VIRTUAL MEETINGS AND DATA BREACHES – Timothy Opurum, Esq.
Introduction
Among other things necessitated by the outbreak of Covid-19 pandemic and the consequent stay-at-home order of the various governments of the world is the rapid and unmitigated use of virtual connections by businesses to cushion the already hazardous effects of the pandemic on their economic wellbeing. Non-profit organizations including religious institutions have been horrendously hit by the pandemic, leaving them no choice than to adopt virtual connections as their new modus operandi.
Definitions
It may not be wrong if one opines that the opposite of a physical meeting is the virtual meeting. Physical meeting entails expected participants of a scheduled meeting physically coming together in a physical venue, such as meeting halls, conference rooms etc. for a meeting.
What then is a virtual meeting?
By way of common definition, virtual meeting is said to be the coming together of people, regardless of their location, using video, audio and text to link up online thereby allowing the sharing of information and data in real-time without being physically located together.
Virtual Meetings and Data Processing
The consequence of these virtual meetings or connections is the heavy dependence they place on data collection. In recent time, since the outbreak of the deadly pandemic, the internet space has been awash with tremendous rise in data collection as result of the current traffic on virtual meetings. Organizations as well as individuals now conduct virtual meetings where they host online workshops, conferences, professional engagements using various webinar platforms such as Zoom, Whatsapp, Facebook and very many other platforms that enable virtual connections. Religious organizations now host virtual worship services where members and anyone interested to connect may have to part with his or her data to be able to connect to the meeting; Schools and other providers of educational services also are leveraging virtual connections to remain a going concern. Professional bodies and associations are now making plans to tow the path of virtual connects to host their annual statutory conferences and meetings. For instance, the leadership of the Nigerian Bar Association (NBA) and the Christian Lawyers’ Fellowship of Nigeria recently proposed to host their annual national conference online with the aid of Zoom.
Should Personal Data Be Stored in Perpetuity?
Worthy of mention is that connecting to most of these online/virtual meetings requires interested participants to register and login with their vital data while some request interested participants to fill out their data in online forms (Google forms for instance) created for that purpose. Some of these forms fail to disclose why such data is collected, what it is to be used for and how long the host (the collector) intends to keep or store the data, and this is in utter disregard of the provision of the NDPR in regulation 2.13.6. For instance, it is the duty of the Data Controller (virtual meeting hosts) to state the duration of time within which personal data collected for the purpose of participating in the meeting will be stored by them?
By regulation 2.13.6, it is provided thus:
Prior to collecting personal data from a Data Subject, the Controller
Shall provide the Data Subject with the following information:
(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
(Underlining mine for emphasis)
Flowing from the above provision of the Regulation, it suffices to say that Data Controllers do not have the legal wherewithal to store personal data in perpetuity. There must be a time certain for the storing and usage of personal data which must be made known to the Data Subject.
How long should Virtual Meeting Hosts (VMHs) store personal data? Do they have the legal enablement to retain them further after the end of the meeting (for which such data is collected) without the outright or further consent of the Data Subject?
This writer answers the above question in the negative and states categorically that where there is no express consent or further consent of the Data Subject to continue storing or keeping his personal data, the VMH will become liable for data breaches if it (VMH) goes ahead to continue storing that data and using same for other purposes beside that meeting. Should the VMH require to keep the data longer than the duration and purpose for which the data was collected, then there is the need to seek and obtain the consent of the Data Subject, even if there is another scheduled meeting by the VMH requiring the participation of Data Subject.
VMHs Must Disclose Why They Need Participant’s Information
Furthermore, as part of a Data Subject’s rights, a Data Controller, is mandated, by Regulation 2.13.6 (b) of the NDPR 2019 to disclose to the Data Subject the purposes for which the personal data being processed are intended as well as the legal basis for the processing. For the avoidance of doubt, let me replicate the provision.
Prior to collecting personal data from a Data Subject, the Controller
Shall provide the Data Subject with the following information:
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
Many of these online registration forms created by VMH fail woefully to comply with the provision of the Regulation. This is an integral part of the Regulation and compliance to it is very paramount and non-excusable. A VMH must ensure it does not use Subject Data’s personal data for purposes other than that for which it was processed. That, I believe, is the rationale behind the compulsory disclosure. For instance, where a VMH obtains personal data for the purpose of a virtual meeting, it will be a breach of personal data to use same for the purpose of sending customized promotional messages. It will also be a breach of personal data if such a VMH transfers the data to another VMH for similar or other meetings without first obtaining the consent of the Data Subject. These kinds of breaches wantonly occur unabated.
Only Crucial Data should Be Processed by a VMH
So why should a VMH request certain information of the potential participant? How relevant is a person’s place of work to an unqualified invitation to participate in a virtual workshop? Why does a VMH require knowing my mother’s maiden name before I can be admitted to participate? Is my email address and other of my social media handles really relevant before I can be admitted to participate in a virtual programme? These are salient questions a VMH must answer before processing participant’s data. This is simply because a VMH will be held highly liable should there be any breach resulting therefrom. It is advisable to reduce the quantum of participant’s data you process as much as possible.
It becomes imperative to consider data privacy at this point. Whether solid security measures have been put in place to ensure the security of data collected by VMHs and the privacy of the participants at these meetings is another issue worthy of consideration. There is, no doubt, an increase in data and privacy breaches in recent time. Even some of the providers of these virtual meeting platforms are still grappling with the reality of how unsecure their facilities are. It was reported recently of how a church virtual meeting on Zoom was hijacked by porn promoters who took over and bombarded the meeting with videos of pornographic contents.
How secure are the emails collected for virtual meetings? How safe are the other information linked with my emails? How sure can I trust the VMH’s data and privacy protection security measures? Do they even have any?
In Conclusion
While it is expedient for us to embrace the new world order of living virtually, we must however not forget that security of our lives, property, images and the protection of individual and collective wellbeing is non-negotiable. The attendant dangers of living virtually cannot be quantified especially in developing countries like Nigeria where data and privacy protection are seemingly novel, one must therefore exercise caution with the kind of personal information he fills online.
