Data Protection and Privacy Considerations When Recording Video Calls
I am old enough to remember 2019. In those days, most people had face-to-face meetings and sometimes even travelled to other countries just to get business done. Fast forward six months and meetings are taking place in the comfort of our own homes. Video conferencing has surged and the most used sentence in the business world today is now “You’re on mute”.
With organisations swiftly adapting culture and practices to accommodate the changes forced upon us by Covid-19, we all start to get comfortable with the technology and people are getting more inquisitive about additional features and offerings. I have enjoyed seeing colleagues and clients adopt quirky backgrounds of choice and I have even unlocked a potential business opportunity myself — launching a range of awkward video conference backgrounds, aimed at passive aggressive people who hold grudges and want to make other meeting participants feel ill at ease. I think it is a winning product, but I digress, another blog for another time.
One tool that has caught people’s attention is the Record meeting function. It has resulted in a few of my clients and former colleagues contacting me for Data Protection advice on whether their organisation can or should record their video calls. My response has been to steer clear, but I promised a more detailed write up once I have some time off, so here it is.
Should my organisation record video calls?
Before I go into the details, I want to make it clear that the scope of this article doesn’t extend to the security and privacy facets of the various products themselves. There are many products in use, such as Google Hangouts, Microsoft Teams, Zoom, Webex and the list goes on. There have been some great articles written about these companies and this subject doesn’t require further input from me. This blog investigates whether organisations should use video recording and how that may or may not align with Data Protection Regulation in Europe, namely GDPR.
Is there personal data in a video call?
In case there is any doubt, the content of a video call is definitely personal data. Personal data is any information that relates to an identified or identifiable living individual. Depending on the content being recorded, it could also include special categories of personal data if things like political opinions, religious beliefs, data concerning health or a person’s sexual orientation are revealed.
Who is my organisation recording?
Your organisation will of course be recording the participants of the video call, but in the shift to working from home, video recording will literally be providing a window into people’s private lives. We have all witnessed half-naked partners stroll past during our team meetings, and we have also seen the occasional child and pet joining the call. Recording household activities starts to feel very intrusive once you start to contemplate that you might be recording more than a willing meeting participant. Who knows what inadvertent information may be revealed about the other people in the household, including children or individuals with vulnerabilities? Have those people been informed that they are being recorded?
Why are you recording the call and is it lawful?
To process personal data an organisation must have defined their purpose of processing and lawful basis. Simply put, you should not use the technology just because you can. I would advise any company wishing to record video calls to ensure they have a very good reason for doing so, which is logged in their records of processing and their privacy notice.
Many companies deciding to use this function will forget about defining the purpose and skip straight to the idea that they will get consent from all participants. This route proves to be especially seductive because most of these tools provide built-in consent mechanisms, but here are a few reasons I think this is a terrible idea:
Consent must be freely given — for consent to be valid it must be freely given. I would argue that there is an imbalance of power if an employee is being asked to give consent to have their meeting recorded, because they might be worried about the consequences of declining the recording, for example fear of being obstructive or uncollaborative. This could invalidate the consent if put under scrutiny.
Consent must be easy to withdraw — in order for consent to meet GDPR’s strict standards, it must be as easy to withdraw consent as it is to give consent and I don’t think this is an easy one to manage. If you have a real purpose for recording the meeting, it is likely to be obstructive to your purpose if a participant decides to withdraw consent, because you need to delete the file as you no longer have consent to process it.
Consent is not a purpose — an organisation must still demonstrate that they have a valid reason to process that data. Reasons for recording video calls might vary from business to business, but in most standard organisations, I would struggle to find a good reason for recording video calls, especially if I start to consider whether it is really necessary and proportional for any purpose.
Unwilling participants — Consent cannot be gained from unwilling participants, who inadvertently end up being seen or heard in the background and whose personal data you may end up processing.
If consent is not used, then you need to find another lawful basis and most companies will seek to claim legitimate interests. This is another dubious lawful basis which requires a legitimate interest impact assessment — an LIA, which is a documented exercise in which an organisation must specify why the processing is necessary for their purpose, how these benefits balance with the rights and freedoms of data subjects, why the purpose could not be achieved in a less intrusive way and other key elements. Whilst there may be some exceptions, most organisations are going to struggle to demonstrate legitimate interests for undertaking an activity which they coped perfectly well without up until now.
There are of course other lawful bases to consider, but in most circumstances, I consider them to be weak for this purpose.
How is your organisation going to fulfil Data Subject Rights?
If your organisation starts recording video calls, this personal data becomes in scope for the fulfilment of data subject rights. Your Data Protection Officer (or associated team) might need to provide copies of the video call as part of your response to a Subject Access Request. Consider how well your organisation is equipped to handle this and whether you wish to take on the extra expense of having to search, review and if necessary redact the videos to ensure that the fulfilment of the request doesn’t impact the rights and freedoms of other data subjects — all within 30 days. This could become a lengthy, cumbersome and expensive exercise, which points back to the fact that you will want to have a really robust and important reason for recording these calls, because when you start to consider cost/benefit it’s not quite the innocuous free feature it first appears to be.
