As businesses adjust to working remotely, and people adjust to social distancing, many have turned to online video conferencing programs for virtual meetings with clients or patients, and for catching up with friends and family. Businesses and health information custodians continue to be required to comply with their privacy obligations in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Personal Health Information Protection Act (“PHIPA”). It is important to understand the privacy implications of using these online video conferencing services.
I’m going to focus on Zoom, as this appears to be one of the most popular free services (and the one that I have started using to share a glass of wine with my friends and family). However, the concerns discussed below apply equally to other service providers, although the specifics may differ.
Zoom collects a considerable amount of Personal Data, which it defines as “any data that can be used to identify or is reasonably linkable to a specific person.” Of concern is that Zoom collects Personal Data regardless of whether or not a user has an account. It “may” collect Personal Data within the following categories:
- Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
- Information about your job, such as your title and employer
- Credit/debit card or other payment information
- Facebook profile information (when you use Facebook to log in to its Products or to create an account for its Products)
- General information about your product and service preferences
- Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID such as Unique Device Identifier (UDID), device type, operating system type and version, and client version
- Information about your usage of or other interaction with its Products
- Other information you upload, provide, or create while using the service
Zoom indicates that this Personal Data is collected to provide users with the “best experience with [its] Products.”
The provision of Personal Data for advertising tools would appear to contradict Zoom’s statement in its PIPEDA and PHIPA Whitepaper that there is “no sharing of customer data with third parties”.
Today’s new business reality requires organizations and health information custodians to utilize online video conferencing services in order to continue to operate. However, they cannot ignore their privacy obligations in order to deliver their services. Below are tips on how to utilize online video conferencing tools while protecting client and patient personal information:
- Do not use Facebook to log in to the service. Recommend that clients and patients use an email address to access the service in order to limit the amount of Personal Data collected.
- Obtain consent from your client or patient to utilize online video conferencing to communicate with them, specifically advising them of the collection and possible use of their data by the service provider. Confirm this consent in an email.
- Before recording a meeting, even locally, obtain the participants’ consent to do so.
- Inform your clients and patients that their Personal Data may be stored outside of Canada.
The Lerners privacy law team is able to assist you in understanding the privacy implications of using online video conferencing services.