The Data Protection Commission has shared their tips for secure video conferencing.
In light of the recent increase in remote working, necessitated by COVID-19 mitigation measures, as well as the increased numbers keeping in touch online with friends and family, the number of people video-conferencing and video-calling has increased dramatically. This has also resulted in people using apps and services which they might not have used before, or are now using for different reasons – i.e. using an app they usually use for personal purposes now for work purposes or vice versa.
Concerns have been raised about how to use these technologies to keep in touch with colleagues and loved ones in a way that is safe and secure, and ensures an adequate standard of data protection.
Here are some tips to help both individuals and organisations (such as employers who might introduce new or increased videoconferencing arrangements for employees) use these services in a safe manner.
Tips for Individuals
Make sure that the device you use for video-calling has the necessary updates, such as operating system updates (like iOS or android) and software/antivirus updates (and make sure it has antivirus/online security software in the first place).
Try to use services which you know and trust, have done some research on, and/or have been vetted and suggested by your employer, etc., for video-conferencing or video-calling.
Take some time to read over the service’s privacy or data protection policy to be sure who your personal data is being shared with, where it will be stored or processed, and what purposes it will be used for, amongst other information.
Think twice about what permissions for data or sensors you are being asked for: Do you really need to share your location or your list of contacts for instance? What will that data be used for?
If the data protection or privacy information is inadequate or too much information, or access to your device is being sought, you should be wary of sharing personal data with this service, and may want to take further steps, or consider another service.
Ensure your device is used in a safe location, for example keep an eye on what (or who) can be seen from your camera, and be sure to log out, mute, or turn off video, as appropriate, when you leave or take a break.
Consider the data protection and privacy rights of others before you post or share a picture or video of a video-call that contains their image, voice, and/or contact details.
Have a read of the general tips on staying safe online during a pandemic.
If you would like some extra support staying safe online while at home, ICS is now offering free IT security training in the form of an ICDL course. Find out how to sign up here.
Tips for Organisations
Employees should be using your contracted service providers for work related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media details.
Make sure that clear, understandable, and up-to-date organisational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
Where video-conferencing services need to be used for organisational reasons, have a consistent policy regarding which services are used and how, and offer through VPN or remote network access where possible.
Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.
Read DPC guidance on Protecting Personal Data When Working Remotely and our guidance on data security and make sure the points contained within are made clear to employees.