Data protection in videoconferences – What you need to be aware of
Video conferencing has proven its worth in the pandemic. Nevertheless, videoconferencing raises questions about data protection. The German „Gesellschaft für Datenschutz und Datensicherheit“ has drawn up a checklist that is very useful to follow. Here we explain what you should look out for.
a) Encrypted transmission
End-to-end encryption ensures the greatest security. This means that the transmitted data is already encrypted on the sender’s computer and decrypted on the recipient’s computer. In the meantime, many providers offer such encryption, but some only offer it for an additional charge. Under certain circumstances, however, transport encryption (TLS) is also sufficient, with the theoretical possibility that the service provider has access to unencrypted content. The rule is: the more sensitive the data, the higher the encryption requirements are. At the latest when it comes to special categories of personal data, such as medical video consultations, end-to-end encryption must be required.
b) Selection options for data protection-friendly default settings
It makes sense for the videoconferencing tool used to provide the option of selecting privacy-friendly default settings, i.e. ultimately deselecting functions that collect data but are not necessary for the videoconference. These include, for example, statistical data and evaluations.
c) Sharing with consent
If the screen can be shared, this must only be possible if the participants actively agree to it.
d) No data use by the provider for its own purposes
The provider should not collect data that is not necessary for the provision of the service.
Data collected during the videoconference should be deleted by the system immediately after the conference. This applies to chat histories but also to exchanged files. It also applies to the data of the participants: who took part, for how long and with which contributions. The less the service stores, the better.
f) Blurr possibilities
Video conferencing systems allow insights into a very private area of the employee. To protect employees from this, the systems used should have the option of a blurr effect, which blurs the background, or the option of choosing their own background image.
g) Access restriction
It must be ensured that the videoconference is not accessible to everyone, but only to those who should actually participate. This can be ensured either by a login function or by requiring the organiser’s consent before a participant enters the conference.
h) Information obligations
The provider should fulfil its information obligations in terms of data protection and provide the information in a transparent manner.