NORDUnet Zoom: GDPR and Privacy Facts
The use of video conferencing and teaching via Zoom has grown as a result of the COVID lockdown and the increased need for remote teaching and learning. Many people are concerned about GDPR and privacy issues when using the video service, and NORDUnet receives numerous inquiries on this subject. To address this matter, we have listed privacy-related facts pertaining to the Zoom service, including an outline of what NORDUnet has done to comply with GDPR and European privacy directives.
The following facts apply to Zoom provided by NORDUnet:
• Service Delivery: Colleges and universities in the Nordic countries that use Zoom have this service operated by NORDUnet. The service is provided by the national NREN in each country.
• GDPR compliance: Zoom operated by NORDUnet is GDPR compliant and in accordance with other European privacy directives. This is secured through the individual contracts entered into and the chain of Data Processing and sub-processing agreements: University -> NREN -> NORDUnet -> Zoom -> sub-providers.
• User account data: Data from users of NORDUnet's Zoom service is not stored with Zoom in the United States. The account data is stored in Zoom datacentres in Europe.
We use dedicated servers installed in Copenhagen, Denmark; Stockholm, Sweden; Helsinki, Finland; and Oslo, Norway, for all meetings and meeting data.
• Logging in: All organizations that use Zoom provided by NORDUnet decide for themselves which login solution their users should use. Most use the national identity federation login (SWAMID, FEIDE, HAKA and WAYF), or the local institution's Single Sign-On (SSO) solution directly.
• Personal information: Personal information about users of NORDUnet's Zoom service is processed within the EU in accordance with the applicable data processing agreement. This applies to personal information necessary for using the service, such as first name, last name, email address, role, etc. This information is typically released by the home institution through SAML attributes, using the national identity federation. No credit card details, telephone numbers or other similar information are stored in the Zoom instance provided by NORDUnet. (See the section above for where personal data is stored.)
• Zoom public service: Zoom in the US provides a so-called "public" service. Zoom from NORDUnet is not part of this public service. NORDUnet provides a private Zoom service, regulated by a separate agreement.
• Zoom local administrators: All organizations that use Zoom provided by NORDUnet have one or more local institution administrators. As with other ICT services, local Zoom administrators have a higher degree of access and use of control tools than ordinary users. Such access is necessary to maintain good quality of service and to support users if they need assistance.
• Local recording: NORDUnet's Zoom service allows for local recording. If a meeting is recorded, participants in the meeting are automatically notified with a symbol in the video window and in the attendee list. The local institution administrator can set up Zoom so that all attendees must approve any recordings. The local administrator can also control whether other participants can record the meeting.
• On-prem Cloud recording:
Zoom operated by NORDUnet has support for so-called Cloud Recording.
The Cloud Recordings are processed and stored temporarily on local servers placed in the Zoom zones in the Nordic region.
After the meeting has ended, the recording is transferred to one of the NORDUnet on-prem media management services (Kaltura, MediaSite and Panopto), or directly to the NORDUnet central storage platform, and a download link to retrieve the recording is provided.
The recordings are stored in video/audio format.
- The on-prem Cloud Recording feature must be activated by the local Zoom administrator.
- For integration with the on-prem media management services, the user name/email must be the same in both Zoom and Kaltura/MediaSite/Panopto (the integration with MediaSite and Panopto is currently being finalised).
Further details about the implementation can be found here.
• Public Cloud recording: Zoom operated by NORDUnet does not contractually provide for the option to have meetings recorded with Zoom in the United States, the so-called cloud recording. Local Zoom administrators have been instructed to disable this option for all of their users.
If your license type is set to "Licensed" and you start a cloud recording, this is not covered by a contract nor by the mentioned GDPR regime for the NORDUnet service.
• Safe meetings: Zoom offers a number of mechanisms for creating safe meetings, for example waiting rooms and the possibility for meeting hosts to password protect the meeting. Meeting hosts can also "lock" meetings, so that no one but the invited participants can participate; this also applies to administrators. No one can use meeting rooms created by other users without permission.
You can find more information here: https://explore.zoom.us/en/trust/security/
Or read this guide on how to secure your meetings: https://nordunet.zendesk.com/hc/article_attachments/4407216402706/Securing_Your_Zoom_Meetings.pdf
• Encryption: All video and audio traffic and data are by default encrypted to and from the meeting servers. Real End-to-End encryption is only achievable directly between two meeting participants.
• Data overview