2020 has forced us all to adapt to the increased use of technology to facilitate meetings. These include disciplinary processes, general meetings and interviews, some of which you may want to record for your internal record keeping.
Zoom (or your similar chosen platform) permits recording of meetings to be saved for later or shared with others. To ensure that you can take advantage of this function in a compliant manner, we have set out below some key data protection considerations that will need to form part of your preparation process, prior to pressing record.
When you record a video meeting you will be collecting personal data. This means that your organisation will be the data controller for this data, and will need to comply with Article 5 of the GDPR. This includes ensuring that you collect only what you need, the recording is stored securely and access is limited, and that the recording is processed lawfully, fairly and in a transparent manner. All of the principles that apply to personal data will apply to the recording, and you need to be able to demonstrate that you complied with all of them in order to carry out the recording lawfully.
Recording of a video meeting is likely to be seen by participants as particularly privacy intrusive - especially if they are in their home environment. Therefore, whilst it is unlikely that this is something that would legally require you to carry out a DPIA, we recommend documenting a mini-assessment of the reasons for recording, the risks / harm, how you intend to mitigate those risks, and how you will ensure compliance with the GDPR. Consider whether there is a less intrusive means of achieving the same aim. Is it necessary to record the meeting and store the recording? If it is not necessary to record the meeting we suggest that you do not use this function.
Transparency is also important. Unless there are particular reasons why you cannot notify individuals about the recording, consider in advance how you will provide the information required by GDPR. This includes information about purposes of processing, retention periods and lawful bases. You must provide this information at the point that data is collected (i.e. at the start of the video conference).
It would be impractical to provide all of this at the start of every meeting, and instead we recommend including this information in your privacy notice, and simply drawing the individual's attention to the notice at the start of the meeting.
You will also need to let them know that the video is being recorded. If you are relying on consent as your lawful basis then it will be at this point that you ask for consent from the individual to record the meeting.
If you are not relying on consent (and we recommend that you do not rely on consent as your lawful basis), then you will likely be processing the data for your legitimate interests, and you should identify this as your lawful basis in the privacy notice.
If you will not be collecting consent, there is no need to ask the individual if it is OK to record the meeting. Instead, you should tell them that you are recording, and allow them to object if they wish.
In order to demonstrate that you are processing the information lawfully and fairly your obligations also extend to:
Recording meetings covertly or in contravention of the principles outlined above may lead to a complaint from an individual about the way their personal data has been treated.
To avoid falling foul of your data protection obligations we recommend taking the following steps: