
This generic Privacy Impact Assessment (PIA) template and its contents are intended to be used and modified by authorized members. Non-members should obtain written consent for any use or modifications of this document. Also, remove this page from the final, completed version of your PIA.

Privacy Impact Assessment for BC School Districts

[Zoom Video Communications] PIA# [assigned by your privacy office(r)]

Note to Districts:

Instructions or examples appear in Red text in this document and should be removed from the final version of your District’s PIA.

We understand your District has chosen to make use of Zoom Video Communications, Inc. By conducting this Privacy Impact Assessment, it will help your District identify your privacy risks while ensuring compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and your school’s or district’s applicable use policy; and provide documentation on your organization’s transparency processes when introducing new programs or services that involves the collection, the use and disclosure of personal information.

The purpose of a PIA is to ensure that the district complies with its obligations under FIPPA, and to ensure that, with heightened sensitivity about the use of personal information and private data, it demonstrates to all stakeholders the due diligence that is applied to new services and initiatives within the school district.

To assist you in the deployment of Zoom Video Communications, Inc. this Privacy Impact Assessment (PIA) has been partially completed for you. Please review and edit this document carefully to ensure that it accurately reflects the intent and scope of your initiative. It is your responsibility to ensure that the information in this PIA is accurate and complete.

Note: Nothing in this document constitutes legal advice to any person. The comments and opinions expressed in this document are to help illustrate the content needed to complete a School/District PIA. This information does not constitute Focused Education’s approval of the initiative being consulted on or fetter the Commissioner’s discretion should the initiative later be the subject of a complaint or investigation. It remains the responsibility of school districts to ensure that they comply with their duties and obligations under applicable laws and are compliant with the Freedom of Information and Protection of Privacy Act.


Enquiry BC: Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867


Why should I complete a PIA?

A PIA is a tool to help Schools/Districts ensure compliance with applicable privacy legislation. This document helps mitigate and evaluate many of the unintended risks and consequences that can develop as a result of not anticipating multiple perspectives and circumstances with a new system or project. As part of the process, schools/districts are taking the appropriate steps to ensure that parents, students and educators understand what measures are taken with regards to the safety and security of personal information and the importance of informed consent.

School/District staff need to contact the privacy office(r) or PIA Drafter, at their School/District, to determine internal policies for review and signing-off of a Privacy Impact Assessment. Staff may submit PIAs to their Superintendent of Schools for consideration. If you have any questions about this PIA template or FIPPA in general, you may contact the designated PIA Drafter as noted in this document or call the provincial Privacy and Access Helpline at Enquiry BC as noted below. Completed PIAs must be retained in a secure location at the School/District for the purposes of a Privacy Commissioner’s Audit.

Note: This process can help identify and reduce many of the unintended risks and consequences that may potentially jeopardize student and educator privacy and security.

What if my initiative does not include personal information?

Best practices indicate that Schools/Districts should still complete Part 1 of the PIA and submit it along with the signature pages to their privacy office(r) even if it is thought that no personal information is involved. This process ensures that the initiative has been accurately assessed to meet the requirements of FIPPA.

Note: The definition of personal information is: Recorded information about an identifiable individual other than contact information.

The following examples are a non-exhaustive list of personal information:

- Name, address, email address or telephone number;
- Age, sex, religious beliefs, sexual orientation, marital or family status, blood type;
- Information about an individual’s health care history, including a physical or mental disability;
- Information about an individual’s education, financial, criminal or employment history;
- Social Insurance Number (SIN) and Personal Education Number (PEN); and
- Personal views, opinions, religious or political beliefs or associations.


Part 1 – General

Name of District: Board of Education – SD Name and ##
PIA Drafter: Name, Title of School District Contact
Email: Email of School District Contact
Phone: Number of SD Contact
Program Manager: Name, Title of initiative contact, if different from PIA Drafter
Email: Alternate to the above
Phone: Alternate to the above

As this is a generic PIA template, each school district should review and customize the contents to accurately describe the configuration and use of Zoom within your district. Then remove the instructional text once you complete the document.

1. Description of the Initiative

School districts in British Columbia have access to Zoom, a video conferencing platform provided by Zoom Video Communications, Inc. based in San Jose, California, through a Master Subscription Agreement (MSA) for the Zoom Education License established by Focused Education Resources effective April 2, 2020.

Zoom’s services include video conferencing via online meetings, chat, file sharing and voice calling that support online collaboration and delivery of classes and meetings virtually.

Our school district has registered for a Zoom subscription under the MSA by completing an order form specifying the date which services go into effect, the initial subscription term, and the renewal term. The renewal term will automatically go into effect unless written notice is provided to Zoom 30 days in advance of the end of the initial subscription term.

To use Zoom under the MSA, schools or districts first complete an online survey linked from the Focused Education website. Once the survey is completed, staff from Focused Education’s procurement team contact the district to provision the requested administrative account mailbox accessible to the individual(s) designated by the district or school. An account activation link is sent to that mailbox. These administrative account holders then create user accounts within their school/district with users’ first and last name, email address and password.

Within Zoom, “hosts” refer to any school district users who schedule and start online video meetings. Host subscriptions are assigned to specific people and not intended to be shared. “Participants” refer to any person, other than the host, who joins a meeting.


<Adjust description below to most accurately reflect implementation and configuration in your district>

In our district, accounts are created for <identify users who have Zoom accounts. For example: teachers, staff, students> to use Zoom.

<Relevant school district users> create, schedule, and administer Zoom meetings, and invite participants to attend.

Participants join meetings by <identify method used in your district: for example, via meeting link and password; by logging in to their account to authenticate; through Single-Sign-On; using their district email address etc.>

Vendor: Zoom Video Communications, Inc.
55 Almaden Boulevard, 6th Floor
San Jose, CA 95113
1.888.799.9666
Email: [email protected]
Privacy information inquiries: [email protected]

2. Scope of this PIA

The PIA addresses the use of Zoom by <identify all intended users in School District ##> in accordance with the terms of the MSA, for the purposes of:

- Delivery of online classes via virtual classrooms
- Meetings between district staff, students, parents, and teachers
- Online meetings within districts or across different districts
- Office hours for teachers to answer student questions
- Inviting guest speakers over video
- <add any other examples identified by the School District or schools>

For interactions or discussions involving the exchange of sensitive personal information (such as counselling, or one-on-one sessions with students), school districts should consider whether to use alternate methods of communicating.

Within this PIA, “meetings” and “online classes” both refer to Zoom teleconference sessions with a host and participants in attendance.


Although Zoom offers add on services to its core platform, such as Zoom Rooms and Audio Plan, the use of these is not addressed within the scope of this PIA. Add on services will be addressed by the school district in separate addenda to this PIA as necessary.

Note: The MSA states that Zoom may offer access to Beta versions (which are not widely available) of its services, for example an upgraded version of the Zoom platform that is still being tested before public release. Beta versions of software may contain unresolved technical issues that entail additional privacy risks. Use of Beta versions is not covered within the scope of this PIA.

3. Related Privacy Impact Assessments

Districts to customize text accordingly. If aware of any related PIAs, these should be noted here.

4. Elements of Information or Data

Through the use of Zoom as described above, the following information is stored and/or processed by the Zoom Platform:

Customer Account Information (referred to in the MSA as Customer Data)

Through the Master Service Agreement, school districts are customers of Zoom, and the following customer information is collected: School district name, customer account owner, contact information (name, email, phone), customer business contact information (name, email, phone), business address, customer account type, customer account plan and scheduled meetings. Business address and contact information is not considered personal information under FIPPA, and the staff member designated as the “customer account owner” should be instructed not to provide any personal contact information.

User Profile Information

For Hosts and Participants with Zoom accounts, the system stores at a minimum first and last name, email address and password. If Single Sign On (SSO) is used, password information is not stored.

The following information may also be stored as part of individual user profiles but is optional: phone number, profile picture, department. Although phone number, profile picture and department can be added to individual user profiles, this information should not be added, in order to minimize privacy exposure.


Meeting metadata

Zoom stores the following metadata about meetings: topic, description (if entered by the meeting host), IP addresses of participants, information about devices connected to the meeting, meeting statistics and metrics, start time, join time and leave time.

Zoom states that they do not use any call-generated metadata for any secondary purposes.

Recordings (Optional)

Note: Recording meetings presents a higher privacy risk, and school districts should consider whether this is operationally necessary, and otherwise avoid the practice. When a meeting is being recorded, Zoom will display a visual notification to indicate this to participants.

Zoom provides the ability to record meetings, which can be activated by the Host. Meeting recordings are stored either in Zoom’s cloud, or locally, on premises within our school district, as determined by the meeting host. Recordings include: MP4 files of all video, audio, and presentations; M4A files of all audio; text files of meeting chats; and audio transcript files.

Data stored based on other optional settings

If enabled by our school district through managing Zoom’s system settings, or through our contracted services, the following information may also be stored:

Instant Messaging: chat logs, in-meeting chat, persistent chat, related metadata.

File Transfer: files transferred between meeting participants using in-meeting chat.

Zoom Phone: called number, caller number, related metadata, voicemail recording, voicemail transcript, call-in number, call out number, country name, IP address, 911 address (registered customer address), start and end time, host name, host email, device information.

Zoom Webinars: host email, participants contact (first name, last name, email addresses), meeting ID, related metadata.

Location data


Zoom stores the approximate location of users to the nearest city; however, Zoom states that it does not track specific location.

Cookies and tracking technology

Zoom states that there are no advertising cookies or tracking technology in their services, however their public marketing websites do use cookies to collect information about visitors such as IP address, browser type, internet service provider, referring URL, exit pages, files viewed on the site, operating system, and date and time of visit.

Customer Content

As defined in the MSA, Customer Content is any data created by our school district (including items described above) and our users through the use of the Zoom platform, including, but not limited to: files, documents, meeting recordings, chat logs, meeting subject, attendee information and meeting transcripts.

As per the MSA, our school district is responsible for any Customer Content that is uploaded into the Zoom platform, including ensuring that it complies with provincial laws. Our district retains ownership and control of this content.

By the nature of the service, district users disclose personal information to other users through the use of Zoom, including their identifiable image and voice, as well as ideas and opinions expressed within online classes or meetings.

Sharing or access to personal data

Zoom states they do not monitor or use Customer Content for any reason other than as part of providing our services. Zoom does not sell Customer Content to anyone or use it for any advertising purposes.

Third-party service providers that help Zoom provide the service may have limited access to personal information in the process.

Zoom states that they have agreements with service providers that say they cannot use any data for their own purposes or for the purposes of another third party.

Subprocessors


To deliver services, Zoom uses third-party data subprocessors who will potentially have access to customer data. Before working with any subprocessor, Zoom states that they evaluate the company’s security and privacy.

Zoom states that they assume liability for the actions of subprocessors and ensure that vendors/subprocessors are bound to substantially similar conditions and restrictions to those imposed upon Zoom by our district.

Zoom has a vendor selection process that examines third-party risk. Zoom evaluates the SOC 2 reports for third-party vendors as part of its third-party risk management. Additionally, Zoom engages a third-party auditor to conduct a SOC 2 Type II audit.

Zoom monitors SOC 2 reports and third-party security ratings of key Zoom vendors, subprocessors and business partners involved in the processing and storing of customer data. As a public company, Zoom also monitors SOC 1 reports for certain third parties who are instrumental in the Zoom service.

Zoom performs these assessments during procurement for all new vendors and annually for critical/high rated vendors.

Full details about Zoom’s subprocessors, including their role and location, can be found in Appendix B of this PIA.

Part 2 – Protection of Personal Information

5. Storage or Access outside Canada

Zoom operates on a hybrid infrastructure:

Functions such as meeting setup, user management, conference recordings, chat transcripts, and voice mail recordings are hosted in the cloud (Amazon Web Services in Montreal).

Real time conference media, for example video and audio transmitted during video meetings, is processed in co-located Zoom datacentres (in Vancouver and Toronto).

For our school district’s users, accounts are provisioned within Zoom’s Canadian Cluster. Our district’s Customer Content, as defined above in section 4 and in the MSA, which includes meeting recordings, chat logs and meeting metadata, is persistently stored in Zoom’s Cloud, in the Amazon Web Services (AWS) datacentre in Montreal.

When district users connect to Zoom meetings, data is processed through Zoom’s co-located data centres in either Vancouver or Toronto.


Zoom states that Customer Content will not be transferred outside of Canada, even in the event of a failure in any of these data centres (Vancouver, Toronto, or Montreal).

For the purposes of providing technical support, Zoom has the ability to access our school district’s Customer Content from outside of Canada. Depending on the type of support required, assigned representatives with access could include: Customer Success Manager, Account Executive, Sales Engineer, Phone Specialist or Phone Engineer. Such access is for maintenance and troubleshooting only and is permitted only on a temporary basis and for the minimum period of time necessary. It is therefore compliant with section 33.1(1)(p) of FIPPA.

Additionally, any access or storage of personal information by Zoom from locations outside of Canada is authorized under Ministerial Order M085 until December 31, 2020 when the use of Zoom is for the purposes of physical distancing in response to the COVID-19 pandemic.

Note: In June 2020, it was identified that data of customers in the Canadian cluster was transiting outside of Canada. A technical resolution was implemented over the period of July 10 to 12, which Zoom confirmed was successful. All BC school district accounts are now homed to Canada and data routes through Canada.

Data processing

Zoom’s third-party data subprocessors, identified in Appendix B, may have access to customer data from outside of Canada.

Customer data is information provided to Zoom to provide access to their services. Customer data consists of the district name, billing address, and the name and information of the designated contact. This business contact information does not constitute personal information, and the name and business contact information of the school district contact is information that can be disclosed outside of Canada in accordance with section 33.1(1)(a.1).


6. Data-linking Initiative*

In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a “data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data-linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.

1. Personal information from one database is linked or combined with personal information from another database;

No

2. The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;

No

3. The data linking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.

No

If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.

7. Common or Integrated Program or Activity*

In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “a common or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.

1. This initiative involves a program or activity that provides a service (or services);

Yes

2. Those services are provided through:
(a) a school district and at least one other public body or agency working collaboratively to provide that service; or
(b) one school district working on behalf of one or more other public bodies or agencies;

No

3. The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FIPPA regulation.

No

Please check this box if this program involves a common or integrated program or activity based on your answers to the three questions above.

8. Personal Information Flow Diagram and/or Personal Information Flow Table


Personal Information Flow Table

Columns: Description/Purpose; Type; FIPPA Authority

1. School district information (defined as Customer Data) is provided to Zoom to initiate services for our district.
Type: No personal information involved
FIPPA Authority: N/A

2. School district Zoom administrator(s) provide necessary information to Zoom in order to create accounts for users in our district to access Zoom services.
Type: Disclosure
FIPPA Authority: 33.2(a)

3. Through using Zoom, identifiable images and voices of meeting hosts and participants are processed by Zoom’s co-located data centres in Vancouver and Toronto.
Type: Collection
FIPPA Authority: 26(c)

4. Other Customer Content created through the use of Zoom, including chat logs and meeting metadata, is stored in Zoom’s cloud (hosted by Amazon Web Services in Montreal, Canada).
Type: Disclosure
FIPPA Authority: 33.2(a)

5. If recording of a meeting is required, the identifiable images and voices of meeting hosts and participants, as well as other Customer Content, are saved within recordings either locally on the school district’s secured drives or within Zoom’s cloud storage (hosted by Amazon Web Services in Montreal, Canada).
Type: Collection
FIPPA Authority: 26(c), 26(e)

6. When technical support is required, a Zoom staff member may access personal information of school district users from a location outside of Canada as needed to provide the necessary technical support.
Type: Disclosure
FIPPA Authority: 33.1(p)(i)(A)

7. Third-party companies may require limited access to personal information stored in the Zoom system from outside Canada to support the delivery of Zoom services.
Type: Disclosure
FIPPA Authority: 33.1(p)(i)(A)


9. Risk Mitigation Table

Columns: Risk; Mitigation Strategy; Likelihood; Impact

1. Risk: School district staff and / or teachers access personal information of students and use or disclose it for personal purposes.
Mitigation Strategy: District policy on appropriate use of technology (or equivalent) contains instructions to not access or use student information unless required for the purposes of using the program.
Likelihood: Low
Impact: High

2. Risk: An unauthorized or uninvited individual accesses a Zoom meeting and can view the identifiable voices and images of attendees and/or expose attendees to offensive content (as in cases of “Zoombombing”).
Mitigation Strategy: Meeting hosts follow Security and Privacy best practices when administering meetings:
- Identify guest participants who may have joined from outside your account.
- Lock meetings once they have begun.
- Avoid using personal meeting IDs (which are long, continuous meeting sessions) and instead generate random meeting IDs.
- Limit screen sharing to the host only, unless otherwise necessary.
- Allow only signed-in users to join.
- If necessary, remove unauthorized participants.
- Set up a Waiting Room, and post guidelines and information about rules for attending the meeting.
- Provide meeting information and passwords over a secure, confidential channel to ensure they do not become public.
Likelihood: Medium
Impact: High

3. Risk: Personal information is shared between participants via file transfer or private chat within Zoom.
Mitigation Strategy: Hosts are advised to deactivate file transfer and private chat functionality within Zoom. The District’s policy on Appropriate Use of Technology provides further guidance on not sharing personal information.
Likelihood: Medium
Impact: Medium

4. Risk: A host or participant account is hacked or compromised.
Mitigation Strategy: Passwords are updated regularly, and include a combination of upper and lower-case letters, numbers and symbols. Zoom is informed by the school district of any user accounts suspected to be compromised.
Likelihood: Low
Impact: High

5. Risk: Sensitive personal information discussed over Zoom is breached.
Mitigation Strategy: Staff consider using an alternative tool or method for having discussions that may include sensitive personal information, such as counselling sessions, team meetings and one-on-one sessions with students.
Likelihood: Low
Impact: High

6. Risk: People visible in the backgrounds of videos (who are not Zoom users) are inadvertently captured / recorded.
Mitigation Strategy: Hosts and participants join meetings from locations where people are not likely to pass through the background of the video.
Likelihood: Medium
Impact: Low

7. Risk: Screen shots of Zoom classes are captured and shared via social media.
Mitigation Strategy: Hosts and participants are advised to refrain from capturing and / or sharing images of Zoom sessions.
Likelihood: Low
Impact: Medium

8. Risk: Vendor alters terms of service.
Mitigation Strategy: Contractual terms of the MSA state that any modification to the agreement must be in writing and signed by both parties (Zoom and our school district).
Likelihood: Low
Impact: High

10. Collection Notice

Your personal information, including name, image, voice, email address, opinions, chat logs, and any other information created through your use of Zoom’s services, is collected for the purpose of registering accounts and providing school district users with access to Zoom services for education, collaboration and communication.

Personal information collected by the school district in connection with the use of Zoom services as described above is collected under the authority of s. 26 (c) of the Freedom of Information and Protection of Privacy Act (FIPPA).

Accessing, updating or removing personal information

Any privacy-related questions or comments, including requests to access, update or remove personal information from Zoom’s storage, can be sent to:

District Contact: Name, Title, Phone number and E-mail address here.

Part 3 – Security of Personal Information

11. Please describe the physical security measures related to the initiative. (if applicable)

Zoom

Zoom uses Amazon Web Services (AWS) to host its web services and cloud infrastructure, and data centre providers to host its real-time communication services. This includes computing power, storage and other application services delivered over the Internet. AWS and the data centre providers are responsible for the physical security and environmental controls within these data centres.

Zoom indicates that the existence and operation of controls at AWS and the data centre providers are verified by Zoom’s security team on an annual basis through review of external service auditor reports. Any exceptions noted in the review are investigated with the service providers and reported to Management.

Physical access controls for data centres include key cards and biometric scanners, perimeter and interior IP-DVR, in-house staffing, mantraps and perimeter fencing. Access reviews are performed quarterly for physical access to the co-located data centres.


School District

<Describe any physical security measures used in the school district to protect personal information being stored on computers and / or networks.>

12. Please describe the technical security measures related to the initiative.

Zoom:

Zoom follows the recommended security controls established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Zoom's security framework includes role-based access controls (RBAC) that permit or deny access to client data according to the principle of "least privilege": each employee gets only the access necessary for their job function.

Technologies in place to protect against outside threats include: network perimeter firewalls, security groups, intrusion detection systems/next-generation firewall (advanced threat protection), file integrity monitoring (FIM), security information and event management (SIEM), endpoint anti-malware protections, and company-wide multi-factor authentication to Zoom IT resources.

At the time of writing of this PIA, Zoom is working towards incorporating compliance with NIST 800-53 standards.

For data in transit: By default, Zoom encrypts in-meeting and in-webinar presentation content at the application layer using TLS 1.2 with the 256-bit Advanced Encryption Standard (AES) algorithm.

For dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's data centers and is transferred to the participant's phone network.

Encryption can be required for H.323 and SIP devices joining Zoom meetings. This setting is configured at the account level, group, or user level. Encryption can also be enabled or disabled for chat.

Zoom supports secure voice calls across all supported SIP devices, desktop and mobile clients. Zoom Phone supports standards-based encryption using SIP over TLS 1.2 with the 256-bit Advanced Encryption Standard (AES) algorithm for calls and during phone provisioning sessions.


Call media is transported and protected by SRTP, using AES-256 for Zoom desktop and mobile clients and AES-128 for devices.

Zoom states that in a meeting where all participants use Zoom clients and the meeting is not being recorded, it encrypts all video, audio, screen sharing and chat content at the sending client and does not decrypt it at any point before it reaches the receiving clients.

As of July 2020, Zoom is engaged in the testing of an early beta version of its end-to-end encryption (E2EE). Zoom states that when E2EE is available, it will be an optional feature as it limits some meeting functionality. Account administrators will have the ability to enable and disable E2EE at the account and group level.

For data at rest: Data is protected using Amazon Server Side Encryption (SSE) using 256-bit Advanced Encryption Standard (AES-256).

Zoom 5.0: As of May 30, 2020, only Zoom clients running version 5.0 or later will be able to join Zoom meetings. Zoom 5.0 supports AES-256 ECB and AES-256 GCM encryption.
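The distinction between the two AES-256 modes named above matters for a privacy assessment. In ECB mode every block is encrypted independently, so two identical plaintext blocks always produce identical ciphertext blocks and the structure of the data (repeated fields, repeated frames) is visible to anyone who sees the ciphertext. GCM derives its confidentiality from counter mode, where each block is XORed with a fresh keystream block, and additionally authenticates the data with a tag. The following is an added illustration, not code from the PIA or from Zoom: because the Python standard library has no AES, the 64-bit XTEA block cipher stands in for AES-256, and plain counter mode stands in for GCM's confidentiality layer (the authentication tag is omitted). The key, nonce and attendance-roster plaintext are constructed for the demo. The repeated-block leak shown is a property of ECB with any block cipher, not of XTEA.

```python
"""Added example: ECB versus a counter-based mode (the confidentiality layer of GCM).

Not Zoom's code and not part of the PIA. XTEA (8-byte blocks) stands in for
AES-256 because the standard library has no AES; the leak demonstrated is a
property of the ECB mode, not of the cipher.
"""
import struct

BLOCK = 8            # XTEA block size in bytes (AES would be 16)
ROUNDS = 32
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block under a 16-byte key (reference XTEA, 32 rounds)."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2L", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of xtea_encrypt_block: undo the rounds in reverse order."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2L", v0, v1)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted independently and deterministically (no padding here)."""
    assert len(data) % BLOCK == 0, "ECB demo needs whole blocks"
    return b"".join(xtea_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(xtea_decrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter to get a keystream block, XOR it in.

    This is the confidentiality layer of GCM without GCM's authentication tag.
    The same call encrypts and decrypts. Nonce is 4 bytes, counter 4 bytes.
    """
    assert len(nonce) == 4, "demo uses a 4-byte nonce and a 4-byte counter"
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), BLOCK)):
        keystream = xtea_encrypt_block(key, nonce + struct.pack(">L", ctr))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of different ciphertext blocks, which any observer can count."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


# Constructed sample inputs (not from the PIA): a roster whose eight entries are
# all the same 8-byte status, so every plaintext block is identical.
SAMPLE_KEY = bytes(range(16))        # constructed demo key only
SAMPLE_NONCE = b"\x00\x00\x00\x01"   # constructed; CTR/GCM nonces must never repeat per key
SAMPLE_PLAINTEXT = b"PRESENT " * 8   # 8 identical blocks


def compare_modes(key: bytes = SAMPLE_KEY, nonce: bytes = SAMPLE_NONCE,
                  plaintext: bytes = SAMPLE_PLAINTEXT) -> dict:
    """Encrypt the same plaintext both ways and report what leaks."""
    ecb_ct = ecb_encrypt(key, plaintext)
    ctr_ct = ctr_crypt(key, nonce, plaintext)
    return {
        "blocks": len(plaintext) // BLOCK,
        "ecb_distinct": distinct_blocks(ecb_ct),   # 1: identical blocks are visible
        "ctr_distinct": distinct_blocks(ctr_ct),   # 8: each block looks different
        "ecb_roundtrip": ecb_decrypt(key, ecb_ct) == plaintext,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr_ct) == plaintext,
    }


if __name__ == "__main__":
    print(compare_modes())
```

The counts are the point: under ECB the eight identical roster entries produce one repeated ciphertext block, so an observer learns that all entries are equal without learning the key; under the counter-based mode the eight ciphertext blocks are all different. That is why a district reviewing Zoom 5.0's settings should prefer GCM where it is available: it removes this pattern leak and adds integrity protection that ECB lacks.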

School District:

<Describe the technical security measures used in the school district to protect personal information being stored on computers and / or networks. For example: use of firewalls, document encryption, or user access profiles assigned on a need-to-know basis.>

13. Does your School District rely on any security policies? Describe any specific policies and procedures and provide contact details for someone who could answer further questions regarding these policies and procedures.

Zoom

Zoom’s security practices and other information are outlined at: https://zoom.us/security.

Zoom’s security team can be contacted at: [email protected].

The following documents identify security measures that Zoom has in place, and were both published in April 2020:

Zoom Security White Paper


Zoom Encryption White Paper

School District

<Please describe any specific technology user policies and procedures and provide contact details for the designated person who could answer further questions regarding these policies and procedures.>

14. Please describe any access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.

Zoom

Zoom has a formal Access Control policy, as well as administrative, physical and technical safeguards and processes, that prevent unauthorized access to its production environment. Only authorized personnel are allowed access. Access is role-based and least-privileged, meaning that each role has access only to the information required for its purposes.

Access to Zoom's production infrastructure hosted at AWS requires multi-factor authentication and access to servers hosted by AWS requires secure shell (SSH) with private key.

Access to Zoom's colocation/datacenter servers requires key pair authentication. Remote access to Zoom's data center is only allowed through Virtual Private Network (VPN).

Zoom's customer-supporting teams (Support, Sales, Customer Success, Sales Engineering, Billing) need access to Zoom's operations portal, which contains customer account information and meeting metadata. These Zoom staff may view the customer dashboard in the same way our district views it; however, they are not able to modify any settings and cannot access recordings or chat history.

Zoom’s onboarding and offboarding processes also help limit unauthorized access: new staff are required to acknowledge Zoom’s information security policies and complete security awareness and privacy training. Upon termination, during the exit interview process, access to Zoom production systems, tools and the network is removed in accordance with the Access Control policy. Zoom performs full access reviews at least quarterly and any time there is a role change.

Zoom states that user content would only be accessed where there was a reasonable and credible reason to do so, for example in the case of service violations.

School District

<Describe any access control(s) your district has in place. For example: role-based access.>

15. Please describe how you track who has access to the personal information.

Zoom

Zoom states that they have robust and validated access controls and perform access reviews at least quarterly and any time there is a role change. Access is role-based and least privileged and determined by Zoom’s Access Control Policy.

School District

<It is recommended that a staff member within the school district be responsible for reviewing administrator logs for unauthorized access. This responsibility may be identified within the applicable school district policy and procedure documents. Describe that process here.>

Part 4 – Accuracy/Correction/Retention of Personal Information

16. How is an individual’s information updated or corrected? If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated? If personal information will be disclosed to others, how will the school/district notify them of the update, correction or annotation?

Zoom:

Users can ask Zoom what personal data the Zoom system holds about them and request a copy of that data. These requests can be directed to: [email protected].

Due to contractual confidentiality obligations, Zoom is not able to reply directly to requests from parents or students to correct their personal information stored in the system. As such, if a student or parent wishes to correct their personal information within the Zoom system, they should send a request to the school district, who can then contact Zoom to fulfil the request.

School District:

<Describe what information the School District will retain, including recordings or copies of chat exchanges and how it would approach the correction or annotation of these records.>

17.Does your initiative use personal information to make decisions that directly affect an individual(s)? If yes, please explain.

Yes, personal information exchanged or recorded using Zoom could be used for the purposes of making decisions about students and staff who participate in school district exchanges via Zoom. <describe examples here: such as performance on tests and quizzes; participation in classes.>

18. If you answered “yes” to question 17, please explain the efforts that will be made to ensure that the personal information is accurate and complete.

Zoom:


If any users believe that any of their personal data held in the Zoom system is incorrect or incomplete, they can send a request to Zoom to have the data corrected, or have supplemental data added. These requests can be directed to: [email protected].

Customers, such as school district administrators or staff, can correct some of this information directly by logging into their service account.

Due to contractual confidentiality obligations, Zoom is not able to reply directly to requests from parents or students to correct their personal information stored in the system. As such, if a student or parent wishes to correct their personal information within the Zoom system, they should send a request to the school district, who can then contact Zoom to fulfil the request.

School District

<For example: check that the information from the application was obtained and recorded by the enrolling teacher and that there are matching secure duplicate records in the district-approved student information system.>

19. If you answered “yes” to question 17, do you have a records retention and/or disposition schedule that will ensure that personal information is kept for at least one year after it is used in making a decision directly affecting an individual?

Zoom

Zoom states that they retain personal data for as long as required for the purposes identified in their privacy policy. As stated in section 10.2 of the MSA, Zoom will provide Customer access to retrieve Customer Content for thirty days following expiration or termination of the agreement. After this time Customer Content will be deleted according to Zoom’s regularly scheduled deletion protocols.

School District

<If you do not yet have a schedule, please document how these records will be kept until the schedule is in place. Please describe retention schedules that apply where retention exceeds the one-year requirement of FIPPA.>


Part 5 – Further Information

20. Does the initiative involve systematic disclosures of personal information? If yes, please explain.

No.

Please check this box if the related Information Sharing Agreement (ISA) is attached. If you require assistance completing an ISA, please contact your privacy office(r).

21. Does the program involve access to personally identifiable information for research or statistical purposes? If yes, please explain.

No.

Please check this box if the related Research Agreement (RA) is attached. If you require assistance completing an RA please contact your privacy office(r).

22. Will a personal information bank (PIB) result from this initiative? If yes, please list the legislatively required descriptors listed in section 69 (6) of FIPPA. Under this same section, this information is required to be published in a public directory.

<A personal information bank means a collection of personal information that is organized or retrievable by the name of an individual or by an identifying number, symbol, or other particular assigned to an individual. Text below provided as an example, to be customized by school district to reflect their circumstances.>

The creation of Zoom user accounts constitutes a personal information bank within the meaning of section 69 of the Act, and reference to it will be included in the School District Personal Information Directory.

Title: Zoom User accounts
Description: Names, email addresses and other account information of Zoom Users in School District ##
Location: Zoom’s AWS Instance in Montreal, Canada
Authority: Section 26(c)
Purposes: Online video classes, meetings and collaboration
Authorized Users: Teachers, school staff, students and other district-approved users

Please ensure Parts 6 and 7 are attached to your submitted PIA.


Part 6 – Privacy Office(r) Comments

This PIA is based on a review of the material provided to the Privacy Office(r) as of the date below. If, in future any substantive changes are made to the scope of this PIA, the school district will have to complete a PIA Update and submit it to the Privacy Office(r).

Privacy Officer/Privacy Office Representative

Signature Date


Part 7 – Program Area Signatures

Program/Department Manager Signature Date

Contact Responsible for Systems Maintenance and/or Security (Signature not required unless they have been involved in this PIA.)

Signature Date

Head of School District, or designate Signature Date

A final copy of this PIA (with all signatures) must be kept on record.

NOTE: If you have any questions, please contact your school district’s privacy office(s) or call the OCIO’s Privacy and Access Helpline at 250 356 1851 or email [email protected].


Appendix A – Security and Privacy Best Practices when using Zoom

The following practices help protect the privacy of users and the security of online video meetings conducted over Zoom, including preventing uninvited participants from joining a meeting.

Lock online sessions

Once a Zoom meeting has started, hosts can prevent any further participants from joining by clicking “Participants” at the bottom of the Zoom window, then clicking the “Lock Meeting” option.

Limit screen sharing

By default, screen sharing is set to “Host Only.” Hosts can retain this setting, and only allow sharing by participants when necessary, for example when students are presenting a project to a class.

Use a waiting room

Waiting rooms allow hosts to review who is in the waiting room before the meeting begins and identify any potential unauthorized attendees. Meeting participants who are in a waiting room can be admitted to the meeting individually or all at once. (As of March 31, the Waiting Room feature is activated by default.)

Restrict chat

Disabling the in-meeting chat function prevents meeting participants from sending private messages, which could contain personal information, to each other during the meeting.

If the chat function is left available, the host can disable the auto-save option for chats.

Remove participants

If an unauthorized participant is identified in a meeting already in progress, the host can remove this participant by hovering over their name and selecting the “Remove” option.

Do not allow removed participants to rejoin

Hosts can disable the option that allows previously removed meeting participants to rejoin.


Far end camera control

Hosts can disable the option that allows another user to take control of the host’s camera during a meeting.

Settings when scheduling a meeting

When scheduling a meeting, the host can use the following settings to enhance security:

- Require registration for meetings
- Use a random meeting ID (which changes for each different meeting) instead of a Personal Meeting ID (which is persistent over time)
- Add a meeting password (and only share it with invited participants over a secure, private channel)
- Allow only authenticated users to join
- Restrict participants from joining before the host (preventing the possibility of discussion and sharing of personal information within a meeting environment that is not supervised by a host)
- Disable annotation to prevent participants from adding notes to the shared screen.

Find further details about best practices for use of Zoom in schools, along with links to instructions, on Zoom’s website here: https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/


Appendix B – Sub-processors - Information current as of June 04, 2020

It is possible to sign up to receive updates about new subprocessors by completing the form at the bottom of this webpage: https://zoom.us/subprocessors.

| Category | Subprocessor | Description | Location |
|---|---|---|---|
| | SalesPeople.ai | CRM updater | United States |
| Success and Support | Sendgrid by Twilio | Transactional email provider | United States |
| Success and Support | Task US | Billing and technical support | Philippines |
| Success and Support | KMC Solutions | Billing and technical support | Philippines |
| Success and Support | Forethought | Automated customer support response tool | United States |
| Success and Support | ADA Inc | Support chat bot | United States, Canada |
| Success and Support | Zendesk | Cloud-based customer service platform | United States |
| Success and Support | Wootric | Customer survey platform | United States |
| Success and Support | Totango | Customer "on-boarding" tool and customer experience tracker | United States |
| Success and Support | Answerforce | Answering service for customer support | United States |
| Success and Support | Rocket Science Group, LLC | Meeting notification email provider (Mandrill) | United States |
| Success and Support | Five9 | Call center software | United States |
| Success and Support | EPS Ventures | Technical support and billing support | Malaysia |
| Success and Support | WKJ Consultancy | Technical support and billing support | Malaysia |
| Relationship Management | Salesforce | CRM platform | United States |
| Billing | Stripe | Payment gateway | United States, E.U. |
| Billing | CyberSource | Payment management and fraud detection system | United States |
| Billing | Adyen | Payment management and fraud detection system | Europe |
| Billing | Zuora | Subscription management, automated billing and collections | United States |
| Infrastructure | Amazon Web Services | Cloud infrastructure | United States, E.U., Canada, Australia |
| Infrastructure | Oracle America, Inc. | Cloud infrastructure provider for free accounts | United States |
| Infrastructure | Bandwidth | Infrastructure for Zoom Phone 911 | United States |
