When we come to reflect on this extraordinary year, it will seem remarkable just how swiftly many organisations were able to adapt to remote working. But while Zoom, Teams and their ilk are very much the pandemic’s success story, they have presented us with some novel privacy considerations. Not least is the ability of some video conferencing platforms to record meetings as an aide-memoire or to share with others.
While many have found this functionality invaluable, as soon as you press record you begin to collect personal data. As the host of the meeting, you will be the “data controller” within the meaning of the General Data Protection Regulation (GDPR), and this requires you to comply with Article 5. This means:
- collecting only the data you need;
- ensuring the recording is stored securely and access to it is limited;
- processing the recording lawfully, fairly and in a transparent manner.
But how does that translate in practice? Here, we set out some key considerations to help you remain GDPR compliant.
Is the platform provider GDPR compliant?
Do you really need to record the session, and if so, how do you plan to use the data?
Do you need a formal Data Protection Impact Assessment (DPIA)?
Participants may see your recording of the meeting as intrusive, particularly if they are at home. So, while it is debatable whether a DPIA is a legal requirement here, it is probably worth documenting:
- the reasons you are recording the meeting;
- the perceived risks or harm involved and how you propose to mitigate those; and
- how you will ensure compliance with GDPR.
What do you need to tell participants at the start of the meeting?
You must be able to actively justify the lawfulness of recording the meeting by demonstrating that the purpose fulfils one of the conditions in Article 6. However, whatever your basis for the recording, it is good practice to request participants’ verbal consent to do so.
Not every participant will be as tech-savvy as you, so it is worth reminding them that:
- if they turn on their camera their image will be visible to other participants and recorded;
- depending on their settings, personal information may be available to other participants;
- if they share their screen, any information it contains will be visible to other participants and recorded.
Your duty to process data lawfully and fairly
To demonstrate that you are meeting your obligations to process data lawfully and fairly, you should:
- store the recording securely; and
- retain the recording and data for no longer than absolutely necessary; and
In summary, you should:
- Include in your work policies and staff handbook your policy on the recording of video-conferences. In addition, have all staff who may conduct such meetings received training in how to carry out the meeting lawfully?
- Carry out a mini-DPIA to demonstrate that all potential risks have been considered and how those risks will be mitigated.
- Keep records of your decisions to record meetings so that you can demonstrate you are complying with GDPR.
- Ensure compliance with your obligation to process data lawfully and fairly.