Articles

There has been a lot of media coverage of the use of Zoom for online meetings during the Covid-19 lockdown. Charities are asking whether it is safe for them to use Zoom and other alternatives for vital communications during the lockdown.

The key issue for charities is to ensure that they maintain security of personal data, so they are not in breach of the General Data Protection Regulation and Data Protection Act 2018 requirements. It is also important to maintain general confidentiality.

The issues raised in respect of Zoom fall into the following broad categories:

• whether Zoom meetings are capable of being hacked;
• whether Zoom meetings are properly encrypted allowing disclosure of confidential information; and
• whether the coding and research undertaken by Zoom in China allows for disclosure of confidential information to foreign governments.

The UK Government advice is that Zoom can be used for general Cabinet meetings, but not for COBRA meetings due to the level of the security matters discussed. Issues of national security would not be discussed on Zoom and bespoke systems would be used to protect the integrity of secure information.

However, due to the media coverage there is a loss of confidence in Zoom and some organisations are introducing restrictions on how it is used, if at all. So, what position should charities take?

The issues of concern are that:

• whilst Zoom maintains encryption of the system, it uses a bespoke encryption which may not meet the end to end encryption standards of other systems – security experts have been able to see a shadow of images shared using zoom, but not the full image;
• it has been possible for people to access meetings to which they have not been invited, usually because the security settings were not adequately set by the meeting organizers; and
• people have been added to meetings automatically without their agreement.

Overall, it is likely to be safe for charities to undertake online meetings on Zoom. However, it is important that charities:

• use a paid for account to establish meetings;
• train people how to use the Zoom system correctly and put security on meetings;
• properly establish Zoom meetings and ensure that where sensitive matters are being discussed that they set security settings so that the meeting is limited only to those invited;
• properly use the waiting room function;
• that the chairperson actively uses the “Participants” tab to ensure that only those people that should be there are present, if someone that is not expected has joined, they should be asked to leave – it is also possible to lock down the meeting to known participants only; and
• ask people to log in using a room when they are by themselves and to seek to limit other people coming into the physical room being used for the meeting.

Without end to end encryption it is possible that someone may be able to access some Zoom meetings by hacking. However, to hack the meetings is a complex, and illegal, act and with the number of meetings taking place the risk to charities – rather than a UK Cabinet meeting – is low.

Zoom does appear to be actively responding to criticism and has changed default settings to make meetings more secure and is working on its encryption fixes. The issue of working in China appears to be a risk mainly for other governments and not charities. Therefore, the risk to charities in using Zoom appears to be low and any risks are outweighed by the need to undertake most communications in a manner in which all participants can actively hear and see the others in the meetings.

Should charities need to be engaged in meetings which are of a sensitive nature, where a matter touches national security an alternative should be used. Fresh accounts should also be used should a person be at risk, such as in any domestic abuse situation. Using Zoom to discuss a service user or to meet with a service user, provided the proper settings are used should not put a charity in breach of its legal duties on data protection or general confidentiality.

As an alternative, where charities are using Microsoft 365, it is likely that they will be able to access Microsoft Teams which does use standard encryption – however, this is not as easy to use and the limits on only being able to see four participants at any one time, making the meeting much more complex. There are also a number of other options which can be considered.

Our conclusion at this time is that for general meetings and discussions which are not of a high-risk nature, there is no legal reason that charities cannot use Zoom. Should the position change we will provide an additional update.

For more information on how Charities are being affected by COVID-19, please click here.