Uninett Zoom: Facts about GDPR and privacy

• The following text is translated from Uninett's Norwegian website.

The use of video conferencing and video teaching using Zoom has increased dramatically these last few weeks. Many are concerned with GDPR and privacy implications of using this service, and we at Uninett receive many questions. We emphasize that the framework agreement with Zoom provided by Uninett AS complies fully with GDPR and Norwegian privacy laws and regulations.

Please note! Thursday 2 April at 10pm Zoom published an update addressing the vulnerabilities that have received attention the last few days. We recommend that all Zoom users (Microsoft Windows) update their clients. You do this by selecting your profile in the up right corner and clicking ‘Check for updates’.

The following facts apply to Zoom provided by Uninett

• Norwegian universities and university colleges that use Zoom, are provided the service by Uninett AS. 
• Zoom provided by Uninett AS complies with GDPR and Norwegian privcacy laws and regulations.
• Zoom in the U.S. provides a so-called public service. Zoom provided by Uninett AS is not part of this service, but is a closed service regulated through a Nordic framework agreement.
• Data from Zoom users is not stored at Zoom in the U.S. We use dedicated servers in Copenhagen and Stockholm.
• All organizations using Zoom provided by Uninett AS choose how their users should log on. Most us the log-on solution Feide, which is also provided by Uninett AS.
• Private information about users of Zoom provided by Uninett AS is handled inside the EU, in compliance with current data processing agreements. This applies to information necessary for use of the service, such as first name, last name, email address, phone number, position/role etc.
• No credit card information is stored by Zoom provided by Uninett AS. (See above for private information)
• All organizations using Zoom provided by Uninett AS have one or more local administrators.
• Zoom provided by Uninett AS does not enable the option of recording sessions for storage with Zoom USA (cloud recording). Local Zoom administrators have deactivated this feature for their users.
• Zoom provided by Uninett AS does enable so-called local recording. If you record a meeting, attendees are notified of this with a symbol in the video window and in the list of participants. The local administrator can configure Zoom so that all meeting participants have to agree before a meeting can be recorded. The local administrator can also control whether other participants are able to make recordings.
• A risk and vulnerability assessment (ROS) has been carried out for Zoom provided by Uninett. Our customers can also have ROS assessments carried out locally. Contact us at kontakt@uninett.no.
• Zoom has a range of features intended to create safe meetings. Meeting leaders can for example require passwords. They can also lock meetings, so that only invited participants are able to participate (also administrators cannot participate without being invited). All sound and video is encrypted. No one can use meeting rooms created by other users without their permission.
• Zoom has a function called ‘attention tracking’ (normally deactivated). This function notifies the meeting host about whether or not participants keep the Zoom window active when screen-sharing. The meeting host receives no other information from participants’ computers.
• As with other IT services, local Zoom administrators have greater access and insights than normal users. This is necessary in order to ensure sufficient quality of the service, and to assist users. 

Contact
If you have questions, please contact us on kontakt@uninett.no.