Note: This guidance is intended primarily to provide broader public sector entities with information on video communications platforms during the COVID-19 pandemic. This information should not be considered exhaustive.
Information for government ministries can be found under the heading “Video Communications Platforms – Information for Government Ministries” below.
This is a rapidly changing space, and you are encouraged to research the latest updates to ensure protection of information.

Getting started

When you can’t meet with your coworkers or clients face-to-face, communicating with them by video can be the next best thing. Fortunately, there are many options available for video communication platforms or tools, many of which can also be used for instant messaging or chat, screen sharing and transferring files.

These options vary by:

  • Cost
  • Compatibility (some may require a download, while others work in a web browser)
  • Capacity (the maximum number of people who can join a meeting)
  • Privacy and security.

Video Communication Options

Options with a star (*) have strong privacy and security features. (Please note this information was current as of May 2020. Service providers may be modifying their service plans and features based on increased demand and changing user needs.)

Skype *

  • Cost: Free
  • Platform: Browser (Edge or Chrome), desktop or mobile
  • Capacity: Up to 50 participants
  • Features: Instant messaging, screensharing, recording calls (stored up to 30 days), no account required for external users

Microsoft Teams *

  • Cost: Free and paid versions (Essentials and Premium), bundled with Microsoft 365
  • Platform: Browser, desktop or mobile app
  • Capacity: Up to 300 participants (free) or 10,000 (paid)
  • Features: Screensharing, instant messaging, recording, document collaboration, user management tools

Cisco Webex

  • Cost: Free and paid versions (Starter, Plus and Business)
  • Platform: Browser, desktop or mobile app
  • Capacity: Up to 100 participants (free) or 200 (paid)
  • Features: Screensharing, whiteboard, mute and remove participants at free level; edit users, recording, and transcriptions at paid levels

Mattermost

  • Cost: Free and paid versions (Enterprise E10 and E20)
  • Platform: Desktop or mobile app
  • Capacity: Unspecified
  • Features: Messaging, screensharing, file sharing, guest accounts, integration with applications

Slack

  • Cost: Free and paid versions (Standard, Plus and Enterprise Grid)
  • Platform: Video calls only via desktop
  • Capacity: 1:1 video calls (free) or up to 15 participants (paid)
  • Features: Screen sharing, streaming, annotations (mostly for desktop), integration for G Suite, Office 365 and others

GoToMeeting

  • Cost: Paid only (Professional, Business and Enterprise)
  • Platform: Browser, desktop or mobile app
  • Capacity: Up to 150 (Professional), 250 (Business), 3000 (Enterprise)
  • Features: Screensharing, recording, transcripts, user management, integration with Microsoft 365, G Suite, Slack and others

Zoom

  • Cost: Free and paid versions (Pro, Business, Enterprise)
  • Platform: Browser, desktop or mobile app
  • Capacity: Up to 100 participants for 40 minutes maximum (free), or up to 100, 300 or 500 participants (paid)
  • Features: Annotation, screensharing, chat, local recording, user management, transcripts

WhatsApp

  • Cost: Free
  • Platform: Desktop or mobile app
  • Capacity: Up to 16 participants; no external users allowed
  • Features: Instant messaging, sharing images and documents

Google Meet

  • Cost: Paid only (Basic, Business and Enterprise)
  • Platform: Browser, desktop or mobile app
  • Capacity: Up to 100 participants (Basic), 150 (Business), or 250 (Enterprise)
  • Features: Screensharing, instant messaging, document sharing, recording, integration

Privacy and Security

Video communication platforms are crucial to working remotely, but it is important to ensure that use of these tools addresses privacy, security and legal risks. Here we provide some general considerations and information  to assist broader public sector entities in determining which platforms may be suitable for their particular needs.  Broader public sector entities are encouraged to consult their privacy and security experts and to seek legal advice as appropriate based on their intended use of a particular tool.

B.C. legislation and data residency

Since many video communication platforms store data in the United States, using these platforms in B.C. may not comply with section 30.1 of the Freedom of Information and Protection of Privacy Act (the data residency provision). However, Ministerial Order 085 – issued during the COVID-19 public health emergency – allows disclosure of personal information outside Canada in specific circumstances. One of these circumstances allows public bodies to use third-party tools or applications such as video communication platforms, which may be hosted outside Canada, to support and maintain the operation of programs or activities of the public body where such use supports public health recommendations or requirements related to minimizing transition of COVID-19 (e.g., social distancing, working from home, etc.).

Ministerial Order 085 also outlines conditions for the use of these tools or applications, including that:  they are reasonably secure; the public body make all reasonable efforts to remove personal information from the tools or applications as soon as possible when the order expires (June 30, 2020, unless rescinded or extended); and  records created using these tools or applications are managed appropriately.

