Whilst video-conferencing via Zoom or Teams etc has allowed us to carry out our business relatively uninterrupted, they have also presented organisations with a new set of privacy considerations to take into account, writes Bronwen Jones.
2020 has forced us all to adapt to the increased use of technology to facilitate meetings. These include disciplinary process, general meetings and interviews, some of which you may want to record for your internal record keeping.
Zoom (or your similar chosen platform) permits recording of meetings to be saved for later or shared with others. To ensure that you can take advantage of this function in a compliant manner, we have set out below some key data protection considerations that will need to form part of your preparation process, prior to pressing record.
The GDPR will apply
When you record a video meeting you will be collecting personal data. This means that your organisation will be the data controller for this data, and will need to comply with Article 5 of the GDPR. This includes ensuring that you collect only what you need, the recording is stored securely and access is limited, and that the recording is processed lawfully, fairly and in a transparent manner. All of the principles that apply to personal data will apply to the recording, and you need to be able to demonstrate that you complied with all of them in order to carry out the recording lawfully.
1. Do you need a Data Protection Impact Assessment (DPIA)?
Recording of a video meeting is likely to be seen by participants as particularly privacy intrusive - especially if they are in their home environment. Therefore, whilst it is unlikely that this is something that would legally require you to carry out a DPIA, we recommend documenting a mini-assessment of the reasons for recording, the risks / harm, how you intend to mitigate those risks, and how you will ensure compliance with the GDPR. Consider whether there is a less intrusive means of achieving the same aim. Is it necessary to record the meeting and store the recording? If it is not necessary to record the meeting we suggest that you do not use this function.
2. What do you need to tell the individuals on the video call?
Transparency is also important. Unless there are particular reasons why you cannot notify individuals about the recording, consider in advance how you will provide the information required by GDPR. This includes information about purposes of processing, retention periods and lawful bases. You must provide this information at the point that data is collected (ie at the start of the video conference).
It would be impractical to provide all of this at the start of every meeting, and instead we recommend including this information in your privacy notice, and simply drawing the individual's attention to the notice at the start of the meeting.
You will also need to let them know that the video is being recorded. If you are relying on consent as your lawful basis then it will be at this point that you ask for consent from the individual to record the meeting.
If you are not relying on consent (and we recommend that you do not rely on consent as your lawful basis), then you will likely be processing the data for your legitimate interests, and you should identify this as your lawful basis in the privacy notice.
If you will not be collecting consent, there is no need to ask the individual if it is ok to record the meeting, instead you should tell them that you are recording, and allow them to object if they wish.
3. Other considerations
In order to demonstrate that you are processing the information lawfully and fairly your obligations also extend to:
- keeping the recorded data secure
- retaining the data for no longer than necessary
- providing the individual with a right to access, rectify or erase the data
Recording meetings covertly or in contravention of the principles outlined above may lead to a complaint from an individual about the way their personal data has been treated.
To avoid falling foul of your data protection obligations we recommend taking the following steps:
- Carry out a mini-DPIA/risk assessment to demonstrate that you have considered the risks and potential harm in carrying out the recording, and how you will mitigate those risks.
- Add suitable wording to privacy notices. This should cover your intended use of the information, as well as identifying the appropriate lawful basis that you will be relying on.
- Include in a staff handbook and work policies details of the recording of video-conferences and the purpose of such recordings.
- Train all staff who will be responsible for conducting meetings that may be recorded to ensure that they know how to carry out the meeting lawfully.
- Keep records of decisions to demonstrate how you are complying with the GDPR when recording meetings.