Organising a video conference
Home » Activities » Organising a video conference

Aliuska Duardo (UPV/EHU)

Acknowledgements: The author thankfully acknowledges the useful contributions and comments made by Manuela Battaglini and Jure Lampe in relation to this section.

Without a doubt, video-conferencing has become an essential communication tool at all levels: personal, social, business…, and, of course, its impact is also notable in the field of scientific cooperation.

This resource allows us to plan joint research and cooperation strategies, to benefit from the experience of other colleagues, thereby saving time and travel costs. Today, it is possible to prepare a research proposal at a distance, monitor the development of the project once it has been achieved, and discuss strategies and results, all via video conference.

However, from the point of view of personal data protection, there are two fundamental aspects to be taken into account when organising a video conference: the security and confidentiality of the communications; and the protection of the personal data of those involved in a video conference. In this section, we deal with the issues related personal data protection, when preparing a video conference.

DOs
  • Ask your DPO for recommendations on video conferencing services.
  • In case you have to choose yourself, pay close attention to the provider´s privacy policy.
  • Pay attention to which Direct Personal Data is collected by the provider: You should be suspicious if more data is requested than strictly necessary to provide the service.
  • Be aware of Personal Data Observed collected, and what is the purpose of such gathering.
  • You should always be wary of ambiguous or empty clauses such as: “any data may be collected or disseminated, or retained indefinitely”.
DON’Ts
  • Mobile apps: do not install them without reading the privacy policy.
  • If an app asks you to access content that is not directly related to the service they provide, do not use it.
  • Do not use providers that do not identify in their Privacy Policy the types of data they collect and how they use it.
  • Avoid companies that have a large number of external service providers
Checklist
  • Check if there is a specific platform designated by your institution.
  • Check if your institution has any specific policies in relation to video-conferencing tools.
  • Check the privacy policy before using any tools.

The protection of the personal data of those involved in a video conference

Nowadays the market offers a multitude of tools and platforms that provide tailor-made video conferencing services. They can be free or pay-per-use, and allow people to share work documents and make presentations. It is also possible to choose between traditional videoconferencing that uses specific physical equipment dedicated for the purpose, and more basic systems that simply use software installed on a personal computer. There are, in addition, mobile services in the cloud, where we can hire a video conference service without having to maintain or install the classic video conference infrastructure, simply by connecting to the servers of the provider who is in the cloud. Added services, such as chat tools or virtual whiteboards, are also common.

With so many alternatives on the market, how does one choose the right tool to set up a video conferencing service that respects the privacy of the participants?

Actually, most videoconferencing service providers collect a tremendous amount of personal information in the interest of providing the service, improving the user experience, etc. In addition, all of them usually declare their commitment to respecting personal privacy, so how do you distinguish between companies that really make ethical use of personal data? Or, at least, those with which we run less risk?

Firstly, in case of doubt, it is always recommendable to seek the advice of the Data Protection Officer (DPO) of your institution – university, research centre, etc-.

In case of doubt ask to your centre´s DPO.

It is also important to choose ethical apps that respect both your privacy and that of your contacts. In order to do this, the first thing to do is to review the “Privacy policies”. A privacy policy that is too long and convoluted could be the first indication that we are dealing with a provider with non-transparent data protection practices.

A privacy policy that is too long and convoluted could be the first indication that we are dealing with a provider with non-transparent data protection practices.

In this regard, you should pay attention to which Direct Personal Data is collected by the app. Generally, these tools collect direct personal data provided voluntarily: name, email, telephone number, postal address, credit card number, etc. You should start to doubt if more data is requested than strictly necessary to provide the service. In such a case, there would be a breach of European regulation, and its main principles. Especially, the data minimization principle, whereby no more data can be collected than is strictly necessary to fulfil the purposes stated in the Privacy policy. The principle of purpose limitation will also be at stake. According to this principle, any collected data can only be used for the purpose communicated in the privacy policy; if they are used for another purpose, this must be compatible with the initial one.

What is the “strictly necessary” information? Unfortunately, it’s still a lot:

Type of Information Target Information Notes
User Information Account Valid email address or phone number.
Transaction Information Billing Credit card information, billing email, banking information. for users who choose to purchase a paid version
Transaction Information Location Location at the time of transaction. Also billing address.
Metadata Information User IP address, geographical location,
Metadata Information System Browser type and version, operating system, referral source.
Metadata

Information

Use Length of visit, page views and website navigation paths. As well as information about the timing, frequency and pattern of the service use.
Technical

log data

Service

Access

Internet Protocol (IP) address, the address of the web page visited within the Services,
Technical

log data

Access

Type

Browser type and settings, information about browser configuration and plugins. As well as language preferences and cookie data.
Technical

log data

Use The date and time the Services were used
Device information Device Type of device, unique device identifiers and crash data
Device information System Operating system used, device settings, application IDs

Companies usually handle more information than this we consider “strictly necessary”, but it is important that they offer at least:

  • Clear links to control personal data
  • An easy way to access and deletion of personal data
  • Opt-out choices.

However, the most worrying thing is whether “Personal Data Observed” is collected. Here, we are talking about personal data provided involuntarily from which various types of information can be extracted.

Within this data you can find:

  1. IP addresses, which provide our location.
  2. Device identifiers (together with the IP address, they identify the geographical point where we are).
  3. Actions performed, date and time, frequency, duration, quantity, quality, network connectivity, performance information related to logins, clicks, messages, message reading, contacts, content sharing, calls.
  4. Video usage and screen sharing.
  5. Messages: message content, sender and recipients, date, time and read receipts.
  6. Shared content: files and file names, sizes and types.
  7. Whiteboards: whiteboard content, snapshots and background images (Next).
  8. Status: status information, for example, whether you are active, out of the office, or busy. In other words, with Zoom, we compromise our privacy, that of our contacts, and that of the people with whom we participate in our video conferences.
  9. IP address, browser type, Internet Service Provider (ISP), referring/exit pages, files viewed on your site, such as HTML pages, graphics
  10. Operating system, date and/or clickstream data for aggregate trend analysis and website and/or Product management.

At the same time, a non-transparent app frequently has a number of external service providers, and it is often unclear as to who they are, what the legal basis for data processing is, and most worryingly, if they are automatically collecting information through cookies and tracking technologies, without having asked your permission directly. In this case, not only is the legitimacy of the use of the data questionable, but there is also a risk of use incompatible with the purposes notified in the privacy policy.

You should always be wary of ambiguous or empty clauses such as: “any data may be collected or disseminated, or retained indefinitely” or “we collect your data in order to improve your user experience”.

Another issue to consider, when choosing a video conferencing service, is to check the length of time our data will be stored. According to the Principle of storage limitation, this period has to be clearly specified.

Skip to content