As the pandemic continues, universities are looking to move away from in-person teaching, instead turning to online learning by providing recorded lectures.

This move aims to enhance the learning experience of students who cannot attend in person teaching due to absence or in the event there are further lockdowns.

The ICO has issued clear guidance that data protection is not a barrier to increased and different types of remote working, but universities will need to consider the data protection issues and appropriate security measures.

What Are the Data Protection Issues When Recording Lectures?

When recording lectures, universities are processing personal data of the individuals delivering, and in some cases attending, the lectures. Where personal data is processed, universities will need to ensure that they are doing so fairly, lawfully and transparently.

First, consider whether processing personal information in this way is fair, taking into account what staff (and in some cases students) would reasonably expect in relation to the use of their personal information, the reasons their information is being used for this purpose and any detriment to the individuals involved.

Secondly, identify and document your lawful bases for processing personal data. For most universities it is likely that they will be able to rely on legitimate interests or public task as their lawful basis, but remember if you are relying on legitimate interest a legitimate interest assessment should be carried out.

Thirdly, make it clear to staff (and where applicable, students) what you are doing with their personal information, how recordings will be reused, how long they will be kept for and with who they will be shared. You can tell individuals either by updating your current privacy notice or by creating a separate notice which applies to only lecture recordings.

Other issues should also be considered, for example, whether the platform used to record lectures has end-to-end encryption, whether it has sufficient security measures to prevent unauthorised access, and if there are any reported concerns about the security of the platform.

What Should Universities Do Next?

  • Carry out a data protection impact assessment (DPIA). When using new technology and using personal information in a new way that poses a high risk, universities should carry out a DPIA to identify the advantages, risks, ways of mitigating those risks and other ways of working.
  • Review and update your privacy policies. These should be updated and clearly sign posted to staff (and where applicable, students) before recording begins, so that they understand why their personal information is being collected, what it will be used for, how long it will be kept for and who it will be shared with.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.