UNITED KINGDOM:

The Rise of Video Conferencing – What ICO and NCSC Should Look For

December 11, 2020

Kemp IT law

To print this article, all you need to do is be registered or log in to Mondaq.com.

The coronavirus outbreak has taken advantage of video conferencing, which is spread around the world. For many, it’s still the most important means of keeping in touch with colleagues and customers. Expressing the popularity of the practice, it was recently widely reported that in the three months ended July 31st alone, Zoom’s revenue increased a staggering 355% to $ 663.5 million (£ 496.3 million) during the Profits rose to $ 186 m and its customer growth increased a whopping 458% compared to the same period last year.

However, the increased demand and ubiquitous use of this type of communication has raised some concerns that privacy and security are compromised for convenience. The ability to look into people’s homes and record video and voice calls clearly has privacy and security implications.

In April, Ian Hulme, Director of Assurance for the ICO, published a blog highlighting the top privacy issues businesses should be aware of when using video conferencing1.

First of all, he recommends checking and using the privacy and security settings so that users are transparent, that is, they should know how their data is being processed. Users also need choice and control over how their data is used.

Other suggestions include restricting who can join meetings with passwords, controlling when people can join, and restricting who can share screens during the video conference. The Director of Assurance also suggests that organizations review the way meeting passwords and IDs are shared. These decisions should be made before the meeting starts, and employees should be given clear advice on which settings to use and how.

The ICO also recommends that companies remain vigilant about the risks of video conferencing phishing. This can be in the form of a link or attachment sent through a live chat feature. Therefore, it is recommended that users only click the links and attachments that they expect from meeting participants they recognize.

Companies should also ensure that their privacy policies correctly reflect the use of video conferencing platforms to process personal data. If calls are recorded, this should be taken into account in the policy. It is recommended that attendees receive a short message and a link to the privacy notice on the meeting invite and registration page.

Ensuring that video conferencing software (and indeed all software) is up to date is also mentioned as an effective way of ensuring the security of the system. This includes that updates are applied regularly. If video conferencing is accessed through a web browser, the browser must also be kept up to date.

There should also be an ongoing assessment of the video conferencing tools or services used to ensure that the tool or service is appropriate for the job at hand.

Separately, on April 21, 2020, the NCSC published security guidelines for organizations to select, configure and implement video conferencing services2. As with the ICO blog, this guide emphasizes the need to choose the right service to ensure that the calls and any other data shared in meetings are protected. The guidelines recommend companies:

  • Follow the NCSC’s Cloud Security Principles3 when meetings are sensitive and organizations fully understand the encryption model used by their chosen service provider.
  • Make sure that the service actually works as the service provider describes it.
  • Understand where data is going and who has access to it when cloud-based video conferencing services often store and process data in their data centers in multiple countries;
  • Whenever possible, when deploying and configuring the service, set company-wide defaults and controls, and ensure that the correct settings are applied while balancing user needs with security.
  • give employees clear instructions on how to use videoconferencing safely;
  • Ask staff to test that the service is working before using it for real meetings, and make sure they are familiar with how to mute the microphone and turn off the camera.
  • Ask staff members to keep the details of meeting contributions as confidential as the meeting itself, blurring the background or using a wallpaper for privacy and to see when their webcam is on and when calls are being recorded.
  • Make sure the meeting organizers / hosts consider what features are appropriate for the meeting and whether they should be limited to a subset of attendees. and
  • Make sure organizers and hosts restrict access to meeting details to only attendees.

Footnotes

1 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/video-conferencing-what-to-watch-out-for/

2 https://www.ncsc.gov.uk/guidance/video-conferencing-services-security-guidance-organisations

3 https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles

Originally published December 2020

The content of this article is intended to provide general guidance on the subject. A professional should be obtained about your particular circumstances.

POPULAR ARTICLES ABOUT: UK Privacy Policy