The Church of Scotland

Using Zoom in the current crisis

Phone lying on laptop keyboard with start meeting on screen

How to safely use Zoom to communicate during the Coronavirus lockdown.

Important points to note:

  • Zoom conferences and sessions should not be recorded
  • Please use the settings outlined below to ensure your meeting is secure
  • Contact Allan Simpson, the Church of Scotland's Data Protection Officer, if you have any questions

Introduction

Zoom is a useful tool, allowing the local work of each congregation to continue “virtually” online. This has become increasingly important in recent weeks when it comes to Kirk Sessions and Presbyteries continuing their ability to make decisions.

However, we cannot ignore that there have been security concerns noted in the media, together with situations we have been able to create whilst testing the Zoom app and updates from Zoom themselves. Thankfully, Zoom themselves have changed their default policies to stop a number of the concerns occurring in the first place but if Church of Scotland congregations or departments are to continue to use Zoom they should do so in the safest way possible. This document has therefore been devised to support that and you are encouraged to follow these instructions on how to set up a meeting.

Recording meetings

It is vital that when we set up a Zoom conference for church matters those "attending" the meeting know to what extent they will be participating. For example, most people will know that their voice will be heard; for most attending they will be happy to have their video profile shown during the conference. But there might be a number of participants who do not wish their voice or video image recorded. Therefore, to comply with regulations we advise in the strongest possible terms that you should not record Zoom conferences or sessions. We have provided more technical information on why this is important towards the end of the document.

Zoom Conferences pre-scheduled prior to 4th April 2020

Zoom have recently updated their privacy settings to ensure that people need a password to join (if they are using the meeting ID) and automatically join a waiting room to be "admitted" to the meeting. If you have scheduled a conference before 4th April 2020 to take place sometime in the future you should ensure that your participants know the password and that you turn the waiting room option on in your settings (see instructions below)

Simple steps

If you follow the steps below when setting up a Zoom conference, then you will be creating your meeting space in as secure an atmosphere as you can on Zoom. A PDF version is available for download if you would like to have this guide by your computer to aid you in your preparation.

Zoom log-in page

Logging In

Log in to Zoom using an email address and password.

The advice to you is to avoid using Google or Facebook sign-in services.

Profile section

Calendar and Contact Integration: The advice is that calendar and contact integration using the Outlook Plugin or Chrome extension should not be used if it can be avoided.

The reason for this is, at the time of writing, Zoom does not offer multifactor authentication (MFA or 2FA) and therefore your user account could be compromised as a result of a phishing email designed to steal your user credentials. If this happens, there is no way to prevent unauthorised access to your Outlook or Gmail contacts lists. Remember, in the context of the Church of Scotland, this can mean unauthorised access to Special Category data.

Meetings section

Zoom meetings options
In this section, please make sure your Meetings are prepared with the following settings:

Meeting ID: GENERATE AUTOMATICALLY

Require Meeting Password: ENABLED (then choose your own password)

Waiting Room: ENABLED

Video: Host – ON, Participant OFF

Audio: BOTH (to allow users who are using a telephone to participate) or COMPUTER ONLY.

Meeting Options

Enable join before host: OFF/UNCHECKED

Mute participants upon entry: ENABLE/CHECK for broadcast type sessions.

Enable waiting room: ENABLE/CHECK

Record the meeting automatically on the local computer:  DISABLE/UNCHECK

Schedule a meeting screen

My Meetings/Previous Meetings

If you have held meetings previously and recorded them, they will be logged here. It is important that if a meeting is recorded it is only retained for the shortest possible period of time and then permanently deleted. Note that when you delete it from this screen, the recording is still available in the “Recently Deleted” page for seven days.

Recordings

Zoom recordings screen

Local Recording:  OFF

Hosts can give participants the permission to record locally: OFF/UNCHECKED

Automatic Recording: OFF

If meeting must be recorded: Recording Disclaimer ON

Ask participants for consent when a recording starts: ON/CHECKED

Ask host to confirm before starting a recording: ON/CHECKED

Multiple audio notifications of recorded meeting: ON

Telephone

For some of our elders and participants it is not possible to access the internet. Care should be taken when using the telephone option and you should ensure that international callers cannot call (unless you have specific need for this to be switched on, for example an elder overseas on business after this crisis is over)

Show international numbers link on the invitation email: OFF

Mask phone number in the participant list: OFF

Settings

Zoom settings screen

Host video

Start meetings with host video on:  ON

Participants video

Start meetings with participant video on. Participants can change this during the meeting: OFF

Audio Type

Determine how participants can join the audio portion of the meeting. When joining audio, you can let them choose to use their computer microphone/speaker or use a telephone. You can also limit them to just one of those audio types. If you have 3rd party audio enabled, you can require that all participants follow the instructions you provide for using non-Zoom audio:  TELEPHONE AND COMPUTER AUDIO

Join before host

Allow participants to join the meeting before the host arrives: OFF

Use Personal Meeting ID (PMI) when scheduling a meeting

You can visit Personal Meeting Room to change your Personal Meeting settings: OFF

Use Personal Meeting ID (PMI) when starting an instant meeting: OFF

Only authenticated users can join meetings from Web client

The participants need to authenticate prior to joining meetings from web client: ON

