Information security in E-meetings
E-meetings refers to all meetings conducted through an e-meeting service (IT tool/software), including situations such as regular operational meetings, lectures, or workplace conversations. Regular work activities can often be replaced by e-meetings, but information security must always be considered.
Summary
- E-meetings are often a suitable and easy way of replacing physical meetings.
- However, you must always consider which activities and what types of information that are appropriate for e-meetings.
- Only services provided by KI shall be used for e-meetings, e.g. Teams and Zoom.
- Regular principles for handling of sensitive information/personal data must be followed.
- There are technical settings for decreasing the risk of unauthorised access to e-meetings, specially important for meetings deemed to contain sensitive information.
Background and conducting your own initial suitability assessment
Replacing ordinary work activities with e-meetings is often appropriate and rather straightforward. “E-meetings” relates to all types of meetings conducted through an e-meeting service, and includes regular operational meetings, lectures, conversations, etc. Note that these instructions primarily target situations where e-meeting services are used for real-time conversations – not e-meetings that are recorded nor e-meetings where previously recorded material is streamed.
A common question is whether meetings can or should be recorded. If recordings were not made previously, then recordings should generally not be made now either. An important reason is the fact that recordings, e.g. recorded lectures, become official documents according to the Swedish openness principle. You should therefore always assess whether the situation can be solved without recording.
If recordings are, nevertheless, made – you must ensure that the processing of personal data that this in fact entails, is necessary and proportionate for its purpose. Individuals being recorded shall always be informed of the processing of personal data (why they are being recorded, how long the recording will be saved, etc.). Prior information also gives participants, if they are to be filmed, an opportunity for placing themselves in a more neutral environment so as to reduce the risk of experienced intrusion of their privacy. Services for e-meetings usually notify participants when a recording is being started. You can find more information on the rights of the data subject here, including their right to information.
Before an e-meeting is conducted, it is vital to apply a security-conscious and risk-based mindset. As a meeting host you need to make an initial suitability assessment of the activities and information involved. Certain activities or types of information may be less appropriate for e-meetings and should, if you choose to proceed, to the furthest extent be protected through security settings. In your assessment you should consider at least these questions:
- Could the meeting contain sensitive information?
- If you proceed with an e-meeting, use recommended security settings for increased protection.
- Participants can still photograph sensitive material being screen shared.
- If you proceed with an e-meeting, use recommended security settings for increased protection.
- Is postponing the meeting an option, without any (too) big operational consequences?
- Thus, devoting occasional physical meeting for dealing with postponed matters, e.g. deemed too sensitive for e-meetings, is still a viable option.
If you are still unsure, talk to your closest supervisor about the appropriateness of conducting an e-meeting. You can also contact the information security team at infosec@ki.se for advice.
Use services supported by KI
As a starting point, e-meetings should be conducted through services provided by KI. Free services are to be avoided as they prevent KI from making any requirements on, or assessments of, the security of the service in question or how it handles KI’s data.
You can find more information about services provided at KI here as well as easy-to-follow manuals. You can also find more information on recommended security settings for each service. As a rule, you should push for KI’s services to be used for e-meetings, also with external parties. This is important as it ensures compliance with the data flow that KI has approved as well as our pre-set security settings. This is done by you hosting the meeting, using KI’s version of the e-meeting service in question.
IT tools and tools for distance teaching
If you work from home or on other premises, you need some IT tools to access KI's resources:
Handling sensitive information and sensitive personal data in e-meetings
E-meeting that will or may contain sensitive information must follow KI’s guidelines. These guidelines and other security rules are found in the Guidelines for information security at KI.
When using e-meeting services, participants’ personal data is automatically processed. This could e.g. involve their first and last names, their username in the service and their IP addresses. If the participants are from KI or any other organization with a corresponding Personal Data Processing Agreement with the service provider in question (e.g. Sunet in the case of Zoom), this is generally no concern – as long as you do not record the meeting. This is because all technical processing of personal data already is regulated in the agreement with the service providers.
If you, on the other hand, are going to discuss sensitive personal data (Personal data is information relating to an identified/identifiable individual (‘data subject’), e.g. names, addresses or social security numbers – even a photo of someone is considered personal data) in an e-meeting, it is important to apply the same approach as you would in other work activities. This means that the principles relating to processing of personal data must be followed. The Guidelines for information security at KI mentioned above also provide rules for handling sensitive personal data.
Sensitive personal data is any information related to one of the special categories in GDPR: Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Health data, Sexual orientation, Genetic data and Biometric data.