Videoconferencing privacy and security

Legislation and data residency

Since many video communication platforms store data in the United States, using these platforms in B.C. may not comply with section 30.1 of the Freedom of Information and Protection of Privacy Act (the data residency provision).

Video communication platforms

The video communication platforms that have been approved at a corporate level for use within government are:

• Skype
• Microsoft Teams

If the intended use case involves sensitive information, ministries should seek internal legal advice. Other tools may become available, and employees are encouraged to check here regularly for updated information.

Security best practices and tips

Identify your shared information type

• How sensitive is the information that I will be sharing or processing over my intended platform or tool?
• Is it okay if other people, aside from my intended audience, have access to this information without my knowledge?
• Who would want to steal this information and does my intended platform or tool protect this information from them?
• What are the risks to sharing this information, and is my organization willing to accept those risks to achieve our business objectives? Are there any risks that must be addressed in order to ensure compliance with legislative requirements?

If your information is personal, sensitive or confidential, ensure the tool you are using has sufficient security controls in place to protect the information.

Select a service provider with strong security and privacy measures

• Consider how the service provider responds to privacy breaches and security incidents. Look for a reliable provider who proactively engages their customers to address privacy and security issues
• Be familiar with and comply with the service provider’s customer use and responsibility policy
• Seek advice from your organization’s privacy and security experts and legal advisors before using any tool or agreeing to any terms and conditions. That way, you can avoid inadvertently accepting terms and conditions that breach your organization’s security requirements. For example, if the service provider claims ownership of any recorded conversations, content, metadata or files shared over their platform
• Consider the service provider’s encryption standards. They should be encrypting data while it is in transit and at rest. Strong encryption, such as Transport Layer Security (TLS), is necessary
• Find out what personal and potentially sensitive information the service provider collects about meeting participants. For example, do they collect names, roles, organizations, email addresses, usernames, passwords or the devices used? Learn how the service provider will use this information and let participants know what to disclose during registration
• Use different passwords and credentials than the ones you use for your work accounts
• Compare the privacy and security features offered between providers and between subscription plans. You may discover a paid-for plan offers better security than a free one

Set up a secure video conference or meeting

• Modify the meeting’s settings when the default settings do not meet your organization’s security requirements
• Send invitations securely. Use email or encrypted messaging apps to send links to your meeting. Do not share links or access credentials over public websites or social media
• Update your access credentials periodically to reduce the risk of uninvited guests at your future meetings

Choose a secure physical setting

• Host your video conference from a private location. If you can’t find one, use headphones so that only meeting participants can hear the full discussion
• Consider muting participants. This eliminates background noise and prevents nearby private or confidential discussions from being overheard
• Consider what others can see behind you. Remove or conceal anything that should be kept private. Some video communication tools like MS Teams let you blur the background or use a virtual background
• Check that meeting participants have also secured their physical setting and devices

Limit and monitor meeting participants

• Consider who you allow to join your meeting. You can restrict access by requiring participants to enter a password to join. You can also allow authenticated users only, or registered or domain-verified users only. For example, people whose email addresses include approved domains. On some tools, you can make participants wait in virtual lobbies before they join the meeting
• Watch or listen for cues that someone has joined the meeting. Ask participants to identify themselves when they join by phone. Do not share information if unidentified participants are in your meeting
• Lock the meeting once all participants have joined
• Learn how to eject unwanted participants quickly and prevent them from re-joining
• Invite a participant to co-host the meeting. Having two people in control means you can deal with unwanted participants or content faster

Provide a collection notice, if required, and conduct due diligence whenever personal information will be collected or disclosed

• If a public body is using a video communication tool to collect personal information directly from individuals, then the Freedom of Information and Protection of Privacy Act requires each individual to be informed of:
  • The purpose for which the information is being collected
  • The legal authority for collecting it
  • The title, business address and business telephone number of an officer or employee of the public body who can answer questions about the collection
• If you are using a video communication tool to disclose personal information between public bodies, no collection notice is required; however, there may be other legislative requirements that must be met
• Public bodies are encouraged to conduct appropriate due diligence, including seeking legal advice where appropriate, for use of any video communication platform in situations where personal information will be collected or disclosed, particularly where the platform provider is based in the U.S.

