GW Privacy Office site logo

GW Privacy Office

 

Virtual Meeting and Collaboration Platforms

To ensure the protection of personally identifiable information and to meet privacy regulations requirements, special care needs to be taken when using virtual meeting and collaboration platforms (“virtual tools and technologies”).

The following guidance is offered to you by the GW Privacy Office, in Collaboration with GW IT and it aims to assist in minimizing the risk of accidental personal information disclosure, while using virtual tools and technologies.  

Faculty and Staff should only use virtual tools and technologies that have university approved contracts, as they are privacy compliant (through appropriate privacy terms and conditions) and configured with adequate security and privacy protections.  To protect university non-public information, virtual tools and technologies should be integrated with GW Single-Sign On or two-factor authentication, as well as have the capability for event-specific password protection, encryption and attendance control.

In absence of a contract, virtual tools or technologies should not be used for any university activity where non-public information will be shared.

Information on available university approved virtual tools and technologies can be found on the GW IT Telecommuting page. Additionally, virtual training and personalized guidance on tools and best practices for virtual learning can be found on the Tools for Instructional Continuity page.

Guidelines and Best Practices

To minimize risk of disclosure or breach of non-public data, these guidelines and best practices apply to virtual tools and technologies for administrative operations and virtual learning. Both the organizer (host) and participants should be aware of the privacy risks and exposures that exist when facilitating and participating in online meetings using virtual tools and technologies. 

Be familiar with configurations and settings that minimize privacy risks associated with the use of virtual tools and technologies, such as the difference between public and non-public virtual meeting rooms:

  • Non-Public Meeting Room: If the virtual event will contain content that is sensitive or includes any personal identifiable information (PII or PHI), a non-public meeting room should be used.  A non-public meeting room is one where a one-time password or access code for entry into the meeting room is required; End to end encryption is strongly recommended. All available encryption and privacy modes should always be enabled. Do not record the virtual meeting unless it’s absolutely necessary (e.g. for purposes of records retention or asynchronous learning.) If the meeting is recorded for asynchronous learning purposes, the recording must not be shared outside of the class roster without student consent.
  • Public Meeting Room: If the content will not include any personal identifiable information (deidentified PII or PHI or general administrative or academic content), a public meeting room can be used.  For example, a Webex personal room is a public meeting room unless a password has been enabled. 

The following guidance applies to both non-public and public meeting rooms:

  • Use a 'green room' or 'waiting room' to allow the meeting to begin only after the host joins.

  • Carefully control and monitor who has the ability to invite/share the meeting invite. For example: avoid making the meeting available to anyone with the link.

  • Monitor attendees through a dashboard – identify all generic attendees before meeting begins (e.g. Caller X).  The host should pay attention to all new/late arriving attendees and ask them to identify themselves.  An unauthorized attendee should be expelled or the meeting room may be locked once in progress to prohibit others from joining.
  • Before anyone shares their screen, files or other content, remind them not to share sensitive or personally identifiable information during the meeting inadvertently. 

 

Online Classes

Instructors should be aware of the privacy risks and exposures that exist when hosting online classes and lectures and maintain compliance with FERPA with regards to student's personal information captured via virtual tools and technologies. 

Instructors should be familiar with configurations and settings that minimize privacy risks, such as controlling attendance by not making the meeting available to anyone with the link.  When the online class invite includes a virtual conference link, ensure students do not forward the link to others not in the class, whether by mistake or otherwise.

 

Telehealth Activities

GW Clinics may seek to conduct telehealth activities.  When using virtual meeting applications to provide telehealth services, all state licensing requirements and regulations for health professionals must still be met. If virtual meeting applications will be used for telehealth activities, non-public meeting rooms must be used. This requires the use of a one-time password or access code for entry into the meeting room. End to end encryption is strongly recommended. All available encryption and privacy settings should be enabled. 

 

Recordings

As a general rule, meetings, events, classes, lectures or health sessions should not be recorded without a legitimate business purpose.  

Before recording a virtual meeting or event, you should notify attendees of your intent to record. Provide attendees with details about why you want to record the meeting or event, and ask their consent to the recording being used for that purpose. You may also consider giving attendees the option to participate without having their image and/or voice recorded, such as allowing them to attend with no video or audio, and the option to pose questions only in the text chat window.

Recording class lectures and presentations is helpful for students who have a necessary, temporary absence and can also assist all students in reviewing materials and preparing for exams. 

If a virtual class is being recorded, students in attendance must be notified. If the recordings are only accessible to students in the class, there are no privacy concerns, but if an instructor intends to share the class recording with students outside the recorded class, all student images, names, chat, and other student personal information must be deleted. If all student data is not deleted, students must provide written consent to use or share the recording outside of that class. Further guidance on FERPA compliance when using virtual tools can be found here (in the Photos, Videos and Lecture Recordings section).
Instructors must securely store class recordings in university approved systems and platforms, and dispose of them when no longer needed.
Telehealth virtual sessions can only be recorded if written consent is collected from clients prior to a recording session.  Clients should be notified that the use of third-party applications may introduce potential privacy risks.
Virtual tools and technologies are not approved as university storage systems. Recordings stored in the Virtual Tool (WebEx, Zoom) cloud are automatically deleted, per contract terms and become inaccessible. 
Should there be a business need to retain a meeting, event, class or telehealth session recording, you should save it in a university approved storage system (in accordance with the sensitivity of the information included in the recording, and the storage requirements outlined in the Data Protection Guide) and delete the recordings from the virtual tool's cloud.
As a general rule, recordings should be permanently deleted when no longer needed.
 

Resources

Contacts

Privacy Assistance GW Privacy Office Email us
Technical Assistance GW IT Support Center

Phone: 202-994-4948, Email: [email protected]
Technical Assistance

Instructional Technologies Lab (ITL)

Contact the ITL Lab
Technical Assistance

School Instructional Design Support teams

Contact your department or school for school-specific support options.