Videoconferencing and Recording Meetings
The COVID-19 pandemic has forced many of us to work remotely. As a result, we have quickly adapted to using technologies such as videoconferencing platforms for meetings instead of having such meetings in-person. However, this has also raised new privacy & security risks.
Privacy Laws Still Apply
Even during a pandemic health emergency, the Privacy Commissioner of Canada has reminded us that privacy laws continue to apply. In addition, the Information & Privacy Commissioner of Alberta has posted guidance regarding privacy laws in a pandemic, here. In the Faculty of Medicine & Dentistry ("FoMD"), we are primarily subject to two provincial privacy laws:
- Freedom of Information & Protection of Privacy Act ("FOIP"), which governs "public bodies" such as the University; and
- Health Information Act ("HIA"), which governs "custodians" such as registered physicians and dentists.
Under both laws, we are generally required to only collect, use or disclose the minimum amount of personal or health information necessary for the intended purpose. This remains true when working remotely and using videoconferencing technology, as we will see below.
Videoconferencing
The two University-provisioned videoconferencing platforms available to FoMD members are FoMD Zoom and Google Meets. MedIT has an excellent Help Portal with information you need to securely host or attend an FoMD Zoom meeting. Additional information on using the University's licensed Google Meets and Zoom for Education from the University of Alberta's Chief Information Security Officer can be found at this website.
Reminder: never share IDs and passwords for Zoom accounts - this can represent a significant security risk. MedIT is available to help if you are experiencing FoMD Zoom account issues.
Recording
One feature of these videoconferencing technologies that is different from most in-person meetings is the ability to easily record the sessions. Although recording of a meeting seems extremely convenient, especially for minute-keeping purposes or to allow subsequent review of the discussions, recording meetings may not comply with privacy laws. Before recording a meeting, consider the following:
- Are you collecting more information than is necessary? As described above, we are generally required to collect only the minimum amount of personal information necessary for the intended purpose.
  A video recording captures participants' images, and may also capture other inadvertent information, including their location, nonparticipants viewable in the background, or other documents on their workspaces.
- Would this meeting have been recorded prior to COVID-19? Ask yourself whether the meeting would have been recorded in-person before the COVID-19 pandemic. If not, you likely do not need to record the virtual version of the meeting.
  Alternatively, perhaps in-person meetings previously included audio recordings. If so, ask yourself whether you can simply make an audio-only recording rather than a video recording, so that you are not recording video of meetings simply out of convenience.
- What happens to the recording after the meeting? Many new privacy & security concerns begin once a meeting ends. Some considerations include:
  - Where will the recording be stored? Will the recording be stored on a personal device? What kind of protection is in place on that device? UAPPOL policy requires appropriate security safeguards to be implemented to protect University records and information. This includes, but is not limited to, encryption, proper access controls, appropriate physical security for the device, network security and updated antivirus software.
  - How long will the recording be stored for? If the recording will be used to make a decision about an individual, FOIP requires the University to retain that record for at least one year. It may also be subject to a faculty-specific retention and destruction schedule.
    If you are a custodian under the HIA making recordings, you will need to follow your professional regulatory body's rules regarding retention (e.g. the College of Physicians & Surgeons of Alberta generally requires medical records to be maintained for 10 years from the last date of service).
  - Who will have access to the recording? It is important to maintain access controls over the recording to ensure only those with a need-to-know can access the file. How will such access be discontinued when no longer required?
- Have you provided proper notice under FOIP or HIA? Section 34(2) of FOIP and section 22(3) of the HIA provide that, whenever the University or a custodian collects personal or health information, notice must be provided which includes:
  - The legal authority for the collection
  - How the information will be used
  - The position title, business phone number and business mailing address of an employee or affiliate who can answer questions about the collection.
- The recording may be subject to access requests under FOIP or HIA. If the meeting involves University business, the file of the recording will be a University record. University records are subject to FOIP, meaning that any individual can make an access request for that record, and the University may have to provide it to the applicant.
  This is an important consideration, as it is extremely easy to inadvertently capture offhand comments from meeting participants, or other potentially personal or embarrassing moments. Under FOIP, embarrassment does not preclude access to records.
  For custodians, patients have similar access rights to their own health information under the HIA, including recordings of patient encounters. You must therefore manage such records accordingly.
The foregoing list of considerations is non-exhaustive, but provides examples of the same considerations that have always applied to University activities when capturing images or creating recordings. For the University's full guidance please review the Information & Privacy Office ("IPO") website on photographs and recordings, and the recent update regarding the recording of meetings, here.
Note for Custodians
For custodians seeking to use videoconferencing platforms and who are considering recording patient meetings, the HIA still applies in full force. This includes the requirement to implement appropriate administrative, technical and physical safeguards to protect health information, the requirement to submit Privacy Impact Assessments for new technologies, and the requirement to execute Information Management Agreements with parties providing information support services like the University. Please first review the FoMD's guidance document on this subject, here, and contact your FoMD Health Information Privacy Advisor for additional advice.
Most healthcare providers in the FoMD deliver healthcare services as affiliates of AHS, which has implemented its own instance of Zoom for Healthcare. As such, AHS' policies and guidance on providing virtual healthcare apply. The FoMD Health Information Privacy Advisor can assist in determining which tool you should use if unsure.