We have received many requests for guidance on using electronic media for carrying out online interviews and focus groups and whether or not they are safe and appropriate. The University’s preferred platform is Skype for Business, but it is, of course, acknowledged that study participants will, in most cases, have no access to this or to alternatives such as Microsoft Teams.
It is likely that most people outside the University will have access to other media, such as WhatsApp, Zoom, WebEx or similar. Some of these have been criticised for security failings which, according to reports, have been addressed, but they are not supported or endorsed by ISD.
The University’s advice is that if you are using these platforms you should proceed with caution in line with guidelines from UK National Cyber Security Centre.
Participants should be encouraged to be as discreet as possible, not to name others in conversations and to impart as little as possible of a personal, confidential or sensitive nature. You are encouraged to make a copy of any recorded conversation and save it to a secure place in accordance with ISD guidance, such as your University Office 365 cloud storage, then to delete the original recording. Skype and Zoom both allow this and state that the deletion from their servers is permanent. Other (mobile) applications might allow recordings to be made and deleted but the process is often more complicated or might require you to use a separate device to make the recording. WhatsApp, for example, offers end-to-end encryption and does not record conversations between participants, so you would need to use a standalone voice recording device to record.
In particular meeting information should be not displayed on public forums or web pages but sent direct to participants and best practice security features available in these platforms should be followed.
A privacy notice indicating that recording is about to commence and request for any objections from participants should be issued at the start of each meeting.
Please also note that if you are collecting personal identifying information from participants, this is governed by GDPR and the Data Protection Act 2018. The University, as Data Controller, is responsible for any such data and you must treat it as though you were in the workplace under normal circumstances by maintaining confidentiality and storing it in or transferring it as soon as possible to appropriate safe storage.
For specific advice on GDPR and Data Protection matters please contact the Data Protection Officer or the dedicated GDPR email address.