For more information, please read the Guidance on Ministerial Order 085: Respecting Disclosures During COVID-19 Emergency.

Security measures

Security measures should be proportional to the sensitivity of information. The more sensitive the information, the more secure it should be. For example, your health information is more sensitive than your opinion of the weather, so it would be reasonable to expect your health information be protected to a higher degree. If you are an employee of a broader public sector entity and your job includes sharing potentially personal, sensitive or confidential information, you are encouraged to consult your organization for specific guidance on which tools to use.

The information provided below is for general informational purposes only and does not replace the need for broader public sector organizations to conduct their own due diligence, including seeking legal advice, where appropriate, on video communication platform use within their organization.

Security best practices and tips

Determine whether you will be sharing personal/sensitive/confidential or public information.

Some questions to ask:

  • How sensitive is the information that I will be sharing or processing over my intended platform or tool?
  • Is it okay if other people, aside from my intended audience, have access to this information without my knowledge?
  • Who would want to steal this information and does my intended platform or tool protect this information from them?
  • What are the risks to sharing this information, and is my organization willing to accept those risks to achieve our business objectives? Are there any risks that must be addressed in order to ensure compliance with legislative requirements?

If your information is personal/sensitive/confidential, ensure the tool you are using has sufficient security controls in place to protect the information.

Choose a service provider with strong security and privacy policies and features.

  • Consider how the service provider responds to privacy breaches and security incidents. Look for a reliable provider who proactively engages their customers to address privacy and security issues.
  • Be familiar with and comply with the service provider’s customer use and responsibility policy.
  • Seek advice from your organization’s privacy and security experts and legal advisors before using any tool or agreeing to any terms and conditions. That way, you can avoid inadvertently accepting terms and conditions that breach your organization’s security requirements (e.g., if the service provider claims ownership of any recorded conversations, content, metadata, or files shared over their platform).
  • Consider the service provider’s encryption standards. They should be encrypting data while it is in transit and at rest. Strong encryption, such as Transport Layer Security (TLS), is necessary.
  • Find out what personal and potentially sensitive information the service provider collects about meeting participants. For example, do they collect names, roles, organizations, email addresses, usernames, passwords, or the devices used? Learn how the service provider will use this information and let participants know what to disclose during registration.
  • Use different passwords and credentials than the ones you use for your work accounts.
  • Compare the privacy and security features offered between providers and between subscription plans. You may discover a paid-for plan offers better security than a free one.

Set up a secure video conference or meeting.

  • Modify the meeting’s settings when the default settings do not meet your organization’s security requirements.
  • Send invitations securely. Use email or encrypted messaging apps to send links to your meeting. Do not share links or access credentials over public websites or social media.
  • Update your access credentials periodically to reduce the risk of uninvited guests at your future meetings.

Choose a secure physical setting.

  • Host your video conference from a private location. If you can’t find one, use headphones so that only meeting participants can hear the full discussion.
  • Consider muting participants. This eliminates background noise and prevents nearby private or confidential discussions from being overheard.
  • Consider what others can see behind you. Remove or conceal anything that should be kept private. Some video communication tools (e.g., MS Teams) let you blur the background or use a virtual background.
  • Check that meeting participants have also secured their physical setting and devices.

Limit and monitor meeting participants.

  • Consider who you allow to join your meeting. You can restrict access by requiring participants to enter a password to join. You can also allow authenticated users only, or registered or domain-verified users only (i.e., people whose email addresses include approved domains). On some tools, you can make participants wait in virtual lobbies before they join the meeting.
  • Watch or listen for cues that someone has joined the meeting. Ask participants to identify themselves when they join by phone. Do not share information if unidentified participants are in your meeting.
  • Lock the meeting once all participants have joined.
  • Learn how to eject unwanted participants quickly and prevent them from re-joining.
  • Invite a participant to co-host the meeting. Having two people in control means you can deal with unwanted participants or content faster.

Provide a collection notice, if required, and conduct due diligence whenever personal information will be collected or disclosed.

  • If a public body is using a video communication tool to collect personal information directly from individuals, then the Freedom of Information and Protection of Privacy Act requires each individual to be informed of:
    • The purpose for which the information is being collected,
    • The legal authority for collecting it, and
    • The title, business address and business telephone number of an officer or employee of the public body who can answer questions about the collection.
  • If you are using a video communication tool to disclose personal information between public bodies, no collection notice is required; however, there may be other legislative requirements that must be met.
  • Public bodies are encouraged to conduct appropriate due diligence, including seeking legal advice where appropriate, for use of any video communication platform in situations where personal information will be collected or disclosed, particularly where the platform provider is based in the U.S.

Only share what is appropriate and necessary.

