“I’m pressing record” – Zoom, Teams and recording meetings
The increased use of video conferencing to deliver outward facing services and manage internal office work has led to several data protection questions.
The same…but with important differences
In some ways, a recording of a Zoom or Teams meeting is no different than a traditional, face to face meeting.
People have always made notes, which could state who said what to whom. And it was possible for note taking to become almost verbatim (hands up who remembers shorthand?)
These notes therefore contained personal data: information about people.
- Someone’s opinion about a work matter.
- Someone saying something about a colleague in a work context.
- Someone saying something about a client.
And on some occasions, an audio recording was made – primarily when it was felt necessary to capture everything said, so that a full note could be transcribed and stored as a record of the meeting.
The main differences now come from:
- The completeness of the recording (nothing is missed).
- There being one recording (not multiple sets of notes, which may contain different interpretations of what was said).
- The recording capturing not only what was said, but the non-verbal detail (e.g. tone of voice; whether someone was talked over; facial expressions and gestures).
- The ease with which recordings can be made.
This means that several data protection and privacy issues should be considered before you press record.
The first question is: for what reason are you recording the meeting?
Is it to ensure you have a full, accurate record of what was said, by whom, for a business/service delivery/governance reason? Or will the recording be transcribed, meaning that the recording is a temporary step leading to the transcribed notes?
The potential consequences…
If people know they are being recorded, they may react and contribute differently.
It may improve some peoples contribution and the general flow of the meeting. Or it may make someone reticent, less likely to share.
For example, a client might be less likely to open up to a counsellor about a personal experience. A recording can therefore affect the nature and/or quality of the counselling provided.
The potential alternatives
With what you are seeking to achieve, and the potential consequences in mind, consider whether alternatives to a recording are sufficient.
For example, would;
- Enabling people to turn off their cameras – so that their physical expressions are not recorded, only their audio – reduce any potential negative impact you’ve identified?
- Would an accurate, contemporaneous set of notes of the session be sufficient? Especially if these are shared soon after the session, and the participants are invited to suggest any amendments.
Be honest and transparent
If you are clear that a recording is needed, then the following should be considered;
- The participants will not have a genuine choice about whether they want to be recorded, so don’t pretend or imply they do.
- Asking people, in front of everyone else, whether they “consent” to the recording does not therefore achieve anything.
- You should tell them you are recording, and why.
- Your lawful basis for processing is the legitimate interests condition – i.e. you have a clear legitimate interest in processing the personal data (the audio and visual recording) and don’t believe this unfairly or unduly harms the rights and interests of the people being recorded. You’ve filled your legitimate interests assessment for audit trail.
- If someone wishes to object (as is there right, i.e. to challenge your reliance on legitimate interests) then you should handle that objection.
- Remind people that the session is being recorded, and they could communicate information via another channel (outside the meeting) if they believe they need to. For example, staff wishing to discuss / raise a personal, private matter.
- To ensure the meeting can start and run on time, people should be informed of your default position on recordings beforehand. For example, set a clear policy on recordings, and give staff/clients the ability to raise objections.
If the option to record is just that, a genuine option, then you can seek consent:
- Ask before the meeting, separate to the meeting (so there’s no peer pressure to agree, with the result that the consent is genuinely freely given).
- And if someone does not consent, then the recording should not occur.
Security and ownership
Once the recording has been made, your organisation is the Data Controller responsible for the personal data contained within the recording.
- The recording becomes just like any other format in which information and personal data are generated and stored during the daily operation of your organisation.
You need to ensure appropriate security is applied to the recording.
- Make sure it is saved in the appropriate location where only those who have a business need to access it can access it.
- And if it’s to be used as the source for transcription only, make sure it is deleted once this has happened and been reviewed and confirmed as a fair and accurate transcription of the session.
“That meeting sounded interesting; can I see the recording?”
People who couldn’t attend the meeting will know it was recorded and might ask to see the recording.
This is a question of governance and need, as is any internal request to access information: does the person asking have a business need to view the recording?
- Would the attendees expect the person to see the recording, e.g. would the personal normally have attended the meeting?
- Or are they from an unrelated department or team, who would not normally access the information generated by the meeting?
Subject Access Requests (SARs)
People who attended might submit a SAR for a copy of their personal data.
It is worth remembering that the right of access to personal data is not a right of access to specific documents; the right of access is therefore to the personal data contained in the recording, not the recording itself.
- You may therefore be able to satisfy the request by providing the relevant extracts (i.e. that relate to the requester) as transcripts.
- However, this would not capture the “non-verbal” elements of the recording (the tone of voice; facial expressions and gestures) which might, in some cases, be very important to the requester.
As always, the context in which the personal data was recorded, and the legitimate expectations of any third parties, must be considered if the requester…
- Was present during the recording, then the other participants know that what they said was said in front of the requester and was recorded – they should therefore have a low expectation that what they said about the requester would remain confidential.
- Was not present during the recording, then the participants might have some expectation that what they said about the requester would remain confidential.
In both cases, any concerns other parties have about the potential disclosure personal data considered when deciding whether to apply any exemptions.