Woman making a frame around the sun with her hands at sunrise
Woman making a frame around the sun with her hands at sunrise
Woman making a frame around the sun with her hands at sunrise

Privacy Commissioner Releases Tips for Secure Videoconferencing

May 5, 2020 Privacy Law Bulletin 4 minutes read

It goes without saying that organizations’ use of videoconferencing is at an all-time high as many businesses have converted to remote work. Like all technologies, videoconferencing poses unique cybersecurity and data privacy risks.

Recognizing the surge in videoconferencing, the Office of the Privacy Commissioner of Canada (the “OPC”) has published tips to ensure compliance with privacy laws during videoconferencing. Below is a summary of the OPC’s tips, together with some advice from McMillan’s Privacy and Data Protection team concerning best practices while telecommuting.

Do Your Diligence

Prior to selecting a videoconferencing service, businesses should review the service’s privacy policies and terms of use to understand the service’s privacy and data handling practices. In particular, review and understand how the videoconferencing provider may collect, use and disclose personal information from those who set up an account or participate in a videoconference call. Consider whether these policies and terms of use align with your business’ own privacy policy, contractual terms, and other commitments or obligations with respect to privacy and data handling. Your organization may need to revise its privacy compliance program, including its privacy policy, to permit the use of videoconferencing.

Users of the videoconferencing service should be encouraged to implement and periodically update a unique and complex password when setting up a new account with a videoconferencing service. The OPC recommends that users avoid using social media accounts to sign up for such accounts.

Stay Current

Businesses should stay current on news and publications related to privacy concerns and security vulnerabilities associated with their videoconferencing service of choice.

We recommend establishing a Google alert or other means of tracking updates from reputable sources concerning any reported vulnerabilities or breaches in your videoconferencing software. This will allow an organization to act quickly to install any patches or updates needed, or take other steps to minimize any security risks. We also suggest that organizations update their patch management policy or program to include regular testing, updates and patching for all videoconferencing services.

Videoconferencing users should also be encouraged to periodically review their devices’ permissions and ensure that they are up-to-date.

Limit Participants

Videoconferencing users must make sure that meetings are private and limited to invited participants.

Avoid announcing meetings on social media platforms or websites to prevent uninvited participants from joining the meeting and potentially overhearing private discussions. If possible, ensure that videoconferencing calls are secured with a password, particularly if the meetings involve the discussion of sensitive personal information. Meeting hosts should also disable features such as “join before host” and file transfers to limit security risks.

At the outset of a videoconference, we recommend conducting a quick “roll call”, particularly if there are users dialing in who are not visible onscreen. This can help to crosscheck that everyone who is on the call is meant to be there.

Prevent Overhearing & Oversharing

Where the videoconference is held is also important. Participants should ensure that there is nothing in the background of the call that reveals private information, such as a whiteboard or calendar with confidential notations. If using a web browser, users should open a new window for the call and close all other applications, including email, to ensure that confidential information is not inadvertently disclosed if screen-sharing occurs during the call.

The videoconference should be hosted in a private area, ideally a separate room in one’s home. However, for some employees, taking a call in a private room or completely out of earshot of others in their household may not be possible. At the outset of a videoconference, we therefore recommend that the host ask all users to disclose if they may be within earshot of others in their home during the call. Such users should listen in to the call by headset, and should be encouraged to send any input containing confidential information either by follow-up email, private chat feature or on a separate call when they are in a private space.

Meeting hosts should disable participants’ ability to record a call. Ask attendees to switch off personal home assistants (such as Alexa or Siri) or smart speakers during a video call, as these technologies may be triggered or inadvertently record the call.

Takeaways For Your Business

Given the vulnerability of videoconferencing services to security threats, it is important that organizations adopt the suggestions and best practices developed by the OPC.

However, the above tips should form only a part of a broader effort to address any privacy and cybersecurity vulnerabilities caused by remote working.

Times of crisis give rise to an increased risk of cyberattacks and threats. Threat actors exploit security vulnerabilities, employee distraction and unfamiliarity with new technologies as an opportunity to attempt to unlawfully access sensitive business and personal information. Businesses must emphasize a culture of cybersecurity and compliance with privacy and data protection laws in order to minimize such risks. Providing adequate training and frequent reminders to employees about cyber risks, including the proper use of videoconferencing technologies, is an important step in avoiding data breaches.

While we all eagerly await the day we can connect with our colleagues, clients and customers face-to-face again, many suggest that a rise in working remotely may be here to stay. We advise organizations to act now to develop and implement policies and practices that keep confidential and personal information safe and sound during these unsettled times.

by Kristen Pennington and Chiedza Museredza

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020

Related Publications (5 Posts)

Featured Insight

Ontario’s New Excess Soil Regulations – Construction Contract Implications

Ontario’s new On-Site and Excess Soil Management Regulation, O. Reg 406/19 may impact existing and future construction contracts

Read More
May 5, 2021
Featured Insight

End of the Bellatrix GasEDI Saga Marks Beginning of Market Fallout

The Alberta Court of Appeal's dismissal of Bellatrix's appeal leaves substantial uncertainty for natural gas market and all derivatives counterparties.

Read More
May 5, 2021
Featured Insight

Federal Procurement Update #1: Filing a Complaint at the Canadian International Trade Tribunal: A Sprint Rather than a Marathon

A review of when and how to file a federal procurement complaint to the Canadian International Trade Tribunal (CITT)

Read More
May 5, 2021
Featured Insight

April 30 Update: Amendments to Policy Statement 5 and Policy Statement 6- Extension of the Early Marketing Period in Response to COVID-19

This bulletin outlines the recently announced amendments to Policy Statement 5 and Policy Statement 6 by the Office of the Superintendent of Real Estate.

Read More
Apr 30, 2021
Featured Insight

Ontario to Provide for Temporary Paid Sick Leave

Ontario has announced temporary paid sick leave for all employees. Here is what employers should know.

Read More
Apr 30, 2021