Advice on data protection when using video conference services

Basically, please work with the local solutions offered by the ITMZ (as of 30.04.20: "BigBlueButton" and "jitsi"). This ensures that the University of Rostock has full control over the scope and recipients of the processed personal data. Furthermore, it can be ensured that no more data is collected than necessary to achieve the purpose and that the processed data is not passed on to third parties. The ITMZ also provides continuous and personal support for the users. Employees are "at hand" and can actually be instructed to make certain settings, delete data, etc. in an emergency. And last but not least: The local systems are based on open source software, so that errors in the code can be detected by the community and, if necessary, by the ITMZ itself and, if necessary, closed. All this does not apply to external services/software (e.g. "Zoom") or only partially (e.g. "DFNConf").

Using external (cloud) services/software should therefore only be considered if the above-mentioned on-premise variants are proven not to "work" for technical and/or content reasons. This must be documented.

Regarding the (theoretically) available external solutions, the staff unit Data Protection and Information Security recommends using those services that are provided centrally by the ITMZ and whose IT infrastructure is located entirely in Germany or Europe. "DFNConf" (alone) fulfils these two conditions. If you decide to use this service, the ITMZ will provide you with extensive technical support. In addition, the European data protection standards are observed. The latter is often not the case with (web-based) (cloud) services that operate their IT infrastructure mainly outside the EU, or at least not to the required extent, which is why the Data Protection and Information Security Unit expressly advises against their use. This also and above all concerns the US product "Zoom". This service cannot be used in a privacy-compliant manner.

The Berlin Commissioner for Data Protection and Freedom of Information recently reviewed a whole range of video conferencing services in detail from both a technical and a legal perspective. You can find the handout at the following link: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/orientierungshilfen/2020-BlnBDI-Hinweise_Berliner_Verantwortliche_zu_Anbietern_Videokonferenz-Dienste.pdf. This handout supplements the above recommendations of the Data Protection and Information Security Unit and is intended to make it easier for you to select a suitable video conferencing service.

1. Please make sure that you do not start the videoconferencing software/service automatically when you start the computer.
2. Please use different passwords for registration/login to the videoconferencing software/service and not the password associated with the user ID.
3. Please make sure that the microphone is automatically muted when entering a VC room.
4. Please check your own video image beforehand to see if it contains objects that should not be seen (e.g. confidential information on a pinboard).
5. If possible, choose your Meeting ID or Meeting URL cryptically and not at all verbally (e.g.: your name or your telephone number), so that it cannot be guessed.
6. Provide a password to enter the meeting room.
7. Provide the access data for the meeting only to the planned participants.
8. As the host of the meeting, observe the participants. React immediately if an uninvited participant appears.
9. Ensure that you keep the videoconferencing software/service (or the browser you are using to join the videoconference) up to date.
10. The agreement of all participants is required to record a videoconference.
11. In case you use a chat channel in the software parallel to the video conference, you should only express yourself in such a way that an accidental publication of the chat does not cause any damage to you or the University of Rostock.
12. Please clarify before inviting to a meeting whether the expected contents of the meeting are suitable for the medium. In particular, if consultations on sensitive topics are to be conducted via video conference (e.g. discussions in the personnel area such as job interviews and staff interviews as well as discussions in appointment procedures), you must clarify in advance whether and under what conditions these are permissible.