Skip to content

Audio recording of meetings – are you complying with Data Protection obligations?

17/12/2024

Audio recording of meetings – are you complying with Data Protection obligations?

Whilst most employers continue to make handwritten notes of meetings including investigations, disciplinary, and grievance meetings, with advances in technology and the increasing use of AI some employers are now considering alternative methods of notetaking. Some AI tools automatically transcribe the content of a meeting, alternatively parties may use more traditional audio recording and manually transcribe the content following the meeting.

Technology isn’t always without its glitches and from a practical perspective we would encourage any organisation considering moving to this type of recording to test any system rigorously before moving entirely away from handwritten notes.

The purpose of this article however is to consider the data protection implications of such recordings.

 Be aware of your data protection obligations

Recordings will contain the personal data of the participants and also contain the personal data of anyone who is discussed during the meeting. It is highly likely that in any such meeting Special Category data (which attracts a higher level of protection) will be recorded, for example, information about health, trade union membership, religious beliefs, race, sexual orientation etc.

Compared to making a handwritten note, any form of audio recording is more intrusive as it not only captures what each individual said but also their voice. If a video recording is made, for example of a meeting conducted via Teams, this is more intrusive again.

 Carry out a Data Privacy Impact Assessment

In light of this we strongly recommended that a Data Privacy Impact Assessment (DPIA) is carried out before an organisation take steps carries out any form of audio recording.

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations. Conducting a DPIA is a legal requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals. The ICO website contains a template that you can use or adapt: https://ico.org.uk/media2/migrated/2553993/dpia-template.docx

 Identify your lawful basis for processing 

As part of the DPIA the organisation will need to identify its lawful basis for processing, and then document the lawful basis, before any processing (including recording) can begin. As members will be aware, due to the imbalance of power in the employer/ employee relationship consent cannot be used as a lawful basis for processing. Therefore you will need to consider whether you can bring it under “necessary for the performance of the contract” or the more flexible “legitimate interests” however this requires a Legitimate Interests Assessment and can also be open to challenge.

 Update your privacy information

Where audio recording is being used, it will also be necessary to issue all parties to a recorded meeting with an updated privacy notice. This updated privacy notice should detail information including:

  • the lawful basis for processing;
  • how the recording will be used;
  • who it will be shared with;
  • where it will be stored; and
  • for how long etc

It must be provided to all parties in advance of the meeting. This could be achieved through a statement in the Disciplinary Policy and Procedure / Grievance Procedure itself provided the parties are made aware and are able to access to it. Alternatively, you may need to consider issuing a Just in Time Privacy Notice on each occasion.

You also need to define how long your organisation will keep the recording. We are aware that some employers transcribe the recording, share a copy of the typewritten notes with the employee, then erase the recording once the typewritten notes are agreed. You should however consider how you will deal with any disputes about the transcript as any party to the meeting could request a copy of the recording.

Deletion of the recording also may not be straightforward as it must be retained if it is relevant to any potential legal proceedings.

 Consider how you will deal with requests for the recording

Any individual who attends a recorded meeting may issue a Data Subject Access Request (DSAR) and as part of this request a copy of the audio recording. Such a request could be issued by the employee who is the “subject” of the meeting, it may be their companion/Trade Union representative, or anyone else in attendance.

There is an exemption in the Data Protection Act 2018 that states you do not have to comply with a DSAR if doing so would mean disclosing the personal data of a third party except where:

  • the other party has consented to the disclosure; or
  • it is reasonable to reply to the request without that individual’s consent

As all of the attendees at the meeting heard what was discussed, it is highly unlikely you could refuse to share the recording on the basis consent is required (or has been denied) by others who attended the meeting. If people who were not present at the meeting are discussed, this opens up a different line of consideration.

If you are sharing an audio recording then it should be subject to strict controls, some of which would likely include: that it is not to be published (for example, online); and an agreement about who it can be shared with/played to however this may be difficult to enforce in practice.

Overall, whilst the move to digital forms of recording brings a number of benefits, there are certainly a number of legal implications to consider.