The use of video conferencing tools has surged with the COVID-19 pandemic.  When organising virtual meetings, organisers frequently ask attendees for their consent to use the recording functionality, as recordings make it convenient to prepare minutes, keep accurate records of the meetings and share them with colleagues who might not have been able to attend.  There is always a good reason to record for “future reference”.

However, we should not forget that such recording and storage qualifies as processing of personal information within the meaning of the Protection of Personal Information Act, 4 of 2013 (POPIA).  The use of video and sound recording may be considered too intrusive a means of achieving the purposes of recording a meeting.  All lawful processing conditions should therefore apply to it.  First and foremost, there should be a lawful basis for processing.

Companies often rely on consent from the meeting attendees as a legal basis for recording.  Messages such as “by accessing this video meeting, you agree to it being recorded…” are quite common.

Consent as a lawful basis for processing should be carefully considered and most of the time discarded.

Indeed, POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.[1]

In the absence of guidelines issued by the Information Regulator, or case law, to further define the characteristics of consent, it is useful to refer to the General Data Protection Regulation (GDPR) and its related documentation.  In the Guidelines 05/2020 on consent under Regulation 2016/679[2] (EDPB Guidelines), issued by the European Data Protection Board (EDPB), the EDPB specifies that, for consent to processing to be freely given, and therefore valid, the data subject should be able to refuse such consent without detriment.

The choice offered to a virtual meeting attendee is often either to attend the virtual meeting (consent) or, in case of refusal, to not attend the virtual meeting, remain silent or turn one’s camera off during the meeting.  These options are obviously detrimental to the attendee and, to a certain extent, to all participants in the meeting.  Therefore, consent cannot be considered as freely given in this instance.

This is even more true in the employment context, due to the imbalance of power between employer and employee.  Does an employee who is requested by the employer to attend a recorded virtual meeting have a true and free choice to refuse such recording without any risk?

In limited instances, consent may be a valid basis if, where one attendee refuses to be recorded, an alternative solution is proposed that has no impact or detrimental effect on the attendee who refused.  This would give the data subject a fair and genuine choice in accepting or refusing the recording of the virtual meeting.  This solution, however, appears to be highly impractical.

In limited instances, the recorder could rely on the legal basis of legitimate interest to process virtual meeting recordings.

This legitimate interest should however be carefully demonstrated and documented.

POPIA does not define “legitimate interests”, but the General Data Protection Regulation (GDPR) says:[3]

The legitimate interests of a controller, (…), or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

Therefore, it is good practice to assess the legitimate interest by conducting a balancing test.  The responsible party should assess whether the processing is indeed necessary to achieve the legitimate interest that it pursues, and weigh its legitimate interests against the data subject’s fundamental rights and freedoms in the case of virtual meeting recording.

Depending on the purpose of the meeting, the legitimate interest may be more or less compelling, and the recording may be more or less necessary to achieve such interest.

This balancing test should be carefully conducted for each type of meeting and not applied on a blanket basis.  For example, the balancing test could be in favour of recording for a training session that will form part of the induction material for all employees.  In other instances, the balancing test could be in favour of not recording for HR meetings where sensitive employee matters would be discussed.

This can be quite administratively intensive, but this is the price of accurately documenting processing and limiting cases where personal information is unnecessarily (and unlawfully) processed and held by the organisation.

Having a video conferencing policy in place at the organisation level, or limiting recording rights to certain authorised employees, may also help maintain lawful practices.


References

1 Section 1 of POPIA.
2 edpb_guidelines_202005_consent_en.pdf (europa.eu).
3 Recital 47 of the GDPR.