Is your online training meeting GDPR compliant?


Running online classrooms and meetings presents a very real risk of breaching privacy and data protection legislation in many ways and at multiple levels.

The Coronavirus has led to a huge increase in the use of online learning, classrooms, meetings and webinars. Video conferencing, as it is known, has become mainstream virtually overnight.

Everybody seems to be jumping on the bandwagon and many say nothing will ever be the same again, but what is waiting in the wings?

A few weeks ago I took a call from a trainer friend I know who had been asked by one of his clients, a local council, to move his face-to-face training courses to online delivery. A Skype conference had been called to discuss it further and he wanted to test his system.

I called him last week to ask how he was getting on. He was ecstatic, over the moon and glowing in his praise for video conferencing and online classrooms. “It’s so easy, I don’t have to travel, I record the sessions, I have got rid of the paperwork, I just show the verifier the recordings. It’s brilliant.”

“What about the GDPR, privacy and data protection?” I asked. The reply: the council will have that covered, I don’t need to worry about it. The council may well have it covered; their web site implies they have data protection agreements in place with all suppliers and use impact assessments to protect service users’ privacy.

At the end of the day I wasn’t convinced. I got the impression, rightly or wrongly, that privacy and data protection hadn’t even been thought about in respect of the proposed move to delivering training online.

To be honest I wasn’t overly surprised. Looking at the privacy policies, where you can find them, of other organisations offering online learning, many appear to have paid scant regard to privacy.

Couple poor attention to privacy and data protection with the huge uptake in video conferencing and it becomes pretty clear that trouble is in store.

As we said above, for the unwary, running online classrooms and meetings presents a very real risk of breaching privacy and data protection legislation in many ways and at multiple levels.

The ICO can impose fines of up to 20 million Euro for data breaches but, more worryingly, the “no win no fee” lawyers may well be waiting in the wings too.

To be honest we can understand, but certainly not condone, why people may wish to brush data protection under the carpet. Normal learning and meetings are virtually impossible and video conferencing at first look offers an easy, uncomplicated way to replace them.

But dig deeper into the GDPR, data protection and privacy and a whole raft of potential issues arise.

Below we outline some of the issues anyone planning to run video conferences, online training and meetings needs to consider.

If you don’t understand the questions or know the answers, you need to familiarise yourself with the GDPR or ask your Data Protection Officer to help you complete a privacy impact assessment.

If you identify any lack of knowledge or potential problems with video conferencing, online classrooms and meetings, you will probably have problems elsewhere too. Concrew Training’s courses on GDPR and Privacy Impact Assessments may help. We can even tailor content to reflect the development needed in your own policies and procedures, or incorporate a privacy impact assessment of your video conferencing or online learning into the course.

Online Learning Platforms, Data Controllers and Data Processors
It is very important that those organising meetings, webinars and online learning through video conferencing platforms understand what role the platform is taking in respect of controlling processing.

In very simple terms, the controller takes responsibility for overseeing GDPR compliance and agrees with the processor what they can/cannot do with the data. In the event of a breach the data controller is held liable.

Many online classroom/meeting platforms see themselves as data processors and not as data controllers in the context of their video conferencing service.

This means that the person or organisation hosting the course or the meeting could be deemed responsible for compliance with the GDPR, which may include liability for any illegal processing by the processor. If the platform breaches the GDPR and a user complains, the person/organiser of the course/meeting may be held liable and potentially face a fine of up to 20 million Euro!

Self-Auditing GDPR compliance
These are the sorts of issues and questions we believe you need to consider to make your video conferencing, online learning and virtual meetings GDPR compliant. If you, your colleagues or your data protection officer need a better understanding of GDPR and data protection privacy impact assessments, contact Concrew Training; we deliver training on your premises. Please note the questions below are designed to stimulate thought, not provide a definitive guide on impact assessment.

