The Age of Remote Meetings: Privacy Considerations for Video Conferencing.

In the age of remote work meetings, what are the privacy considerations for video conferencing for remote workers and employers?

We are in the age of remote meetings and interactions, as social distancing became our new normal almost overnight. This has brought with it a dependence on video meetings and has made privacy considerations for video conferencing important. It is something we all think about as we hop onto yet another video call, especially having seen news circulating on the issue. Communication technology companies like Zoom have been at the forefront of news and blog articles on the topic of privacy, as increased use has exposed hidden issues and companies are forced to make changes to their policies and software to ensure compliance with national and international privacy regulations. Ian Hulme, the ICO’s Director of Assurance, recently published guidelines and advice on navigating this new normal, the age of remote meetings, for employers, business owners and managers.

Privacy and Security Settings.

One of the most important privacy considerations with regard to video conferencing is that of transparency. As with any other communication, users need to know how their data will be processed and must have choice and control in the matter. Restricted access, passwords and other privacy and security features like controlling who can share screens should be considered and communicated to employees before starting video conferencing.

Phishing Risks

Security can be compromised in video chat through phishing links and live chat features. While many of us are able to identify phishing links sent in emails, some people are being introduced to video conferencing for the first time in this era of remote meetings, or are simply not very familiar with video meetings. They are therefore not aware enough to spot phishing, which may happen through a remote meeting. It is imperative that we remain vigilant against possible phishing by malicious users. Unexpected links should not be followed, especially when coming from an unrecognised source.

Video Conferencing that matches Company Policies.

Ian Hulme, director of Regulatory Assurance at the ICO, advises that video conferencing technology be checked against a company’s policies to make sure that they align. While many organisations quickly find solutions to their sudden need to function remotely, with several employees spread over the city, country or globe, it is important to double-check the tools that we resort to, to make sure that they match organisational policies.

Up-to-date Software.

Keeping up to date with software is one of the most effective security measures that we can take. Outdated software puts our data at risk. If using video conferencing apps, we need to ensure that all available software updates are applied regularly. If accessing video conferencing software through the web browser, the software for the web browser must also be kept up to date to protect data.

As with any business decision, the organisation’s decision on video conferencing solutions should be re-examined from time to time, to make sure that it is aligned with its policies and needs, and with any updates to laws and external policies.

Do you need assistance with the appropriate safeguards and policies that should apply to organisational video conferencing? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.

EDPB adopts Guidelines on the Processing of Health Data for Scientific Research Purposes during COVID-19

In the middle of the COVID-19 outbreak, the EDPB adopted Guidelines on the processing of health data for scientific research purposes to clarify some legal questions.

Considering that life may not return to normal until a COVID-19 vaccine becomes widely available, researchers from across the globe are focusing their efforts on producing results as soon as possible. In this context, questions regarding the application of the GDPR keep arising. The European Data Protection Board (EDPB) has therefore released guidelines on the processing of health data for scientific research purposes with the aim of providing basic guidance.

What is “health data”?

Article 4 (15) GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This meaning also covers the following:

  • Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks, such as the assumption of a person being at high risk for severe illness from COVID-19 because of their medical conditions.
  • Information that becomes health data because of its usage in a specific context, such as information regarding a recent trip to a region affected by COVID-19.

The EDPB points out that “processing for the purpose of scientific research” should be interpreted in a broad manner in line with Recital 159 GDPR.

What is the legal basis for the processing?

According to the GDPR, processing of special categories of personal data is only allowed in some scenarios. The ones that may be more relevant when it comes to the processing of health data for scientific research purposes during the COVID-19 pandemic are the following:

  • The data subject has given explicit consent.
  • Processing relates to personal data which are manifestly made public by the data subject.
  • Processing is necessary for the purposes of preventive or occupational medicine.
  • Processing is necessary for reasons of public interest in the area of public health.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes based on Union or Member State law.

It should be noted also that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”, subject to appropriate safeguards.

Should the data subject be informed?

Pursuant to Articles 13 and 14 GDPR, the data subjects should be informed at the time when personal data is gathered, or “within a reasonable period after obtaining the personal data, but at the latest within one month” where it is not collected from the data subject.

However, considering that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection, the EDPB recommends delivering the information to the data subject within a reasonable period of time before the implementation of the new research project.

There are, however, four exemptions from the information obligation:

  • The data subject already has the information.
  • The provision of such information proves impossible, would involve a disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing. A controller seeking to rely on this exemption should demonstrate the factors that actually prevent it from providing the information to the data subjects or carry out a balancing exercise to assess the effort involved against the potential impact and effects of not providing the information.
  • Obtaining or disclosure is expressly laid down by Union or Member State law. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”.
  • The personal data must remain confidential subject to an obligation of professional secrecy.

What other measures should be taken?

In light of the data minimisation principle, the EDPB deems it essential to specify the research questions and assess the type and amount of data necessary to properly answer them before proceeding. Additionally, the data should be anonymised where possible.

Proportionate storage periods shall be set as well, taking into account criteria such as the length and the purpose of the research.

As for the security measures that should be implemented, together with pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, the EDPS stresses that a data protection impact assessment should be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons”, and notes the importance of data protection officers as a key role that should be involved in the process.

What about the exercise of data subjects’ rights?

