Aliuska Duardo (UPV/EHU)
Acknowledgements: The author thankfully acknowledges the useful contributions and comments made by Manuela Battaglini and Jure Lampe in relation to this section.
Without a doubt, video-conferencing has become an essential communication tool at all levels: personal, social, business…, and, of course, its impact is also notable in the field of scientific cooperation.
This resource allows us to plan joint research and cooperation strategies, to benefit from the experience of other colleagues, thereby saving time and travel costs. Today, it is possible to prepare a research proposal at a distance, monitor the development of the project once it has been achieved, and discuss strategies and results, all via video conference.
However, from the point of view of personal data protection, there are two fundamental aspects to be taken into account when organising a video conference: the security and confidentiality of the communications; and the protection of the personal data of those involved in a video conference. In this section, we deal with the issues related to personal data protection when preparing a video conference.
The protection of the personal data of those involved in a video conference
Nowadays the market offers a multitude of tools and platforms that provide tailor-made video conferencing services. They can be free or pay-per-use, and allow people to share work documents and make presentations. It is also possible to choose between traditional videoconferencing that uses specific physical equipment dedicated for the purpose, and more basic systems that simply use software installed on a personal computer. There are, in addition, mobile services in the cloud, where we can hire a video conference service without having to maintain or install the classic video conference infrastructure, simply by connecting to the servers of the provider who is in the cloud. Added services, such as chat tools or virtual whiteboards, are also common.
With so many alternatives on the market, how does one choose the right tool to set up a video conferencing service that respects the privacy of the participants?
Actually, most videoconferencing service providers collect a tremendous amount of personal information in the interest of providing the service, improving the user experience, etc. In addition, all of them usually declare their commitment to respecting personal privacy, so how do you distinguish between companies that really make ethical use of personal data? Or, at least, those with which we run less risk?
Firstly, in case of doubt, it is always advisable to seek the advice of the Data Protection Officer (DPO) of your institution (university, research centre, etc.).
In case of doubt, ask your centre's DPO.
It is also important to choose ethical apps that respect both your privacy and that of your contacts. In order to do this, the first thing to do is to review the “Privacy policies”. A privacy policy that is too long and convoluted could be the first indication that we are dealing with a provider with non-transparent data protection practices.
In this regard, you should pay attention to which Direct Personal Data is collected by the app. Generally, these tools collect direct personal data provided voluntarily: name, email, telephone number, postal address, credit card number, etc. You should start to doubt if more data is requested than strictly necessary to provide the service. In such a case, there would be a breach of European regulation and its main principles, especially the data minimization principle, whereby no more data can be collected than is strictly necessary to fulfil the purposes stated in the privacy policy. The principle of purpose limitation will also be at stake. According to this principle, any collected data can only be used for the purpose communicated in the privacy policy; if the data are used for another purpose, this must be compatible with the initial one.
What is the “strictly necessary” information? Unfortunately, it’s still a lot:
Type of Information | Target | Information | Notes |
User Information | Account | Valid email address or phone number. | |
Transaction Information | Billing | Credit card information, billing email, banking information. | For users who choose to purchase a paid version. |
Transaction Information | Location | Location at the time of transaction. | Also billing address. |
Metadata Information | User | IP address, geographical location. | |
Metadata Information | System | Browser type and version, operating system, referral source. | |
Metadata Information | Use | Length of visit, page views and website navigation paths. | As well as information about the timing, frequency and pattern of the service use. |
Technical log data | Service Access | Internet Protocol (IP) address, the address of the web page visited within the Services. | |
Technical log data | Access Type | Browser type and settings, information about browser configuration and plugins. | As well as language preferences and cookie data. |
Technical log data | Use | The date and time the Services were used. | |
Device information | Device | Type of device, unique device identifiers and crash data. | |
Device information | System | Operating system used, device settings, application IDs. | |
Companies usually handle more information than what we consider “strictly necessary”, but it is important that they offer at least:
- Clear links to control personal data
- An easy way to access and delete personal data
- Opt-out choices.
However, the most worrying thing is whether “Personal Data Observed” is collected. Here, we are talking about personal data provided involuntarily from which various types of information can be extracted.
Within this data you can find:
- IP addresses, which provide our location.
- Device identifiers (together with the IP address, they identify the geographical point where we are).
- Actions performed, date and time, frequency, duration, quantity, quality, network connectivity, performance information related to logins, clicks, messages, message reading, contacts, content sharing, calls.
- Video usage and screen sharing.
- Messages: message content, sender and recipients, date, time and read receipts.
- Shared content: files and file names, sizes and types.
- Whiteboards: whiteboard content, snapshots and background images (Next).
- Status: status information, for example, whether you are active, out of the office, or busy. In other words, with Zoom, we compromise our privacy, that of our contacts, and that of the people with whom we participate in our video conferences.
- IP address, browser type, Internet Service Provider (ISP), referring/exit pages, files viewed on your site, such as HTML pages, graphics
- Operating system, date and/or clickstream data for aggregate trend analysis and website and/or Product management.
At the same time, a non-transparent app frequently has a number of external service providers, and it is often unclear as to who they are, what the legal basis for data processing is, and most worryingly, if they are automatically collecting information through cookies and tracking technologies, without having asked your permission directly. In this case, not only is the legitimacy of the use of the data questionable, but there is also a risk of use incompatible with the purposes notified in the privacy policy.
You should always be wary of ambiguous or empty clauses such as: “any data may be collected or disseminated, or retained indefinitely” or “we collect your data in order to improve your user experience”.
Another issue to consider when choosing a video conferencing service is the length of time our data will be stored. According to the principle of storage limitation, this period has to be clearly specified.