If you receive a right to erasure request, the same applies: you have to find it and delete it within 30 days, unless you have a lawful basis under which you can continue to process this data.
Allowing video recordings means that you have to tell the data subjects that you are recording them and fulfil the requirements of GDPR Articles 13 and 14. Let me give you the heads up: none of the tools in question have a function that provides all of the information required under the right to be informed. Sure, most video conferencing tools provide a message to say that the call is being recorded, but they won’t provide your organisation’s specific purpose, lawful basis, retention period and other information required to fulfil the right to be informed. You will need to ensure that your Privacy Notice to employees (and anyone else on the call) has adequately covered this.
Storage, access and retention
If you plan to allow the recording of calls you need to make sure the format and location in which it is stored provides an adequate level of security. Many of the key providers offer the option to download the file and store it locally. Depending on your plan, you may also be able to store it in the cloud.
Access is another key consideration. Who has access to the recording? Is it the person hitting the record button? Is it everyone in the meeting? Does this vary from call to call? How do you make sure the wrong people don’t get access to it? Should any of these elements change if someone on the call reveals anything unexpected? In practice, this can swiftly become impossible to manage and track. In my network of DPOs and Privacy Managers, very few can say they have truly got to grips with the practicalities of this aspect.
You must also have a robust retention policy. Retention periods for these video recordings should probably be much shorter than retention periods for other purposes, so you need a process to guarantee the file is deleted at the end of that retention period. If you don’t and there is any kind of incident involving the loss of that data, then it is going to be pretty tricky to explain why you were still storing it. Shorter retention periods also make DSARs much more manageable.
Big Brother is watching
When I think about all the meetings I have sat in during my 21-year career, I cringe at the thought of them being recorded and re-playable. All of us have had less than good days, when we say things or pull faces that we regret or that may not put us in the best light if re-watched. I am not talking about awful or inappropriate things that require disciplinary attention, just your average meeting where maybe someone is under the weather, under stress or has other reasons for not being at their best. Do we really want records of these situations? I feel uncomfortable with this and I think it is a real intrusion on privacy. Many meetings veer off in unexpected directions, sometimes revealing very sensitive information and I don’t think anyone can claim that they would be comfortable with recordings of all their historic meetings.
I also get really concerned with the idea of the calls being used beyond their original purpose. If it got into the wrong hands it could be used to analyse behaviours, attention spans, performance and so on. It can get dystopian if you have a good imagination.
You will have gleaned by now that I think video recording calls is a bad idea and I really believe this feature should be deactivated for most users. It is not necessary or proportional for most purposes and the ability to re-watch every nuanced look or expression is creepy to say the least. The issue is compounded by Covid-19 because recording in people’s homes is deeply intrusive.
If an organisation chooses to allow this functionality they have to do it sensitively and properly. This can become a costly and complicated exercise, which would rarely have cost benefits.
Sometimes things are best left alone.
What about exceptions?
I am against activating or allowing the video recording feature as standard day to day practice, but Data Controllers must do what they feel is correct for their business, taking into account their own necessity and risks. There may be exceptions where your organisation believes they have a genuine purpose and lawful basis for processing. For example, you might be running a training session and decide that it would be useful to make the recording available to other individuals who could not make the live session and would be interested to hear the input and questions of other participants.
If you do decide that video recording is for you then here are my top tips:
1. If people are working from home and you need to record them, ask them to obscure the background.
2. Tell all participants they are being recorded and give them the genuine option to switch off their camera or drop off without reprisal.
3. Make sure you have a purpose and lawful basis for recording which has been communicated to individuals concerned. That purpose must be specific and robust enough to stand up to scrutiny — in other words it is necessary and proportional.
4. Know where recordings are stored so data subject rights can be easily fulfilled.
5. Strictly limit the access to the recordings.
6. Don’t keep the recording indefinitely; in fact, have a system in place to delete it at the earliest possible opportunity. I would advise keeping them no longer than 30 days after you have fulfilled the purpose for which they were recorded.
7. Ensure the recordings are stored as securely as possible. Ideally, at a minimum, these will be encrypted.
8. Thoroughly investigate the software provider and consider the pros and cons of each. Don’t forget some providers will transfer your data outside of the EU.
9. Depending on the purpose, volumes and type of data processed, I strongly recommend undertaking a DPIA.
10. Update your records of processing and privacy notices to reflect the activities taking place.
11. Do not contemplate using the video recordings for purposes beyond those stated, no matter how justified the need may seem.
What do you think?
Should video calls be recorded? Perhaps you are a Privacy Professional who has approved video recordings in your organisation and find my view too dogmatic. Or maybe I have missed some concerns you have identified? Are you a business thinking about recording calls and have additional views, thoughts or need some advice? Either way, it would be good to hear from you!
Thanks for reading.