The latest Ofcom annual Online Nation report highlights the increase in video conferencing, with more than seven in 10 of the UK population taking part in a video conference at least weekly.
The biggest growth was seen by Zoom, the virtual meeting platform, which grew from 659,000 users to reach 13 million users between January and April 2020 – a rise of almost 2,000%.
The DPO Centre, the UK’s market-leading provider of data protection resources, warns that whilst video conferencing tools have become essential for both employers and employees, like many technologies, the adoption of video conferencing tools can pose a threat to the privacy and security of our communications.
Covid-19 has forced the adoption of video conferencing tools upon many organisations and, consequently, their employees. However, it is still within the power of both parties to secure communications and maintain privacy by ensuring there is good guidance in place.
Many organisations rushed into home working and are now having to retrospectively establish organisational guidance on how to use video conferencing, along with a video conferencing policy that outlines the expectations and requirements on employees. Both employers and employees need to understand the risks involved to avoid future problems. Below are our key tips:
Mitigating risk for companies
Prior to the adoption of a video conferencing tool, your company should consider the following measures/actions:
- Data Protection Impact Assessment: if a video conferencing tool is likely to increase the existing privacy risk inherent during remote communication, such as the transmission or recording of particularly sensitive information on data subjects, then a data protection impact assessment (DPIA) should be performed to understand the impact that the use of such a tool will have on the protection of personal information.
- Terms of Service review: while you may not have the bargaining power to re-negotiate terms of the agreement, you can shop around and review the terms of service agreements offered by different tools to determine which technology best suits your requirements. As the software is acting as a ‘data processor’ on behalf of your organisation, you should ensure there is an adequate data processing agreement in place either as part of the Terms of Service or as an acceptable accompanying document.
- Creation of Staff Guidance: employees should be provided with an organisation’s policy on the use of video conferencing technology, so that they are aware of the measures that have been implemented to protect their personal data and the rules governing usage.
The reality of the last several months has often resulted in the immediate adoption of the most convenient video conferencing tool available. However, the above measures can be performed retrospectively, enabling an organisation to determine whether it should continue using the current video conferencing tool.
Mitigating risk for employees
As an employee you can:
- Know your controls: video conferencing tools often offer end users the option to configure controls that can improve security. As a user of video conferencing tools, you should know what these are. For example, ‘Zoom Bombing’ could have been prevented by following a few simple steps, and using a background image can prevent other personal data being visible during a video call.
- Ensure your home router is not using the default administration password and IP address: many domestic routers, including those from Linksys and Cisco, use default administrator passwords such as “admin” or “cisco”. Worse still, the admin interface can be accessed using the default IP address (i.e. 192.168.1.1). This makes it easy for anyone within range of your router to log in and change your DNS settings, meaning that all your browsing activity (including passwords entered) can be rerouted and recorded without you being aware. You should change your default settings now.
Covid-19 has forced the adoption of video conferencing tools upon many organisations and, consequently, their employees. However, it is still within the power of both parties to secure communications and maintain privacy by following the steps outlined above, i.e. selecting a secure tool; configuring the tool to ensure secure communications; and establishing organisational guidance on the use of the tool. Having a video conferencing policy to outline the expectations and requirements on employees is a key step in ensuring that everyone understands the risks involved.