Require a password when scheduling new meetings

A password will be generated when scheduling a meeting and participants require the password to join the meeting. The Personal Meeting ID (PMI) meetings are not included: ON

Require a password for instant meetings

A random password will be generated when starting an instant meeting: ON

Require a password for Personal Meeting ID (PMI): ON

Only meetings with Join Before Host enabled: CHECKED

All meetings using PMI: UNCHECKED (unless you are using PMI)

Embed password in meeting link for one-click join

Meeting password will be encrypted and included in the join meeting link to allow participants to join with just one click without having to enter the password:  ON

Require password for participants joining by phone

A numeric password will be required for participants joining by phone if your meeting has a password. For meeting with an alphanumeric password, a numeric version will be generated:  ON

Mute participants upon entry

Automatically mute all participants when they join the meeting. The host controls whether participants can unmute themselves:  ON

Upcoming meeting reminder

Receive desktop notification for upcoming meetings. Reminder time can be configured in the Zoom Desktop Client:  OFF

In Meeting (Basic)

Require Encryption for 3rd Party Endpoints (H323/SIP): ON

Zoom requires encryption for all data between the Zoom cloud, Zoom client, and Zoom Room. Require encryption for 3rd party endpoints (H323/SIP).

Chat

Allow meeting participants to send a message visible to all participants:  ON

Private chat

Allow meeting participants to send a private 1:1 message to another participant:  ON

Auto saving chats:  OFF

Play sound when participants join or leave:  ON

Heard by host and all attendees: CHECKED

Heard by host only: UNCHECKED

When each participant joins by telephone

Record and play their own voice: UNCHECKED

File transfer: OFF

Feedback to Zoom: OFF

Display end-of-meeting experience feedback survey: OFF

Always show meeting control toolbar: ON

Show Zoom windows during screen share: OFF

Screen sharing: ON

Who can share?

Host Only: CHECKED  All Participants:  UNCHECKED

Who can start sharing when someone else is sharing?

Host Only: CHECKED   All Participants:  (should not be available)

Disable desktop/screen share for users:  ON

Annotation: OFF

Whiteboard: OFF

Remote control: OFF

Nonverbal feedback: OFF

Allow removed participants to rejoin: OFF

Allow participants to rename themselves: OFF

In Meeting (Advanced)

Breakout room: OFF

Remote support: OFF

Closed captioning: OFF (if you want to use this, you can change this setting)

Save Captions: OFF

Far end camera control: OFF

Virtual background: You should consider switching to OFF as part of your defence against Zoombombing

Identify guest participants in the meeting/webinar: ON

Participants who belong to your account can see that a guest (someone who does not belong to your account) is participating in the meeting/webinar. The Participants list indicates which attendees are guests. The guests themselves do not see that they are listed as guests.

Auto-answer group in chat: OFF

Enable users to see and add contacts to 'auto-answer group' in the contact list on chat. Any call from members of this group will be automatically answered.

Only show default email when sending email invites: ON

Allow users to invite participants by email only by using the default email program selected on their computer

Use HTML format email for Outlook plugin: OFF

Allow users to select stereo audio in their client settings: ON

Allow users to select stereo audio during a meeting: ON

Allow users to select original sound in their client settings: ON

Allow users to select original sound during a meeting: ON

Waiting room: ON

Attendees cannot join a meeting until a host admits them individually from the waiting room. If Waiting room is enabled, the option for attendees to join the meeting before the host arrives is automatically disabled.

Show a "Join from your browser" link: ON

Allow participants to bypass the Zoom application download process, and join a meeting directly from their browser. This is a workaround for participants who are unable to download, install, or run applications. Note that the meeting experience from the browser is limited

Email Notification

When attendees join meeting before host: ON

Notify host when participants join the meeting before them (this shouldn’t happen if waiting room is selected correctly)

When a meeting is cancelled: ON

Notify host and participants when the meeting is cancelled

Other

Blur snapshot on iOS task switcher: ON

Enable this option to hide potentially sensitive information from the snapshot of the Zoom main window. This snapshot display as the preview screen in the iOS tasks switcher when multiple apps are open.

GDPR and Recording

At the start we stated that it is important that conferences are not recorded. Along with the fact that people ought to give their permission in advance for such a recording to take place, there is some concern over the creation and storage of recordings of video sessions. Data subjects (conference participants) involved in such recorded sessions have rights over the processing of their personal data. For Congregations and departments to be able to uphold those rights as Data Controllers, there must be both accountability for, and transparency about the recordings themselves. Each data controller is responsible for knowing and administrating the purpose of all recorded sessions, the retention period and disposal method of all recordings.

If a Data Subject Access Request (DSAR) is received after the current crisis is all over, each Data Controller (congregation, presbytery and department) is responsible for complying with the rights invoked by data subjects. If, as a data controller, you don’t know where the recordings of a video session are, or you are unable to prove they have been destroyed, that will be no defence as far as the regulator is concerned.

Finally

We understand the need for the business of the Church to continue for the duration of the current crisis and by setting up Zoom conferences in with the settings contained in this page will allow you to have as much confidence as we can ever have that we have ensured the safety of all participants and upheld their rights. By applying these simple measures (and if followed step-by-step when setting up a conference they are simple!) we will likely avoid our own mini-crisis in a year’s time.

If you have any questions please feel free to contact Allan Simpson, Data Protection Officer.