Only share what is appropriate and necessary

• Review your settings for screen sharing, annotation or private messaging, or chat. Limiting or disabling these channels will avert unauthorized content and other distractions
• Share an application rather than the entire screen, if you need to show your screen to others
• Do not click on suspicious links or attachments sent via chat or emails about the platform or tool
• Before you upload or share a document, consider whether it is appropriate. For example, documents where the copyright is owned by a third party should not be shared, unless your organization has a license that permits this
• Notify participants in advance if you will be recording or transcribing the meeting and manage recordings in accordance with your organization’s policies
• Do not use private messaging for confidential information, as hosts may have access to chat logs

Free Zoom and security

When communicating with individuals outside of government, you may be asked to use the free version of Zoom to videoconference. Be aware of the privacy and security vulnerabilities, primarily weak encryption that generally falls short of B.C. government standards. This vulnerability means information is not adequately protected. If you are sharing confidential information, do not use Zoom if you have access to a secure alternative.

Other vulnerabilities include the ability for hackers to steal your Windows login credentials, and for uninvited participants to join and disrupt your Zoom meetings called “Zoombombing.”

It is up to each broader public sector entity to determine whether Zoom is appropriate for use within that organization. Broader public sector entities are encouraged to consult with their privacy and security experts and legal advisors to assess the risks associated with their intended use of Zoom. Where a broader public sector entity has determined that the use of Zoom is appropriate within its organization, the following steps can be taken to improve the security of the free version of Zoom.

General tips

• Use the web version of Zoom on your desktop or laptop
• Ensure the Zoom client app is the current version and regularly check for updates. For more information on installing apps, read the Applications and Software Guide
• Use your full first and last name for your Zoom account. For example,  firstname_lastname, or Jane_Smith. This helps the meeting host verify participants against the invitation list
• Do not use your organization credentials to log into Zoom
• Choose a strong password (see Password Best Practices) and change your password immediately if you think someone may have access to your account
• Do not use the “Personal Meeting ID” option to host events Instead, allow Zoom to automatically generate a random meeting ID for you
• Do not share your meeting link on social media or other public forums, and ask participants not to share the link as well
• Password protect your meeting when possible

Setting up a meeting

• Set screen sharing to “Host Only.” This allows you, as the host, to reject any unwanted content from participants
• Disable “Join Before Host.” Instead, use the “Waiting Room” feature to admit participants and keep out uninvited guests
• Enable “Co-Host” if you (as the host) want to assign moderating duties to other participants
• Be aware of everything your camera can see around you. For example, family photos and sensitive documents

During a meeting

• Verify participants by comparing names against the invitation list
• Lock the meeting once all attendees have joined to prevent uninvited guests
• Disable “Allow Removed Participants to Rejoin”
• Disable “File Transfer” and do not click on links or open attachments
• Do not use Zoom’s cloud storage. You can stream or edit documents that do not have any personal, sensitive or confidential information, but do not upload or save documents onto Zoom’s cloud storage
• Do not record meetings unless necessary and with proper authority under the Freedom of Information and Protection of Privacy Act. If you do record a meeting, save the recording locally and never in Zoom’s cloud storage
• Disclose personal information only if your organization has determined that it is appropriate and lawful to do so, and limit any disclosure of personal information to the minimum amount reasonably necessary for performing your duties as an employee, officer or minister of the public body. In other words, consider what personal information is needed to get the job done and only share that information via Zoom
• Turn off video and/or audio by default when joining a meeting (in Zoom settings) to protect your privacy

Miscellaneous

• Zoom collects account information, including IP addresses, usage analytics, names, email addresses, credit card information for the host account, product interaction analytics, content uploaded provided or created on Zoom, and metadata
• Zoom is based in the United States and may store data outside Canada. Your organization will need to assess whether the use of Zoom, including for meetings that may include the collection and/or disclosure of personal information, is appropriate and lawful

You can find training and tutorials on Zoom’s website in A Message to Our Users.

Use of Zoom in B.C. schools

The B.C. Ministry of Education has secured and funded licences for the enterprise version of Zoom for all K to 12 public and independent schools in B.C. This version of Zoom has many features to enable secure meetings.

Find more information and resources for teachers and school administrators on the ministry’s Keep Learning website.

Contact information

This guidance is not exhaustive. You are encouraged to research the latest updates to ensure protection of information.

• For Broader Public Sector Entities: Privacy and Access Helpline 250-356-1851 privacy.helpline@gov.bc.ca
• For Government Ministries: OCIO.Communications@gov.bc.ca