Together with the information obligation exemptions addressed above, Article 17 (3) (d) states that the right to erasure “shall not apply to the extent that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing”.

It has to be noted that, in the light of the jurisprudence of the CJEU, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary.

Are international data transfers allowed?

In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception, such as:

  • The data subject has explicitly consented to the proposed transfer.
  • The transfer is necessary for important reasons of public interest. 

It should be noted, however, that repetitive transfers of data to third countries as part of a long-lasting research project in this regard would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.

Are the AI Systems Used for Contact Tracing of COVID-19 Ethical?

Are the AI systems used for contact tracing of COVID-19 ethical? In our latest vlog, we explore the extent to which the use of these systems is ethical, and why.

With many European nations launching the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) to release software code which can be used to create contact tracing apps, tracking the possible transmission of COVID-19, many wonder about the extent to which this would be ethical. The apps in question would use phone Bluetooth signals to track users’ proximity to each other, and would then inform users if they had been in the proximity of someone who had tested positive for the virus. Last week, we explored the use of AI in tracking or preventing the spread of COVID-19. This week, we take a deeper look at the ethical implications of the use of such technology in our society.

According to Article 9 of the GDPR, certain categories of personal data can only be processed under specific circumstances. These special circumstances include things like vital interests and public health. With regard to public health as a condition for processing personal data, this condition is not met merely by virtue of the processing being for reasons of public health interest. According to the Data Protection Act 2018, the processing would also need to be carried out by, or under the responsibility of, a health professional, or by another person who in the circumstances owes the duty of confidentiality under the law. Article 22 of the GDPR states that without the subject’s explicit consent, profiling is only allowed where authorised by Union or Member State law.

With all this considered, the ethics of the AI systems used in the fight against COVID-19 would play a vital role in maintaining accuracy and non-discrimination. While these measures seem to be very helpful right now, for the sake of public health, there lies the risk of these measures persisting beyond the COVID-19 pandemic. In our latest vlog, we explore the ethics of the use of these AI systems.

ICO’s Privacy Considerations for COVID-19 related Data Processing.

ICO’s privacy considerations for COVID-19 related data processing and Google-Apple joint contact tracing technology outlined by the Information Commissioner, Elizabeth Denham.

The ICO’s privacy considerations for COVID-19 were mapped out in a recent blog by the Information Commissioner, Elizabeth Denham, some weeks after their original statement on Coronavirus was released. While the ICO clarified in their initial statement that data protection laws do not get in the way of the use of innovation in a public health crisis, the legal principles of transparency, fairness and proportionality remain relevant. Last week on our blog, we reported that the ICO released a statement on their approach to regulation during the coronavirus pandemic. This week, the ICO has provided us with some more clarity in the face of emerging technology to be used to combat the spread of the virus, specifically geared towards parties who use or intend to use these technologies. This framework is specific and covers a few key aspects of privacy to be met by any initiative, technology or company wishing to gather public data for the sake of fighting this global pandemic, in order to maintain both the trust of the public and their social license.

The ICO’s Privacy Considerations for COVID-19 related Data Processing.

Through the use of a quick Q and A in the recently released blog, the Information Commissioner has outlined her framework for new technologies to ensure that the privacy implications are properly considered. She states that a privacy impact assessment is required, at the very least, to demonstrate how privacy is built into the processor technology. The planned collection and use of personal data must be necessary and proportionate, even while we as a society accept a few limitations on liberty for the protection of public health. App developers are expected to provide users with clear information on how their information is being used, and any applicable options for avoiding processing. Data minimisation continues to be paramount, and there should be ongoing monitoring and evaluation of data processing to ensure it remains necessary and effective. The commissioner also noted in her blog that privacy assessments should be revisited and updated when possible.

ICO also published a formal opinion on privacy considerations of Google and Apple’s joint technology.

As it relates to the contact tracing technology introduced by Google and Apple in a joint venture earlier this month, the ICO has published a formal opinion speaking specifically to the privacy considerations of this technology. This joint initiative is “a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing”, and will utilize apps from public health authorities. In this document outlining the ICO’s formal opinion, the Information Commissioner notes a few key features of this initiative which are paramount to maintaining safe data processing and privacy. The contact tracing framework (CTF) appears to comply with the principle of data minimisation, by not including personal data or using location data. So far, all CTF proposals appear to be voluntary, and any post-diagnosis upload of stored tokens to the app developer requires separate permissions. In addition, users also have the option of disabling Bluetooth on their device, which is the technology used by these apps. They also have the option of disabling or deleting the app altogether. There seem to be several security measures in place for the exchange of information between devices and the upload of information to the app with the CTF.

The commissioner also noted in this document that this CTF technology shows signs of possible evolution beyond its current state and use, and that the risks of development beyond the stated purpose of contact tracing for COVID-19 pandemic response efforts must be kept in mind. Purpose limitation is a core principle of data protection on an international scale, and as such the Information Commissioner will be keeping a close eye on this framework, making sure that it does not fall victim to the phenomenon known as “scope creep”.

According to Cristina Contero Almagro, partner at Aphaia, “these apps should be especially careful with data breaches, as data subjects may be potentially identifiable by matching the encrypted codes with their IP addresses, which are personal data that may be stored in the server”.

 
