Video Conferencing – security and data protection

In the dim and distant past, which for the purposes of this blog is any time before March 2020, video conferencing wasn’t widely used by the majority of businesses for their day-to-day communications. I remember preparing for a video conferencing session at a multinational company many years ago: bulky cameras were taken out of cupboards and carefully placed on the boardroom table, cables were plugged into a slightly cut-down version of the Star Trek helm console to control the cameras, and different sound and picture quality options were tried out to get something acceptable. The setup took longer than the video conference!

In 2020, COVID-19 has resulted in the widespread use of video conferencing platforms to communicate internally and with clients and suppliers. Security issues with some platforms seem to have been addressed, but security and data protection concerns remain.

Security

Unauthorised users getting access to meetings, aka ‘Zoom bombing’, is probably the biggest concern. All platforms should allow you to lock down meetings and/or approve who joins, but you may need to enable these settings yourself; ideally, they should be enabled by default when a new meeting is arranged.

If a platform allows you to upload files, take control of another person’s desktop/device, or ‘chat’ with attendees globally or person-to-person, then access to these features needs to be controlled.

A facility to review logs about meetings should also be available if you are serious about security: who joined a meeting, what actions they took, and so on.

The NCSC has produced a useful guide on securing video conferencing platforms.
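To make the controls above concrete, here is an added example (not code from the post or from the NCSC guide) that checks a meeting’s settings against a hardening baseline and reviews a join log for attendees who were not on the approved list and what they did. The setting names, the log line format and the sample values are assumptions for illustration, not any real platform’s API or schema.

```python
# Constructed example: audit meeting settings and a join log against the
# controls discussed above (lock down / approve joiners, control file upload,
# remote control and chat, keep audit logs). All keys, values and the log
# format are assumptions, not a real platform's schema.

# Hardening baseline: what a meeting should look like before it starts.
BASELINE = {
    "waiting_room": True,         # organiser approves who joins
    "lock_when_started": True,    # no unapproved late joiners
    "file_upload": "host_only",   # attendees cannot push files
    "remote_control": "disabled", # nobody takes over another device
    "chat": "host_only",          # chat is controlled, not free-for-all
    "audit_logging": True,        # who joined and what they did is recorded
}


def audit_settings(settings):
    """Return one finding per setting that is weaker than BASELINE."""
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings


def unapproved_activity(log_lines, approved):
    """Parse constructed '<timestamp> <ACTION> <user>' lines and return
    {user: [actions]} for every user who is not on the approved list."""
    activity = {}
    for line in log_lines:
        _timestamp, action, user = line.split(" ", 2)
        if user not in approved:
            activity.setdefault(user, []).append(action)
    return activity


# Constructed sample input: a weak meeting configuration and a short log.
WEAK_SETTINGS = {"waiting_room": False, "lock_when_started": False,
                 "file_upload": "everyone", "remote_control": "enabled",
                 "chat": "everyone", "audit_logging": False}
HARDENED_SETTINGS = dict(BASELINE)
SAMPLE_LOG = [
    "2020-07-01T09:00:02Z JOIN alice@example.com",
    "2020-07-01T09:00:10Z JOIN bob@example.com",
    "2020-07-01T09:03:44Z JOIN unknown-guest-4471",
    "2020-07-01T09:04:01Z SHARE_SCREEN unknown-guest-4471",
]
APPROVED_ATTENDEES = {"alice@example.com", "bob@example.com"}
```

Running `audit_settings(WEAK_SETTINGS)` lists all six weak settings, while the hardened configuration produces no findings, and `unapproved_activity(SAMPLE_LOG, APPROVED_ATTENDEES)` shows the unapproved guest both joining and sharing their screen.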

Data Protection

Images and details about individuals are personal data, so the GDPR principles and other data protection requirements need to be considered. If meetings are recorded, the recordings may need to be considered when someone submits a subject access request.

A Data Protection Impact Assessment (DPIA) will help you determine what personal data is processed, where it is processed (inside or outside the EEA), how long data will be retained, how to support the rights of data subjects, and what the data protection risks are. Recent DPIAs we have been involved with identified more than 15 risks for the platforms being assessed; mitigation measures were already in place for some risks, and new measures were introduced to mitigate the rest. New measures included training for staff on how to set up and manage meetings and on what is and isn’t allowed during meetings (general behaviour and what to put in ‘chat’).

Which platform?

Client requirements

Why start with this? One reason: if your main client(s) do not support the use of some platforms, there is no point considering them for client communications. However, you may not want to dismiss them entirely, as they could be appropriate for internal use. Ask clients if there are any platforms they will not use.

You may find that some clients will ask for your DPIA (see above) when you tell them which platform you plan to use.

Functionality

Identify the functionality you need for different purposes: client and supplier communications, and internal use (small teams and company-wide). Here are some criteria to consider for each one:

  • maximum number of attendees
  • is a camera mandatory to use the platform? (some people may not have them, e.g. not allowed by their company)
  • supports multiple organisers/administrators for a meeting
  • file sharing
  • screen sharing
  • instant messenger chat – global and by person or group of people
  • automatic call transcript generation
  • take control of another attendee’s device
  • record meetings and define where recordings need to be stored
  • admin facilities to lock down access to meetings
  • admin facilities to review logs
  • admin facilities to review uploaded files and text in chats (very useful for dealing with subject access requests)
  • admin facilities to remove recorded meetings and chats after a set period
  • admin facilities to support the rights of data subjects

Selecting the platform(s)

Review the functionality for different purposes against the available platforms to determine which could be suitable. At the time of writing this blog, July 2020, there are more than 20 platforms with different pricing structures.

You may find that multiple platforms are required, e.g. one for company updates to hundreds of people and another for meetings with a limited number of attendees. Trial the ones that are shortlisted to confirm that the required functionality works in a way that is easy to use, and that the costs are acceptable.

Get in touch for assistance on selecting a video conferencing platform or doing a DPIA on them.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462

Image: https://www.flickr.com/photos/95717549@N07/9783799703