When we come to reflect on this extraordinary year, it will seem remarkable just how swiftly many organisations were able to adapt to remote working. But while Zoom, Teams and their ilk are very much the pandemic’s success story, they have presented us with some novel privacy considerations. Not least is the ability of some video conferencing platforms to record meetings as an aide-memoire or to share with others.
Article 5
While many have found this functionality invaluable, as soon as you press record you begin to collect personal data. As the host of the meeting, you will be the “data controller” within the meaning of the General Data Protection Regulation (GDPR), and this requires you to comply with Article 5. This means:
- collecting only the data you need;
- ensuring the recording is stored securely and access to it is limited;
- processing the recording lawfully, fairly and in a transparent manner.
But how does that translate in practice? Here, we set out some key considerations to help you remain GDPR compliant.
Is the platform provider GDPR compliant?
As platform providers are in precisely the same position as any online service you use to process personal data, you should already have a policy in place to deal with this. Focus in particular on the provider’s GDPR statement and/or privacy policy. What do they say they will do with your recordings and data? As the major platforms are based outside the EU, what are their stated protections to ensure compliance with EU standards?
Do you really need to record the session, and if so, how do you plan to use the data?
Ask yourself whether there is a less intrusive approach to achieve the same aim. If the meeting must be recorded, you should decide how the data that you will be processing from the session will be used. Consider the GDPR implications carefully. Remember, providing this information to attendees via your privacy policy will not in itself be sufficient – it must also be signposted to them. An easy way of achieving this is through the meeting invitation, which will also enable you to provide a link to the policy.
Do you need a formal Data Protection Impact Assessment (DPIA)?
Participants may see your recording of the meeting as intrusive, particularly if they are at home. So, while it is debatable whether a DPIA is a legal requirement here, it is probably worth documenting:
- the reasons you are recording the meeting;
- the perceived risks or harm involved and how you propose to mitigate those; and
- how you will ensure compliance with GDPR.
What do you need to tell participants at the start of the meeting?
Attendees must be informed of all of the information required by GDPR at the point the data is collected, ie at the start of the meeting. But they are unlikely to thank you for a rambling discourse on privacy and data protection. As this information should already be in your privacy policy – which should have been signposted to them in advance – you should draw their attention to it verbally. If they indicate they have not read it or wish to re-read it, offer to adjourn the session for a few minutes to enable them to do so.
You must be able to actively justify the lawfulness of recording the meeting by demonstrating that the purpose fulfils one of the conditions in Article 6. However, whatever your basis for the recording, it is good practice to request participants’ verbal consent to do so.
Not every participant will be as tech-savvy as you, so it is worth reminding them that:
- if they turn on their camera their image will be visible to other participants and recorded;
- depending on their settings, personal information may be available to other participants;
- if they share their screen, any information it contains will be visible to other participants and recorded.
Your duty to process data lawfully and fairly
To demonstrate that you are meeting your obligation to process data lawfully and fairly, you should:
- store the recording securely;
- retain the recording and data for no longer than absolutely necessary; and
- provide every participant with a right to access, rectify or erase the data (this can be provided for in your privacy policy).
Main points
In summary, you should:
- Check the wording of your privacy policy to ensure it covers your intended use of the information and identifies the appropriate lawful basis you are relying on.
- Include in your work policies and staff handbook your policy on the recording of video-conferences. In addition, check that all staff who may conduct such meetings have received training in how to carry out the meeting lawfully.
- Carry out a mini-DPIA to demonstrate that all potential risks have been considered and how those risks will be mitigated.
- Signpost your privacy policy to participants in advance, and at the start of the meeting request their verbal consent to record the session.
- Keep records of your decisions to record meetings so that you can demonstrate you are complying with GDPR.
- Ensure compliance with your obligation to process data lawfully and fairly.