Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on Pandemic and Virtual Meetings
I read an article today saying over 7,000 Crown Corporation workers are working from home. In addition, thousands of executive government workers are doing the same. Many in businesses are also working from home. It is amazing how quickly this province was able to switch to an at-home work environment.
Working at home requires workers to talk to one another and there is a need for meetings to occur. Zoom, overnight, has become a way of holding a virtual meeting. There is other software such as Microsoft Teams, Skype video and Google’s Hangout to facilitate virtual meetings.
To get work done, we need to meet. We also will gravitate to the most convenient way of meeting, but decision-makers in public bodies need to consider privacy and security issues.
We have seen some headlines about hackers hacking into a Zoom meeting. Therefore, the first thing we need to consider is this: is our meeting restricted to just those authorized to be there? Organizers need to set things up to ensure the correct settings are in place to prevent intrusion by the unauthorized.
Zoom asks whether you want the session saved. Another decision: will the organizers have the meeting saved? If so, it is a record and at that point, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), The Health Information Protection Act (HIPA) and The Archives and Public Records Management Act come into play. If minutes of a similar meeting are normally kept, then I would suggest the minutes of the virtual meeting need to be kept. If meetings were previously recorded then organizers need to decide whether the virtual meeting will be recorded. If an ordinary meeting or virtual meeting is recorded, that recording becomes a record. Organizers from public bodies need to decide whether the recording is an official record or transitory record under The Archives and Public Records Management Act. If it is an official record, organizers need to arrange for storage and preservation in its electronic filing system. If it is a transitory record, decisions have to be made as to when it is destroyed. If any access request under FOIP, LA FOIP or HIPA is received and the recording of the virtual meeting exists, at that time the record may have to be disclosed under FOIP, LA FOIP or HIPA (subject to appropriate exemptions).
If you are recording the virtual meeting, the question is who is recording it? If it is the service provider, then is it being stored on the service provider’s server? Is that where you want it stored? How do you get that recorded meeting downloaded to your organization’s file records system? Does the provider routinely save/store copies of meeting recordings? Can you ensure that it is deleted off the service provider’s system?
If your meeting has discussion of issues which involve personal information or personal health information, what additional precautions can you take to ensure that information is not being accessed by unauthorized persons?
As a practice, a public body might indicate it does not want the meeting recorded. Can an organization be sure the service provider is not saving a copy anyway? This is why it is also important to understand the risks of working with any particular service provider in advance of using that system. If you do not have the appropriate agreements in place or at least an intimate understanding of the risks and benefits, your meeting sessions could be hijacked, information kept and used for purposes that you did not anticipate, and privacy breaches could occur for which the public body would be responsible.
Organizers need to think carefully about the platform they select for virtual meetings. They will want the one that best protects their confidential information and the one that allows them to comply with FOIP, LA FOIP and HIPA. To assist organizers, here are some questions they should ask before selecting a platform:
- Does the service provider offering the platform reside in Canada or the United States?
- Where geographically is the virtual meeting stored? If it is stored, where is the server located (Canada or the United States)?
- Are virtual meetings going to be recorded and saved and if so, by whom?
- Will your meeting involve possible confidential information? If so, do you want it recorded?
- Who has possession/custody or control of the information?
- If saved, can the organization download the recording into its file management system?
- How long will the service provider retain the recording?
- Can the organization request deletion of the recording at any time?
- Does the service provider share the recording or other information with anyone else? If so, who and under what authority?
- Does the service provider have end-to-end encryption?
- What settings can the organization set to maximize privacy and security?
- Does the organization consider the recording an official record or a transitory record?
- Has the service provider had a privacy or security assessment done by an independent third party? If so, request a copy.
The pandemic has forced many public bodies to embrace the virtual meeting. Once restrictions are lifted, I expect virtual meetings will continue to be a way of doing business. Public bodies should approach virtual meetings and platforms as both a short-term matter and a long-term change. Thus, establishing public body policies regarding virtual meetings is an important step that we should take now.
Ronald J. Kruzeniski
Information and Privacy Commissioner