Last updated: October 1, 2020
Privacy and Security with Zoom
SFU is prioritizing the security and privacy of all faculty, staff, and students while configuring Zoom's system-wide settings, which will be more restrictive to start. As conversations progress and SFU continues adjusting to adopt recommended practices to balance risk mitigation with meeting community needs, changes may occur to the availability of features and functions. Updates will be published on this page as new details are confirmed.
- With the recent transition to work-from-home environments for many SFU faculty, staff, and students, please be mindful of the type of content being shared, which is now more likely to include personal environments. Participants have the option of either turning off their camera or using a virtual background to hide their personal environment.
- Anyone recording sessions in SFU Zoom is required to meet our privacy obligations under the Freedom of Information and Protection of Privacy Act (FIPPA). We advise against recording sessions using third-party applications or non-SFU Zoom accounts without attendees’ knowledge and/or consent.
- All recorded content may be subject to a formal access to information request made under FIPPA.
- For added security, you can configure your meetings to allow only users with Zoom accounts to join your meetings. See instructions at www.sfu.ca/itservices/technical/videoconferencing/zoom/using-zoom/how-to-guides.html
Your participation in a Zoom meeting will result in the disclosure of personal information to Zoom Video Communications. You may consent to this disclosure in one of two ways:
- If you are an SFU student, staff or faculty member, by signing into your SFU Zoom account, you have provided consent as part of the sign-in process.
- If you are a meeting/webinar participant without an SFU Zoom account, you can consent by filling out this form: https://www.surveymonkey.ca/r/zoomprivacy
Recording meetings in Zoom
Privacy considerations for recording
Notable requirements for compliance with FIPPA include:
- The storage of recordings only in Canada. While Zoom offers the ability to store recordings locally on an individual’s computer, users must guard against improper storage or sharing (e.g., they cannot be copied/moved to a cloud service, such as Google Drive or Dropbox, because the information would be stored on servers outside of Canada). Consider filing recordings with other related departmental records; do not leave recordings on personal devices.
- A properly formatted collection notice that clearly defines the business purpose for the collection of personal information, the legal authority for the collection, and the contact information of an SFU officer or employee who can answer questions regarding collection. Zoom does not have any built-in capability of delivering such a collection notice.
- Controlled access. Access to recordings can only be granted to university employees when it is necessary for the performance of their work duties. Sharing of the recordings in the absence of a legitimate business need is not authorized.
- Consistent use. Participants’ personal information can only be used for the purpose for which it was obtained and compiled or for a use consistent with that purpose. Secondary uses of the recordings are not authorized.
- Minimum retention. Recordings containing personal information must be retained for a minimum of one year if they are used to make decisions that directly affect participants. Examples include academic advising sessions, job interviews and exam invigilations.
- Authorized disposal. The University will dispose of recordings only with an approved Records Retention Schedule and Disposal Authority. Departments may or may not have applicable RRSDAs already in place. Visit the Directory of University Records for more information at http://www.sfu.ca/archives2/dur/dur.html.
- A business rationale for the need to record content. Staff meetings, academic advising sessions, job interviews, etc. have not been typically recorded at the University in the past. We strongly advise against recording Zoom sessions for the purposes of administrate convenience or as a means of compiling meeting minutes and notes.
Zoom Chat Transcripts
The chat conversations created during a meeting can be saved by any attendee. This refers to:
- Chats that are public and can be viewed by anyone in the meeting
- Private chats between two attendees
Any attendee can save private chats that took place between other participants after a meeting.
Chat transcripts are saved on a user’s local computer by default when downloaded.
Please note that participants are required to let others know before saving chat transcripts.
Can I record a lecture that I am delivering?
See Privacy and Copyright Guidelines for Instructors for Recording Zoom Lectures for measures to take when recording lectures.
Can I record a staff meeting?
Staff should not record meetings, especially if individual third parties will be discussed (e.g. job candidates, students, members of the public, etc.). If you must record a meeting then you should refrain from disclosing personal details about yourself or third parties. If you need to discuss specific third parties, anonymize the individuals by using pseudonyms (e.g. Applicant 1, Applicant 2, Applicant 3).
Can I record a meeting with a student or other private individual?
When meeting virtually with students or other private individuals using Zoom, you need to inform the individual about how they can anonymize their identity. In addition, we strongly recommend that counsellors, doctors, advisors, and others who are discussing sensitive personal information (e.g., medical history, academic history, disability accommodations, financial history) do not use Zoom's recording feature. Meeting hosts are responsible for notifying participants if they are recording a meeting. Meeting participants will generally hear a notice or see an on-screen notification when recording is in progress.
How do I anonymize my identity when attending a Zoom session?
If you have been invited to a Zoom meeting as an attendee, you can join the Zoom meeting via the web application without signing into a Zoom account. The Zoom web application allows you to use a pseudonym (e.g. first name only or a nickname).
If you prefer to use your SFU Zoom account to participate in sessions, you can change your display name before joining the session. Please note that you will have to make this change every time you sign into SFU Zoom, as your display name will revert to your first and last name with every login.
You can anonymize yourself further by not using the audio and video conferencing features, and by not revealing any personal information about yourself or third parties during online discussions.
Can I change my display name?
Preventing disruptions from unauthorized attendees
Please note that if a Zoom meeting link is shared publicly, anyone (within or outside of SFU) could potentially enter the meeting. As such, other institutions have reported instances of unintended participants causing disruptions in meetings. For larger meetings/events, some recommended practices are as follows:
- Avoid using your Personal Meeting ID (PMI) to host the meeting,
- Allow only the host to share their screen and/or approve screen sharing requests from attendees, and
- Getting familiar with how to turn off (mute) audio/video for attendees, how to remove attendees, and options under the Security toolbar option. Further suggestions can be found on Zoom's blog.
Default settings that have been implemented across SFU Zoom accounts to reduce privacy and security risks include:
- Requiring a password to join all meetings,
- Enabling of the "Waiting Room" feature to allow the host to control who enters the meeting,
- Turning off the usage of profile pictures (only a person’s name will be shown when their camera is off),
- Muting all participants on entry to a meeting,
- Disabling of file transfers within chats,
- Disabling of the ability to allow others to take control of a screen share (remote control),
- Disabling of the ability to allow others to take control of someone’s camera during a meeting, and
- Disabling of the ability to calendars and contacts with Zoom, as this feature requires the entry of your SFU Computing ID and password to establish the sync with SFU Mail.