Data Protection Commission publishes tips for video conferencing

With the significant increase in the number of people working from home due to the COVID-19 pandemic, the use of video-conferencing technologies and applications (VC Technology) by businesses for both internal and external meetings has seen a sharp increase. Similarly, there has been a surge in individuals relying on the various VC Technologies available to make sure they can still have their Friday after-work drinks, attend their weekly quiz nights, continue their monthly book clubs or simply stay in touch with family and friends, from a safe, online, distance.

To assist both individuals and organisations with navigating this new online working and socialising way of life, the Irish Data Protection Commission (DPC) has published some tips on how to ensure that any use of this Technology is carried out in a safe manner.

Regardless of how familiar organisations and individuals are with the VC Technology available, their familiarity with whether that VC Technology offers an adequate standard of data protection and security may be another story. This may well be overlooked when setting up an account for yet another video-conferencing app on their personal mobile phone because a friend has recommended it or dialing into another conference call using a different video-conferencing platform sent by an attendee outside their organisation.

Thinking about the safety and protection of your organisation as a whole and the safety and security of your employees’ personal data, your own personal data and that of your family and friends has perhaps never been as critical as in the current worldwide situation.

Organisations should carefully consider and on-board the DPC’s recommendations as much as possible, and ensure that they are communicated clearly to employees.

Recommendations

The DPC recommends that organisations take the following steps to ensure compliance with data protection laws:

  • Where possible, employees should be encouraged to only use the contracted service provider of their organisation for work related communications, which the organisation is satisfied has adequate privacy and security features in place. Where VC Technology needs to be used, organisations should have a consistent policy on which services can be used and how.
  • Work email accounts and contact details should be used for work-related emails involving personal data to reduce security risks and for work-related video-conferencing to reduce unnecessary collection of personal contact details.
  • Employees should be provided with clear, up-to-date, and easily understandable guidance and policies on how to use video-conferencing platforms (including any controls available from the service provider), to help protect their data and security.
  • Organisations should consider implementing additional security controls, such as multi-factor authentication, and limit the use and sharing of data to what is absolutely necessary.
  • Laptops, computers and other devices should be used in safe, private locations, particularly if working with sensitive personal data.
  • Devices should be locked or turned off when not in use.
  • Effective access controls (e.g. multi-factor authentication) and where possible, encryption to restrict access to the device, should be used to minimise the risk if a device is lost or stolen.
  • Where possible, only trusted networks or cloud services should be used, and any locally stored data should be adequately backed up in a secure manner.
  • Paper records should also be used in safe locations, and when not in use should be kept somewhere secure, such as a locked filing cabinet, and disposed of securely. Where special categories of personal data are involved (such as health data) extra care should be taken to ensure their security and confidentiality.
  • Any device being used for accessing VC Technology should have antivirus/online security software and all the necessary updates in place.
  • The VC Technology’s privacy or data protection policy should be read to be sure who personal data is being shared with, where it will be stored and what purposes it will be used for.
  • Thought must be given before permission is granted for a VC Technology to access data and/or access to other information/applications contained on the device.

The DPC has also issued more general guidance on how to protect personal data when working from home, as well as guidance on data security for organisations. The DPC’s tips and guidance serve as an important reminder for organisations and individuals alike of the practical steps that can be taken to protect personal data when using VC Technology.

For more information contact any member of the A&L Goodbody Commercial & Technology team.  

Date published: 29 April 2020