1. Where does this apply?
This routine affects all use of Zoom where red data is used, discussed or processed, as per How to classify data and information.
The routine also affects all use of Zoom at UiO where UiO is the Data Controller or has responsibility for the research project. More about the term ?Data Controller?.
Note that using Zoom outside UiO (https://uio.zoom.us/) for red data is prohibited.
2. Prerequisites
2.1 Technical prerequisites
- Use only the UiO version of Zoom, which has UiO users and SSO using Feide, at the address https://uio.zoom.us/
- The party hosting the conversation must only use computer equipment owned and managed by UiO.
- The equipment needs to be approved for storing and processing red data as per the UiO storage guide.
2.2 Other preconditions
- The party hosting the call needs to be thoroughly familiar with this routine, and follow it in its entirety.
- Any exceptions from this routine, or parts of it, need to be approved by the CISO at UiO.
- If recordings are to be made, approval needs to be given in advance by the Data Protection Officer.
- The responsible party needs to make sure all approvals are in place.
- Note: If the conversation is made to replace a physical meeting in a research project, it may trigger the need for notifying the NSD.
3. How to host a zoom-meeting with red data
You must adhere to the following rules whenever you use Zoom to host meetings, lectures, or recordings with red data. The points that specifically address recordings do not apply if recordings are not made.
3.1 Before the conversation, lecture or meeting starts
- The person hosting the event needs to be familiar with Zoom as a tool. You need to test that everything works as expected with no sensitive content. See our guides for using Zoom.
- Do not use your personal Meeting ID. Use a generated Meeting ID. Use the function ?Generate automatically?. Make sure only the intended participants get to know this ID. Note that if you use Outlook or similar tools to invite participants, the invitation itself cannot be public. It must either be made private, or the Meeting ID must be conveyed in another manner.
- Meetings need to be password protected. Passwords for meetings should not be reused, and should only be sent to the intended participants. See our documentation on how to password protect your meeting.
- In order to make sure only the intended participants join the meeting, you need to ?Enable waiting room?. Note that this is different from ?Breakout rooms?. Read how to use the waiting room function.
- If you need to use screen sharing to show text or images, make sure to shut down e-mail, other documents and other programs to minimize the risk of sharing the wrong content.
- Turn off the chat function for the meeting unless it is deemed strictly necessary.
- Prepare relevant information for the participants prior to starting the meeting.
- Make sure sound cannot be heard by people not attending the meeting. Prevent leaking of sound. Use only headphones whenever possible.
- Make sure only the relevant people can physically see the screen during the event.
3.2 Additional rules that apply if recordings are made
- The hosting party needs to be familiar with the rules for recording at UiO.
- Prepare relevant information for the participants prior to starting the meeting.
- See how to record in Zoom.
- Prepare a suitable place for storing the recording on your local computer. See the guide above for making a good choice.
- Give descriptive names for files and folders, so it is easier to maintain a good structure and order. However, you should not give names that can identify people.
- Consider using the function ?Add a timestamp to the recording? to make navigating or editing the finished recording easier.
- Consider using a ?virtual background? to prevent other people, documents or information from being recorded unintentionally.
3.3 During the conversation or recording
- After all participants have been let into the meeting, make sure there are no people present who are not supposed to be there.
- If there are unwanted people present in the meeting, close the meeting immidiately. Notify UiO-CERT about the unwanted incident.
- Ensure that all settings are adjusted and set as intended – for example disabling chat if it is not needed.
- Lock the meeting.
- Some participants may not want to display their real name visually in a recording. If you use screen sharing or chat, consider asking participants to change their name in the meeting.
- If a recording is to be made, give information about this and other relevant issues.
- Inform whether chat will be used or not. Inform whether the chat will be stored or not.
- If something happens or is said during the meeting which needs to be removed afterwards, make a note of the timestamp for easier editing and removal.
- If recordings are not made, but written notes are made – note that the written notes may have the same classification as the conversation.
3.4 After the conversation or recording
- When the conversation is over – stop the recording.
- End the meeting by clicking ?End? and choosing ?End Meeting for All?. This makes sure all participants exit the meeting.
- If a recording was made, the computer may need some time to process the recording. Allow the computer to finish before you close the lid or turn it off.
- Check that the video file has been stored where you intended. Make sure you know where the video file is located.
- Erase any redundant information. For example – delete the sound files if you only need video. If you used the chat function, but it was not needed, delete the transcript.
- Transfer the video file to a suitable permanent storage as soon as possible. Note that all storage and processing of files containing red data should only be done on equipment approved for such use. See the storage guide for more information on what may be stored where.