1. First Steps

  • Have you discussed video conferencing with your data protection officer and clarified that everything you plan to do is GDPR compliant?
    • Can you evidence this?
  • Do you understand the GDPR requirements for data controllers and data processors?
  • Have you completed/recorded the outputs from a Privacy Impact Assessment?
    • Do you know what a privacy impact assessment is and how to complete one for video conferencing scenarios?
    • Did you think about participant disclosures of confidential or inappropriate information?
    • What about information that may be seen via the camera, wall charts etc?


2. Platform/Supplier Compliance

  • Does the platform/supplier you want to use comply with EU data protection legislation?
  • Do they promote themselves as a data controller or data processor?
  • Are their privacy policies acceptable to you?
  • Do you have copies of their privacy policies?
  • Do they share your data with anyone?
    • If so, what?
    • Is it clear and acceptable?
  • What data do they retain/share?
  • Where is the data stored?
    • What about the data that is shared?
    • Does any data go outside of the EU?
      • If so, to where?
      • Can you evidence appropriate data security for every location?
    • Is more data than is strictly necessary being collected, stored or shared?
    • Is the length of time the data is retained for clear and reasonable?
      • Do they detail specific time periods for each type of data?
      • “As long as needed” is poor practice.
    • Do they detail the complaints procedure?
      • Who their data officer is?
      • How they may be contacted?
    • Will you have agreements in place that detail all the information above and below?

NOTE: if you are accessing the platform via a third party supplier, the same questions apply to them equally.

3. User Consent

  • Has every user been told about all the data that is being collected/processed?
    • Are you sure?
      • Do not forget any hidden data, e.g. location, recording, attention tracking, online identifiers etc.
    • Are they using any form of personal profiling?
    • Is profiling data processing explained and consent gained?
    • Do you know what personal profiling is?
  • Do you have the users’ consent to process their data?
    • Do you know what consent means under the GDPR and how to evidence it?
    • Can you evidence consent for all users? That is to say, do you have a specific opt-in record for each user, not generic acceptance?
    • What can each user request happens to their data, at any point in time?
    • Will you be able to supply all data to the user if requested to do so?
    • Will you be able to delete all the user’s data if requested to do so?
    • What about recordings or data that is integral to the system?
    • Do you know what specific categories means under the GDPR?
    • Is any specific category data likely to be shared? Do you have consent?
    • Have all users been made aware of and agreed to the risks associated with online learning and meetings?


4. Your Own Organisation’s Privacy Policy

  • Does your organisation have a published privacy policy?
    • If not why not?
    • Is it current?
  • Is it easy to read and understand?
  • Can it be found easily?
  • Is it supplied to those joining online training/meetings?
  • Does it specifically detail your approach to privacy in respect of online learning, classrooms and meetings etc and the platform/s you may use?
  • Does it highlight the potential risks associated with online learning/classrooms and how you have mitigated them?
  • Does it detail data that is being collected in respect of online classrooms/meetings?
    • How their data may be used?
    • Who will have access to it?
    • How users can request their data be destroyed?
    • How long their data will be retained for?
  • Do they reflect the online learning/meeting platform provider or third party suppliers’ own privacy policies?
    • Where changes are made in the platform provider’s policies, are these updated in your policies without delay?
  • Do you have a clear and easy to follow policy for handling complaints?
  • Do they detail who your data protection officer is?

5. Minimising Risks
Final thoughts: have you minimised all the risks for the user and thus yourself too?

  • Is your video conferencing platform secure?
    • Has it suffered data breaches in the past?
      • If so have these issues been addressed?
    • Does it encrypt data?
  • Do you or will you have policies and procedures in place for joining and behaviour in the classroom/meeting?
    • Are they implemented within the system, e.g. passwords, entrance rooms?
    • Are unacceptable language, equalities, sensitive issues etc covered?
    • Have all users agreed to these policies and procedures?
    • Does the course/meeting leader know how to respond in the event of an issue occurring?

Image credit: WolfVision corporate / telepresence & video conferencing application by WolfVision GmbH used under CC BY 2.0 – GDPR related white font text added. Note Concrew Training does not use or endorse this product nor do we receive any monies for using this image.