Virtual Meeting and Collaboration Platforms
To ensure the protection of personally identifiable information and to meet privacy regulations requirements, special care needs to be taken when using virtual meeting and collaboration platforms (“virtual tools and technologies”).
The following guidance is offered to you by the GW Privacy Office, in Collaboration with GW IT and it aims to assist in minimizing the risk of accidental personal information disclosure, while using virtual tools and technologies.
Faculty and Staff should only use virtual tools and technologies that have university approved contracts, as they are privacy compliant (through appropriate privacy terms and conditions) and configured with adequate security and privacy protections. To protect university non-public information, virtual tools and technologies should be integrated with GW Single-Sign On or two-factor authentication, as well as have the capability for event-specific password protection, encryption and attendance control.
In absence of a contract, virtual tools or technologies should not be used for any university activity where non-public information will be shared.
Information on available university approved virtual tools and technologies can be found on the GW IT Telecommuting page. Additionally, virtual training and personalized guidance on tools and best practices for virtual learning can be found on the Tools for Instructional Continuity page.
Guidelines and Best Practices
To minimize risk of disclosure or breach of non-public data, these guidelines and best practices apply to virtual tools and technologies for administrative operations and virtual learning. Both the organizer (host) and participants should be aware of the privacy risks and exposures that exist when facilitating and participating in online meetings using virtual tools and technologies.
Be familiar with configurations and settings that minimize privacy risks associated with the use of virtual tools and technologies, such as the difference between public and non-public virtual meeting rooms:
- Non-Public Meeting Room: If the virtual event will contain content that is sensitive or includes any personal identifiable information (PII or PHI), a non-public meeting room should be used. A non-public meeting room is one where a one-time password or access code for entry into the meeting room is required; End to end encryption is strongly recommended. All available encryption and privacy modes should always be enabled. Do not record the virtual meeting unless it’s absolutely necessary (e.g. for purposes of records retention or asynchronous learning.) If the meeting is recorded for asynchronous learning purposes, the recording must not be shared outside of the class roster without student consent.
- Public Meeting Room: If the content will not include any personal identifiable information (deidentified PII or PHI or general administrative or academic content), a public meeting room can be used. For example, a Webex personal room is a public meeting room unless a password has been enabled.
The following guidance applies to both non-public and public meeting rooms:
- Use a 'green room' or 'waiting room' to allow the meeting to begin only after the host joins.
Carefully control and monitor who has the ability to invite/share the meeting invite. For example: avoid making the meeting available to anyone with the link.
- Monitor attendees through a dashboard – identify all generic attendees before meeting begins (e.g. Caller X). The host should pay attention to all new/late arriving attendees and ask them to identify themselves. An unauthorized attendee should be expelled or the meeting room may be locked once in progress to prohibit others from joining.
- Before anyone shares their screen, files or other content, remind them not to share sensitive or personally identifiable information during the meeting inadvertently.
Instructors should be aware of the privacy risks and exposures that exist when hosting online classes and lectures and maintain compliance with FERPA with regards to student's personal information captured via virtual tools and technologies.
Instructors should be familiar with configurations and settings that minimize privacy risks, such as controlling attendance by not making the meeting available to anyone with the link. When the online class invite includes a virtual conference link, ensure students do not forward the link to others not in the class, whether by mistake or otherwise.
GW Clinics may seek to conduct telehealth activities. When using virtual meeting applications to provide telehealth services, all state licensing requirements and regulations for health professionals must still be met. If virtual meeting applications will be used for telehealth activities, non-public meeting rooms must be used. This requires the use of a one-time password or access code for entry into the meeting room. End to end encryption is strongly recommended. All available encryption and privacy settings should be enabled.
As a general rule, meetings, events, classes, lectures or health sessions should not be recorded without a legitimate business purpose.
Recording class lectures and presentations is helpful for students who have a necessary, temporary absence and can also assist all students in reviewing materials and preparing for exams.
- End to end encryption
- Use advanced scheduler for additional options when scheduling a WebEx meeting
- Protecting Information while using virtual meeting applications
|GW Privacy Office
|GW IT Support Center
Phone: 202-994-4948, Email: [email protected]
School Instructional Design Support teams
Contact your department or school for school-specific support options.