Aliuska Duardo (UPV/EHU)
Acknowledgements: The author gratefully acknowledges the useful contributions and comments made by Manuela Battaglini and Jure Lampe in relation to this section.
Without a doubt, video-conferencing has become an essential communication tool at all levels: personal, social, business…, and, of course, its impact is also notable in the field of scientific cooperation.
This resource allows us to plan joint research and cooperation strategies, to benefit from the experience of other colleagues, thereby saving time and travel costs. Today, it is possible to prepare a research proposal at a distance, monitor the development of the project once it has been achieved, and discuss strategies and results, all via video conference.
However, from the point of view of personal data protection, there are two fundamental aspects to be taken into account when organising a video conference: the security and confidentiality of the communications, and the protection of the personal data of those involved in a video conference. In this section, we deal with the issues related to personal data protection when preparing a video conference.
Nowadays the market offers a multitude of tools and platforms that provide tailor-made video conferencing services. They can be free or pay-per-use, and allow people to share work documents and make presentations. It is also possible to choose between traditional videoconferencing that uses specific physical equipment dedicated for the purpose, and more basic systems that simply use software installed on a personal computer. There are, in addition, mobile services in the cloud, where we can hire a video conference service without having to maintain or install the classic video conference infrastructure, simply by connecting to the servers of the provider who is in the cloud. Added services, such as chat tools or virtual whiteboards, are also common.
With so many alternatives on the market, how does one choose the right tool to set up a video conferencing service that respects the privacy of the participants?
Actually, most videoconferencing service providers collect a tremendous amount of personal information in the interest of providing the service, improving the user experience, etc. In addition, all of them usually declare their commitment to respecting personal privacy, so how do you distinguish between companies that really make ethical use of personal data? Or, at least, those with which we run less risk?
Firstly, in case of doubt, it is always advisable to seek the advice of the Data Protection Officer (DPO) of your institution (university, research centre, etc.).
In case of doubt, ask your centre's DPO.
What is the “strictly necessary” information? Unfortunately, it’s still a lot:
| Type of Information | Target | Information | Notes |
|---|---|---|---|
| User Information | Account | Valid email address or phone number. | |
| Transaction Information | Billing | Credit card information, billing email, banking information. | For users who choose to purchase a paid version. |
| Transaction Information | Location | Location at the time of transaction. | Also billing address. |
| Metadata Information | User | IP address, geographical location. | |
| Metadata Information | System | Browser type and version, operating system, referral source. | |
| | Use | Length of visit, page views and website navigation paths. | As well as information about the timing, frequency and pattern of the service use. |
| | | Internet Protocol (IP) address, the address of the web page visited within the Services. | |
| | | Browser type and settings, information about browser configuration and plugins. | As well as language preferences and cookie data. |
| | Use | The date and time the Services were used. | |
| Device information | Device | Type of device, unique device identifiers and crash data. | |
| Device information | System | Operating system used, device settings, application IDs. | |
Companies usually handle more information than what we consider “strictly necessary”, but it is important that they offer at least:
- Clear links to control personal data
- An easy way to access and delete personal data
- Opt-out choices.
However, the most worrying thing is whether “Personal Data Observed” is collected. Here, we are talking about personal data provided involuntarily from which various types of information can be extracted.
Within this data you can find:
- IP addresses, which provide our location.
- Device identifiers (together with the IP address, they identify the geographical point where we are).
- Actions performed, date and time, frequency, duration, quantity, quality, network connectivity, performance information related to logins, clicks, messages, message reading, contacts, content sharing, calls.
- Video usage and screen sharing.
- Messages: message content, sender and recipients, date, time and read receipts.
- Shared content: files and file names, sizes and types.
- Whiteboards: whiteboard content, snapshots and background images (Next).
- Status: status information, for example, whether you are active, out of the office, or busy. In other words, with Zoom, we compromise our privacy, that of our contacts, and that of the people with whom we participate in our video conferences.
- IP address, browser type, Internet Service Provider (ISP), referring/exit pages, files viewed on your site, such as HTML pages, graphics
- Operating system, date and/or clickstream data for aggregate trend analysis and website and/or Product management.
You should always be wary of ambiguous or empty clauses such as: “any data may be collected or disseminated, or retained indefinitely” or “we collect your data in order to improve your user experience”.
Another issue to consider when choosing a video conferencing service is the length of time our data will be stored. According to the principle of storage limitation, this period has to be clearly specified.