Zoom - Privacy & Security

UFV is prioritizing the security and privacy of all faculty, staff, and students while configuring Zoom's system-wide settings, which will be more restrictive to start. As conversations progress and UFV continues adjusting to adopt recommended practices to balance risk mitigation with meeting community needs, changes may occur to the availability of features and functions. Updates will be published on this page as new details are confirmed.

 

Canadian-Based Hosting

Please note that UFV’s Institutional Zoom Account is hosted in Canada. Therefore if your Zoom session is created and hosted by a UFV Zoom User all data from these sessions will flow through Zoom’s Canadian data centre.

 

FIPPA Compliance

Zoom is FIPPA compliant only if you use it in accordance with the Zoom- How To Guide. You must not require students to create free Zoom accounts, as free Zoom accounts would not fall within UFV’s educational license and those accounts will be hosted on US-based servers. In storing and recording Zoom sessions, you must follow the guidance on this page and the Freedom of Information and Protection of Privacy Act to keep recordings confidential and secure.

 

General considerations

With the recent transition to work-from-home environments for many UFV faculty, staff, and students, please be mindful of the type of content being shared, which is now more likely to include personal environments. Participants have the option of either turning off their camera or using a virtual background to hide their personal environment.

Anyone recording sessions in UFV Zoom is required to meet our privacy obligations under the Freedom of Information and Protection of Privacy Act (FIPPA). We advise against recording sessions using third-party applications or non-UFV Zoom accounts without attendees’ knowledge and/or consent.

All recorded content may be subject to a formal access to information request made under FIPPA.

If you choose to upload a chat transcript for a meeting, please note that all chat content for that meeting, including private chat contents, will be included in the transcript.

For added security, you can configure your meetings to allow only users with Zoom accounts to join your meetings. See our Zoom- How To Guide for more information.

 

Recording meetings in Zoom

UFV strongly recommends that Zoom meetings are not recorded. A major concern that is presented by recording Zoom meetings is the potential that personal information may be discussed  even in meetings where it was not planned that personal information would be discussed. FIPPA requires that UFV present a collection notice to an individual when their personal information is collected. In most cases it would be difficult, if not impossible, to provide a collection notice after the collection of personal information has taken place.

Business units that wish to record a Zoom meeting should ensure that they have an appropriate business rationale to do so. Staff meetings, academic advising sessions, student meetings, job interviews, etc. have not been typically recorded at the University in the past and unless a specific rationale exists to justify a recording, it would not, in general, be appropriate to record such events now. Administrative convenience, or ease of recording meeting minutes or notes, would not be an appropriate rationale to record a Zoom meeting.

In the event a Zoom meeting is recorded, business units should be aware of the following requirements of FIPPA:

  1. The storage of recordings must only be in Canada. While Zoom offers the ability to store recordings locally on an individual’s computer, users must guard against improper storage or sharing (e.g., they cannot be copied/moved to a cloud service, such as Google Drive or Dropbox, because the information would be stored on servers outside of Canada). Consider filing recordings with other related departmental records; do not leave recordings on personal devices.
     
  2. A properly formatted collection notice that clearly defines the business purpose for the collection of personal information, the legal authority for the collection, and the contact information of an UFV officer or employee who can answer questions regarding collection. Zoom does not have any built-in capability of delivering such a collection notice; however, a collection notice could be sent as part of a calendar invitation. Information about collection notices is available here. 

    A sample of a correctly formatted collection notice is as follows: 

    This Zoom meeting will be recorded. As a result, the University of the Fraser Valley (“UFV”) may collect your name, image, voice, and any information shared during the course of the meeting. This recording is made under the authority of the University Act, and s. 26(c) of the Freedom of Information and Protection of Privacy Act. The recording of this meeting and any information shared within it will be used for the purpose of [insert rationale for recording meeting]. Please direct any information about this collection of personal information to [name] at [insert department or business unit] at UFV at [insert phone number of person to answer questions] or [insert email address of person to answer questions].

     
  3. Controlled access. Access to recordings can only be granted to university employees when it is necessary for the performance of their work duties. Sharing of the recordings in the absence of a legitimate business need is not authorized.
     
  4. Consistent use. Participants’ personal information can only be used for the purpose for which it was obtained and compiled or for a use consistent with that purpose. Secondary uses of the recordings are not authorized.

 

Zoom Chat Transcripts 

The chat conversations created during a meeting can be saved by any attendee. This refers to:

  • Chats that are public and can be viewed by anyone in the meeting.
  • Private chats between two attendees.
  • Any attendee can save private chats that took place between other participants after a meeting.
  • Chat transcripts are saved on a user’s local computer by default when downloaded.
  • Please note that participants are required to let others know before saving chat transcripts.

 

Zoom Records Management

University records are potentially created through the use of Zoom (and other chat platforms). Chats and recordings in Zoom should be managed in accordance with UFV’s records management practices. Ensure transitory records are appropriately destroyed when no longer of use on chat platforms (see UFV’s transitory records schedule). The value and content of a record determine its retention, not the format of the record. All records, including transcriptions of chat and recordings, are subject to UFV's records retention schedule (under development). Records should not be stored within chat platforms. See UFV records management resources for guidance.

 

Preventing disruptions from unauthorized attendees

Please note that if a Zoom meeting link is shared publicly, anyone (within or outside of UFV) could potentially enter the meeting. As such, other institutions have reported instances of unintended participants causing disruptions in meetings. For larger meetings/events, some recommended practices are as follows:

Avoid using your Personal Meeting ID (PMI) to host the meeting,

Allow only the host to share their screen and/or approve screen sharing requests from attendees

Get familiar with how to turn off (mute) audio/video for attendees, how to remove attendees, and options under the Security toolbar option. Further suggestions can be found on Zoom's blog.

 

System-wide settings

Default settings that have been implemented across UFV Zoom accounts to reduce privacy and security risks include:

  • Requiring a password to join all meetings.
  • Enabling of the "Waiting Room" feature to allow the host to control who enters the meeting.
  • Muting all participants on entry to a meeting.
  • Disabling of file transfers within chats.
  • Disabling of the ability to allow others to take control of a screen share (remote control).
  • Disabling of the ability to allow others to take control of someone’s camera during a meeting