1. Where does this apply?
This routine affects all use of Zoom where red data is used, discussed or processed, as per How to classify data and information.
The routine also affects all use of Zoom at UiO where UiO is the Data Controller or has responsibility for the research project. More about the term ?Data Controller?.
Note that using Zoom outside UiO (https://uio.zoom.us/) for red data is prohibited.
2. Prerequisites
2.1 Technical prerequisites
- Use only the UiO version of Zoom, which has UiO users and SSO using Feide, at the address https://uio.zoom.us/
- The party hosting the conversation must only use computer equipment owned and managed by UiO.
- The equipment needs to be approved for storing and processing red data as per the UiO storage guide.
2.2 Other preconditions
- The party hosting the call needs to be thoroughly familiar with this routine, and follow it in its entirety.
- Any exceptions from this routine, or parts of it, need to be approved by the CISO at UiO.
- If recordings are to be made, approval needs to be given in advance by the Data Protection Officer.
- The responsible party needs to make sure all approvals are in place.
- Note: If the conversation is made to replace a physical meeting in a research project, it may trigger the need for notifying the NSD.
3. How to host a zoom-meeting with red data
You must adhere to the following rules whenever you use Zoom to host meetings, lectures, or recordings with red data. The points that specifically address recordings do not apply if recordings are not made.
3.1 Before the conversation, lecture or meeting starts
- The person hosting the event needs to be familiar with Zoom as a tool. You need to test that everything works as expected with no sensitive content. See our guides for using Zoom.
- Do not use your personal Meeting ID. Use a generated Meeting ID. Use the function ?Generate automatically?. Make sure only the intended participants get to know this ID. Note that if you use Outlook or similar tools to invite participants, the invitation itself cannot be public. It must either be made private, or the Meeting ID must be conveyed in another manner.
- Meetings need to be password protected. Passwords for meetings should not be reused, and should only be sent to the intended participants. See our documentation on how to password protect your meeting.
- In order to make sure only the intended participants join the meeting, you need to ?Enable waiting room?. Note that this is different from ?Breakout rooms?. Read how to use the waiting room function.
- If you need to use screen sharing to show text or images, make sure to shut down e-mail, other documents and other programs to minimize the risk of sharing the wrong content.
- Turn off the chat function for the meeting unless it is deemed strictly necessary.
- Prepare relevant information for the participants prior to starting the meeting.
- Make sur