Guidance for Data Protection for COVID-19 Operations
To ensure the protection of personal identifiable information and personal health information and to meet privacy regulation requirements (such as FERPA, HIPAA and GDPR), special care needs to be taken when using virtual meeting, event or collaboration platforms (“virtual tools and technologies”).
The Privacy Office and GW IT Security offer the following guidance to minimize risk of personal data/information disclosure while using virtual tools and technologies.
Faculty and Staff should only use virtual tools and technologies that have university approved contracts. These contracts contain the required terms and conditions and the tools have been configured with security and privacy protections. To protect non-public data, virtual tools and technologies should be integrated with GW Single-Sign On or two-factor authentication as well as have the capability for event-specific password protection, encryption and attendance control.
It’s anticipated that other virtual tools and technologies may be desired and should be implemented only after the required security and privacy assessment and a university contract has been completed. In absence of a contract, virtual tools or technologies should not be used for any activity where non-public data will be shared due to the risks presented for information security and data protection.
More information can be found on the GW COVID-19 remote work, virtual learning and FAQ pages.
To minimize risk of disclosure or breach of non-public data, these guidelines and best practices apply to virtual tools and technologies for administrative operations and virtual learning:
- Non-Public Meeting Room: If the virtual event will contain content that is sensitive or includes any personal identifiable information (PII or PHI), a non-public meeting room should be used. A non-public meeting room is one where a one-time password or access code for entry into the meeting room is required; End to end encryption is strongly recommended. All available encryption and privacy modes should always be enabled. Do not record the virtual meeting unless it’s absolutely necessary (e.g. for purposes of records retention or asynchronous learning.) If the meeting is recorded for asynchronous learning purposes, the recording must not be shared outside of the class roster without student consent.
- Public Meeting Room: If the content will not include any personal identifiable information (deidentified PII or PHI or general administrative or academic content), a public meeting room can be used. For example, a Webex personal room is a public meeting room unless a password has been enabled.
The following guidance applies to both non-public and public meeting rooms:
- Use a 'green room' or 'waiting room' to allow the meeting to begin only after the host joins.
- Monitor attendees through a dashboard – identify all generic attendees before meeting begins (e.g. Caller X). The host should pay attention to all new/late arriving attendees and ask them to identify themselves. An unauthorized attendee should be expelled or the meeting room may be locked once in progress to prohibit others from joining.
- Before anyone shares their screen, files or other content, remind them not to share sensitive or personally identifiable information during the meeting inadvertently.
For telehealth activities:
HHS has issued a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. It is understood that some GW Clinics may seek to operate limited telehealth activities during the university’s COVID-19 operating status. When using virtual meeting applications to provide services, all state licensing requirements and regulations for health professionals must still be met. If virtual meeting applications will be used for telehealth activity, they must be through a non-public meeting room. This requires the use of a one-time password or access code for entry into the meeting room. End to end encryption is strongly recommended. All available encryption and privacy modes should always be enabled. Telehealth virtual meetings can only be recorded if written consent is collected from clients prior to a recording session. Clients should be notified that the use of third-party applications may introduce potential privacy risks.
For privacy assistance:
GW Privacy Office
- Email [email protected]
For technical assistance:
GW IT Support Center
Instructional Technologies Lab (ITL)
- Phone: 202-994-0485 or [email protected]
School IT and Instructional Design Support teams
- Contact your department or school for school-specific support options.
- COVID-19 Data Protection Guidance
- Our Goal
- Our Services
- Privacy Regulations
- Privacy Policies
- Data Subject Requests
- Report a Data Incident or a Privacy Concern
- Data Management
- Records Management
2013 H Street, NW
Washington, DC 20006