Advice on data protection when using video conference services
Dr. Katja Fröhlich
Data Protection Officer of the UR
Please observe the following basics and, as far as possible, configure the corresponding default settings in the videoconferencing software.
Please note: This translation was made with DeepL. No guarantee can be given for the content.
As a rule, please work with the local solutions offered by the ITMZ (as of 30.04.20: "BigBlueButton" and "jitsi"). This ensures that the University of Rostock has full control over the scope and recipients of the processed personal data. Furthermore, it can be ensured that no more data is collected than is necessary to achieve the purpose and that the processed data is not passed on to third parties. The ITMZ also provides continuous and personal support for users. Its employees are "at hand" and can actually be instructed to make certain settings, delete data, etc. in an emergency. And last but not least: the local systems are based on open source software, so errors in the code can be detected by the community and, if necessary, by the ITMZ itself, and fixed where required. None of this applies to external services/software (e.g. "Zoom"), or it applies only partially (e.g. "DFNConf").
Using external (cloud) services/software should therefore only be considered if the above-mentioned on-premise variants are proven not to "work" for technical and/or content reasons. This must be documented.
Of the (theoretically) available external solutions, the staff unit Data Protection and Information Security recommends those services that are provided centrally by the ITMZ and whose IT infrastructure is located entirely in Germany or Europe. "DFNConf" (alone) fulfils these two conditions. If you decide to use this service, the ITMZ will provide you with extensive technical support. In addition, European data protection standards are observed. That is often not the case, or at least not to the required extent, with (web-based) (cloud) services that operate their IT infrastructure mainly outside the EU, which is why the Data Protection and Information Security Unit expressly advises against their use. This applies also, and above all, to the US product "Zoom", which continues to have IT security deficiencies and, moreover, does not sufficiently take into account fundamental aspects of data protection law such as the principles of necessity and minimisation of the processing of personal data (Art. 5 para. 1 lit. c GDPR). One example is the large number of third-party recipients, almost all of them outside the EU, to whom "Zoom" passes on personal data.
- Please make sure that you do not start the videoconferencing software/service automatically when you start the computer.
- Please use a separate password for registering with and logging in to the videoconferencing software/service, not the password associated with your user ID.
- Please make sure that the microphone is automatically muted when entering a VC room.
- Please check your own video image beforehand to see if it contains objects that should not be seen (e.g. confidential information on a pinboard).
- If possible, choose a cryptic Meeting ID or Meeting URL rather than a meaningful one (e.g. your name or your telephone number), so that it cannot be guessed.
- Set a password for entering the meeting room.
- Provide the access data for the meeting only to the planned participants.
- As the host of the meeting, observe the participants. React immediately if an uninvited participant appears.
- Ensure that you keep the videoconferencing software/service (or the browser you are using to join the videoconference) up to date.
- The agreement of all participants is required to record a videoconference.
- If you use a chat channel in the software alongside the video conference, only express yourself in such a way that an accidental publication of the chat would not cause any damage to you or the University of Rostock.
- Before sending invitations to a meeting, please clarify whether the expected contents of the meeting are suitable for the medium. In particular, if consultations on sensitive topics are to be conducted via video conference (e.g. discussions in the personnel area such as job interviews and staff interviews as well as discussions in appointment procedures), you must clarify in advance whether and under what conditions these are permissible.