Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.igpolicyteam@nhs.net.

Video conferencing with colleagues

video conferencing.jpg

Published: October 2020

Updated: August 2023

Staff working in health and care organisations need to be able to communicate with each other whilst working remotely. We encourage the use of video conferencing software to support communications. 

This advice sets out the information governance considerations when staff are using video conferencing (VC) tools to communicate with other members of staff. It does not cover the use of these tools for patient and clinician interactions, or the usage of these tools for any other purposes. Here is advice on using video conferencing with patients and service users.

Also available are answers to common questions on recording Microsoft Teams meetings.



Guidance for patients and service users

It is important to those working in health and care organisations to effectively communicate with each other. This guidance provides advice to staff on how they can use video conferencing tools safely and securely.


Guidance for healthcare workers

Microsoft Teams can be used for meetings between colleagues, which this news announcement explains. You may also use other tools but you should check with your own organisation that they have carried out the appropriate risk assessments.

When using video conferencing tools there are some steps you can take to make it as safe as possible:

  • ensure that you update the software frequently for any tool you use
  • ensure meetings are password protected - otherwise uninvited attendees may be able to join or disrupt your meeting
  • be aware of privacy settings in any software you use - for example using the default ‘private’ setting within Microsoft Teams rather than changing to ‘public’
  • hold people who have joined the conference in a waiting area until you have verified their identity
  • be aware of phishing risks with links/attachments in video chat.

If you need to share personal/confidential patient information during your video call you should apply the same principles you would at any other time. This is in addition to the steps set out above.


Guidance for IG professionals

There are a number of video conferencing software tools available to use during this time. NHS England has assured the use of Microsoft Teams as a secure video conferencing tool.

Other conferencing tools (e.g. Zoom, Webex) are not assured nationally. This does not mean they should not be used, but it is important to note that it is an organisation’s own responsibility to perform risk assessments on any products that are used. Guidance issued by the National Cyber Security Centre (NCSC) may be used to support your decision making.

The key considerations include: 

  • Where is the app sending the data?
  • Are video calls encrypted end-to-end?
  • Are people able to record meetings (with third party software) freely without authorisation from the host?
  • Are there paid options for video conferencing services that offer enhanced security or privacy features?

You should review your video conferencing arrangements when the outbreak is over e.g. the video conferencing tool you are using during the outbreak may not be the right tool for the job in the long term.

Personal/confidential patient information and video conferencing

If your organisation is going to share personal/confidential patient information during video conferencing in ways not already covered by an existing Data Protection Impact Assessment (DPIA) then a short high level DPIA should be carried out, as required under the UK GDPR/DPA 2018. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. The Information Commissioner’s Office (ICO) has produced guidance on carrying out DPIAs and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.

video conferencing.jpg