The information below sets out the points of consideration for data protection when remotely recording participants. As outlined above, you should undertake privacy by design for projects proposing to remotely record participants. CTRG/CUREC should also be consulted to ensure any changes are within the ethical requirements of the project or to submit an appropriate amendment.
Do I need to record?
With the move to remote working, there is now a demand to be able to hold participant interviews and collect data remotely using video-conferencing tools. However, in the first instance you should consider whether there is a need to remotely record participants if it was not necessary to record them prior to a remote working situation. For research, the University generally relies on ‘public interest task’ as its lawful basis for processing personal data. To rely on this lawful basis, the recording must be necessary for an active research activity and there must be ethical approval in place to conduct that activity.
Video recording in Microsoft Teams
Microsoft Teams is the University’s approved tool for virtual meetings and the only tool approved for confidential subject matter. Microsoft Teams has the functionality to video meetings, but you will still need to consider the risks described in the sections above when setting up a virtual meeting for the purposes of recording. To find out more, visit IT Services’ page on recording meetings.
Necessity and proportionality
Consideration should be given to the necessity and proportionality of the video recording. For example, if a video recording is necessary to capture an assessment of the participant, the video recording should be limited to the assessment only as it may not be necessary to record the entire meeting for the purpose of the research.
It may only be necessary to record the audio feed of the meeting for the purposes of transcription and later analysis. However, Microsoft Teams does not currently have the functionality to isolate audio from a video recording of a virtual meeting. In order to restrict the recording of the meeting to audio only, all attendees must switch off their cameras before starting the recording. This can only be done by each attendee. The onus is therefore on the participant to disable their own camera feed as it cannot be switched off by the meeting organiser. With this approach, there is a risk that participants may accidentally enable their camera during the recording and the researcher may inadvertently capture their video feed. As a safeguard to ensure that only audio is captured, the template invitation email to the invitees could be edited to remind them to ensure their webcams are switched off prior to joining the meeting. You should then remind all attendees in the meeting and check that all cameras are switched off before pressing record.
Where it is necessary to record the audio feed only but you need to be able to see the individual during the recording, there will be a risk of over-collection of personal data. You will need to consider how to mitigate those risks to avoid processing more personal data than necessary, for example, deleting the video as soon as the transcription is complete, ensuring data security measures are in place to protect the data until it can be destroyed and only using a third party transcription service:
- that has been subject to a third party security assessment (TPSA) and is assessed as low risk for confidential data
- whose contract uses the University’s standard template for supply for services or has been approved by the Purchasing Team in accordance with the University’s Financial Regulations
It is possible to create closed captions for recorded videos in Microsoft Stream. Further work to explore this functionality and the potential production of transcripts continues and further guidance will be issued in due course.
Before the meeting starts, you should ensure that your working environment is set up appropriately to maintain and protect the privacy and confidentiality of data subjects, such as using headphones and not allowing unauthorised persons to look over your shoulder.
Once complete, the recordings are saved on Microsoft Stream. The organiser must ensure that the permissions to the recording are set appropriately whilst the recording is stored by Microsoft and restricted to those with a need to know. For guidance on this, check IT Services’ page on recording meetings. The default permissions for the recording are set with the person who made the recording (the meeting organiser) as the owner of the video and, if applicable, the internal Nexus 365 users who were on the meeting invite are set as viewers. External or guest meeting participants will not have access to the recording.
As the recording will be on an individual organiser’s account as opposed to a shared mailbox, it is recommended that recordings are downloaded and saved to the University IT network (for example restricted access folder, password-protected format) for data availability and business continuity purposes and so the retention policy for that data can be easily managed. The recording will exist in Microsoft Stream as long as the owner keeps it there or for as long as their account exists. Once downloaded, the recordings should be deleted from the organiser’s individual Microsoft Stream account.
Note that when a user deletes a recording, it is sent to the recycle bin and they have 30 days to recover this before it is permanently deleted. Recordings can also be permanently deleted from the recycle bin before the automatic 30 days.
It is important that participants are informed about the proposed recording activities or proposed changes to recording activities for projects already in flight through participant information sheets. It is recommended that CTRG/CUREC are consulted on any changes to participant information sheets.