Separate channels for work and personal use
The Data Protection Commission recommends that social and work-related communication channels are separated to ensure that personal and potentially sensitive information is not captured on company systems, and equally that business-related communications are recorded to company systems rather than employee devices.
Accordingly, individuals should avoid unofficial channels such as WhatsApp or other personal platforms or devices such as iPads and personal phones when video calling for work-related purposes.
They should also use an alternative video conferencing platform to the one provided by their employer for social calls and ensure any device used has all available system updates and antivirus software.
Exercise caution when subscribing to platforms
When subscribing to and using video conferencing platforms for social calls, individuals should be aware of the personal information being requested, assess whether the information is necessary and what its purpose is, and note any permissions granted to the platform and ask whether they are necessary.
Be aware of your physical environment
One of the more invasive features of video conferencing is that it is essentially opening a lens in your home. Because of this, individuals should be careful of what is being captured by the camera and microphone.
When finishing a video call make sure the camera and microphone are turned off, and take into consideration and respect the rights and interests of call participants and those that may feature in the background of the call.
Sharing a screenshot or video taken during a video call may interfere with the individual’s privacy rights, particularly given the relative ease and speed with which this material can be further disseminated.
These best practice guidelines for video conferencing, if followed, can assist in mitigating data protection risks that arise.
While most businesses will be familiar with these platforms, the wider scope and breadth of their use within the business may require organisations to review and update security safeguards and to educate employees on appropriate video conference use and etiquette.
David Cullen is a partner and head of William Fry’s Technology Group. John O’Connor and Leo Moore are both partners in the William Fry Technology Group. Anna Ní Uiginn is an associate in William Fry’s Technology Department, and Jack Feehan is a trainee solicitor at William Fry.
A version of this article originally appeared on the William Fry blog.