Important information for Zoom users

This from Gateshead Schools Data Protection Office:

The DPO Team are receiving a lot of enquiries from schools about using Zoom for hosting virtual staff meetings and to deliver virtual lessons to pupils during the lockdown. We would advise you not to use the free Zoom app. There are continuing concerns regarding the security of the application, including:

Whilst Zoom say they are continually working to address privacy and security concerns, due to the risks to the school at this time, the DPO team would not recommend the use of the free app for school meetings or to deliver online lessons on any device – corporate or personal.

Schools considering using Zoom for online staff meetings or to deliver online lessons to pupils are strongly advised not to host a Zoom meeting or online lesson from a free account due to the concerns set out above. School staff, including teachers, should only host a Zoom meeting or online lesson with a paid-for Education Plan.

Participants do not have to use a paid account to dial into a Zoom meeting or online lesson, but if your staff want to host a Zoom meeting or deliver an online lesson to pupils, it is recommended the school purchases a paid-for Education Plan. This will give the school and staff better control over how Zoom is used and includes improved security features to protect individuals and their information.

We have reviewed Zoom’s Global Data Processing Addendum, which forms part of Zoom’s Master Subscription Agreement, Terms of Use and Terms of Service, and it is broadly compliant with GDPR’s data processor prescribed requirements. There will be cost and other contractual implications schools will also need to consider. Advice in relation to pricing and general contractual matters is outside the scope of the DPO Service SLA and schools may wish to seek separate legal advice.

We would ordinarily advise schools considering new methods of communication to carry out a DPIA to identify and assess data protection non-compliance issues and to put in place appropriate risk mitigation measures. However, in these challenging and difficult times, we appreciate schools are considering new ways to communicate with staff and pupils. We think a pragmatic approach is the best way forward and we would advise schools to undertake a light touch assessment to consider and document the data protection, privacy and e-safety risks associated with using Zoom, when deciding whether or not to use the software. We do however have concerns regarding the 500k stolen Zoom user credentials that have recently been discovered on sale to cyber criminals on the dark web, which means individuals and their personal data are potentially at significant risk. It is not known whether any of the 500k Zoom users are UK users. In terms of using Zoom, it is of course the school's ultimate choice as to whether to accept the risk outlined above and if Zoom is important to your school, you may wish to accept the risk. Alternatively, schools may want to consider finding an alternative provider for similar services.

Schools using, or considering using, Zoom’s paid-for education plans should follow the advice set out below and attached to this email to ensure the school and its staff are using Zoom as securely as possible.

    1. Do not use video recording features in Zoom. If you or your staff are using Zoom to meet with an external organisation, for example, a social worker, and they start to record the meeting (you will get a live notification) ask them to stop recording.
    2. Do not use Zoom (even in no record mode) to discuss sensitive personal data such as EHCPs or child protection concerns etc. We have concerns over this function in relation to sensitive meetings about individuals, as the recordings containing this data are then held by Zoom in the cloud, which we are not comfortable with.
    3. The Cabinet Office has produced helpful guidance for Government Depts on how to set up Zoom and use it securely. We’ve attached a copy of the guidance, which you should follow to ensure you are configuring Zoom settings in the most secure way.
    4. Paying Zoom customers can choose which global region their meeting traffic is routed through in the cloud. Given the concerns set out above, the school’s designated Zoom Administrator should ensure they select ‘Europe’ region for routing meeting traffic and ‘uncheck’ all other global data regions.
    5. We would advise introducing guidance on the procedure to be followed by staff when using Zoom to host a meeting or for delivering online lessons. You should ensure that teachers are aware of and follow recommended guidance published by the Children’s Commissioner on what security settings are available for the app and how best to use them – for more information see https://www.childrenscommissioner.gov.uk/coronavirus/keeping-classrooms-safe-online/
    6. Review your acceptable usage policies and guidance to pupils, parents and staff to ensure they suitably safeguard individuals, school information and reputation. You may want to ensure parents are advised not to leave children unattended during a lesson so that if it is ‘zoom bombed’, the parent can quickly disconnect the call as well as the teacher disconnecting it.

We wish to remind schools to contact the DPO team for data protection advice when considering, or before using, any new communication applications.