  • Review your settings for screen sharing, annotation or private messaging, or chat. Limiting or disabling these channels will avert unauthorized content and other distractions.
  • Share an application rather than the entire screen, if you need to show your screen to others.
  • Do not click on suspicious links or attachments sent via chat or emails about the platform or tool.
  • Before you upload or share a document, consider whether it is appropriate. For example, documents where the copyright is owned by a third party should not be shared, unless your organization has a license that permits this.
  • Notify participants in advance if you will be recording or transcribing the meeting and manage recordings in accordance with your organization’s policies.
  • Do not use private messaging for confidential information, as hosts may have access to chat logs.

Free Zoom and security 

During the COVID-19 public health emergency, many of you across the B.C. public sector may be using the free version of Zoom to communicate with colleagues and clients. Please be aware of the privacy and security vulnerabilities – primarily, weak encryption that generally falls short of B.C. government standards. This vulnerability means information is not adequately protected. If you are sharing confidential information, do not use Zoom if you have access to a secure alternative.

Other vulnerabilities include the ability for hackers to steal your Windows login credentials, and for uninvited participants to join and disrupt your Zoom meetings – called “Zoombombing.”

It is up to each broader public sector entity to determine whether Zoom is appropriate for use within that organization. Broader public sector entities are encouraged to consult with their privacy and security experts and legal advisors to assess the risks associated with their intended use of Zoom. Where a broader public sector entity has determined that the use of Zoom is appropriate within its organization, the following steps can be taken  to improve the security of the free version of Zoom.

General tips

  • Use the web version of Zoom on your desktop or laptop.
  • Ensure the Zoom client app is the current version and regularly check for updates. For more information on installing apps, read the Applications and Software Guide.
  • Use your full first and last name for your Zoom account (e.g., firstname_lastname, or Jane_Smith). This helps the meeting host verify participants against the invitation list.
  • Do not use your organization credentials to log into Zoom.
  • Choose a strong password (see Password Best Practices) and change your password immediately if you think someone may have access to your account.
  • Do not use the “Personal Meeting ID” option to host events. Instead, allow Zoom to automatically generate a random meeting ID for you.
  • Do not share your meeting link on social media or other public forums, and ask participants not to share the link as well.
  • Password protect your meeting when possible.

Setting up a meeting

  • Set screen sharing to “Host Only.” This allows you, as the host, to reject any unwanted content from participants.
  • Disable “Join Before Host.” Instead, use the “Waiting Room” feature to admit participants and keep out uninvited guests.
  • Enable “Co-Host” if you (as the host) want to assign moderating duties to other participants.
  • Be aware of everything your camera can see around you (e.g., family photos, sensitive documents).

During a meeting

  • Verify participants by comparing names against the invitation list.
  • Lock the meeting once all attendees have joined to prevent uninvited guests.
  • Disable “Allow Removed Participants to Rejoin.”
  • Disable “File Transfer” and do not click on links or open attachments.
  • Do not use Zoom’s cloud storage. You can stream or edit documents that do not have any personal, sensitive or confidential information, but do not upload or save documents onto Zoom’s cloud storage.
  • Do not record meetings unless necessary and with proper authority under the Freedom of Information and Protection of Privacy Act. If you do record a meeting, save the recording locally and never in Zoom’s cloud storage.
  • Disclose personal information only if your organization has determined that it is appropriate and lawful to do so, and limit any disclosure of personal information to the minimum amount reasonably necessary for performing your duties as an employee, officer or minister of the public body. In other words, consider what personal information is needed to get the job done and only share that information via Zoom.
  • Turn off video and/or audio by default when joining a meeting (in Zoom Settings) to protect your privacy.

Miscellaneous

  • Zoom collects account information, including IP addresses, usage analytics, names, email addresses, credit card information for the host account, product interaction analytics, and content uploaded, provided or created on Zoom, as well as metadata.
  • Zoom is based in the United States and may store data outside Canada. Your organization will need to assess whether the use of Zoom, including for meetings that may include the collection and/or disclosure of personal information, is appropriate and lawful.

You can find training and tutorials on Zoom’s website in A Message to Our Users.

Use of Zoom in B.C. schools

The B.C. Ministry of Education has secured and funded licences for the enterprise version of Zoom for all K-12 public and independent schools in B.C. This version of Zoom has many features to enable secure meetings. Find more information and resources for teachers and school administrators on the ministry’s Keep Learning website.

Contact Information for Broader Public Sector Entities

Privacy and Access Helpline

250-356-1851

privacy.helpline@gov.bc.ca

Video Communication Platforms – Information for Government Ministries

The video communication platforms that have been approved at a corporate level for use within government are:

  • Skype
  • Microsoft Teams

If the intended use case involves sensitive information, Ministries should seek internal legal advice. Other tools may become available, and employees are encouraged to check here regularly for updated information.

Contact Information for Government Ministries

OCIO.Communications@gov.bc.ca