微信视频通话视频录制_录制视频通话和数据保护

微信视频通话视频录制

I am old enough to remember 2019. In those days, most people had face to face meetings and sometimes even travelled to other countries just to get business done. Fast forward six months and meetings are taking place in the comfort of our own home. Video conferencing has surged and the most used sentence in the business world today is now “You’re on mute”.

我的年龄足以记住2019年。在那些日子里，大多数人都面对面开会，有时甚至为了做生意而去了其他国家。 快进了六个月，会议在我们自己的家中举行。 视频会议激增，当今商业世界中使用最广泛的句子现在是“您处于静音状态”。

With organisations swiftly adapting culture and practices to accommodate the changes forced upon us by Covid-19, we all start to get comfortable with the technology and people are getting more inquisitive about additional features and offerings. I have enjoyed seeing colleagues and clients adopt quirky backgrounds of choice and I have even unlocked a potential business opportunity myself — launching a range of awkward video conference backgrounds, aimed at passive aggressive people who hold grudges and want to make other meeting participants feel ill at ease. I think it is a winning product, but I digress, another blog for another time.

随着组织Swift适应文化和实践以适应Covid-19所强加给我们的变化，我们所有人都开始对技术感到满意，并且人们对附加功能和产品也越来越好奇。 我很高兴看到同事和客户采用古怪的选择背景，甚至我自己也释放了潜在的商机-发起了一系列尴尬的视频会议背景，这些背景是针对那些怀有怨恨并想让其他会议参与者感到不适的被动进取者缓解。 我认为这是一个成功的产品，但是我离开了另一个博客。

One tool that has caught people’s attention is the Record meeting function. It has resulted in a few of my clients and former colleagues contacting me for Data Protection advice on whether their organisation can or should record their video calls. My response has been to steer clear, but I promised a more detailed write up once I have some time off, so here it is.

记录会议功能是引起人们关注的一种工具。 这导致我的一些客户和以前的同事与我联系，以获取有关其组织是否可以录制视频通话的数据保护建议。 我的回答一直是要弄清楚，但是我保证在我有时间的时候会写更详细的文章，所以这是。

我的组织应该录制视频通话吗？ (Should my organisation record video calls?)

Before I go into the details, I want to make it clear that the scope of this article doesn’t extend to the security and privacy facets of the various products themselves, there are many products in use, such as Google Hangouts, Microsoft Teams, Zoom, Webex and the list goes on. There have been some great articles written about these companies and this subject doesn’t require further input from me. This blog investigates whether organisations should use video recording and how that may or may not align with Data Protection Regulation in Europe — namely GDPR.

在开始讨论细节之前，我想明确指出，本文的范围不会扩展到各种产品本身的安全性和隐私方面，有许多产品正在使用中，例如Google Hangouts，Microsoft Teams， Zoom，Webex，列表继续。 关于这些公司的文章很多，而这个话题不需要我进一步的投入。 该博客调查了组织是否应使用录像，以及录像是否与欧洲的《数据保护条例》(即GDPR)保持一致。

视频通话中是否有个人数据？ (Is there personal data in a video call?)

In case there is any doubt, the content of a video call is definitely personal data. Personal data is any information that relates to an identified or identifiable living individual. Depending on the content being recorded, it could also include special categories of personal data if things like political opinions, religious beliefs, data concerning health or a person’s sexual orientation are revealed.

如有任何疑问，视频通话的内容绝对是个人数据。 个人数据是与已识别或可识别的生活个体有关的任何信息。 根据所记录的内容，如果发现诸如政治见解，宗教信仰，有关健康或人的性取向的数据之类的内容，则还可能包括特殊类别的个人数据 。

我的组织正在记录谁？ (Who is my organisation recording?)

Your organisation will of course be recording the participants of the video call, but in the shift to working from home, video recording will literally be providing a window into people’s private lives. We have all witnessed half naked partners stroll past during our team meetings*, we have also seen the occasional child and pet joining the call. Recording household activities starts to feel very intrusive once you start to contemplate that you might be recording more than a willing meeting participant. Who knows what inadvertent information may be revealed about the other people in the household, including children or individuals with vulnerabilities. Have those people been informed that they are being recorded?

您的组织当然会在录制视频通话的参与者，但是从在家工作的转变来看，视频录制实际上将为人们的私人生活提供一个窗口。 我们所有人都目睹了半裸的伙伴在我们的团队会议中漫步过去*，我们还看到偶尔有孩子和宠物加入。 一旦您开始考虑自己录制的内容可能比愿意参加会议的参与者更多，那么录制家庭活动就会开始变得非常麻烦。 谁知道可能会泄露有关家庭中其他人的任何无意信息，包括儿童或弱势群体。 那些人被告知他们正在被记录吗？

*slight exaggeration

*有点夸张

您为什么要录音并合法？ (Why are you recording the call and is it lawful?)

To process personal data an organisation must have defined their purpose of processing and lawful basis. Simply put, you should not use the technology just because you can. I would advise any company wishing to record video calls to ensure they have a very good reason for doing so, which is logged in their records of processing and their privacy notice.

要处理个人数据，组织必须定义其处理目的和合法依据 。 简而言之，您不应仅仅因为可以就使用该技术。 我建议任何希望录制视频通话的公司，以确保有充分的理由这样做，并记录在他们的处理记录和隐私声明中。

Many companies deciding to use this function will forget about defining the purpose and skip straight to the idea that they will get consent from all participants. This route proves to be especially seductive because most of these tools provide built in consent mechanisms, but here are a few reasons I think this is a terrible idea:

许多决定使用此功能的公司将忘记定义目的，而直接跳过这样一个想法，即它们将获得所有参与者的同意。 事实证明，这条路线特别诱人，因为这些工具大多数都提供内置的同意机制，但是出于以下几个原因，我认为这是一个糟糕的主意：

Consent must be freely given — for consent to be valid it must be freely given. I would argue that there is an imbalance of power if an employee is being asked to give consent to have their meeting recorded, because they might be worried about the consequences of declining the recording, for example fear of being obstructive or uncollaborative. This could invalidate the consent if put under scrutiny.

必须自由给予同意-为使同意有效，必须自由给予同意。 我要说的是，如果要求雇员同意将会议记录下来，则权力不平衡，因为他们可能会担心记录减少的后果，例如担心会阻碍或不合作。 如果受到严格审查，这可能会使同意无效。

Consent must be easy to withdraw — in order for consent to meet GDPR’s strict standards, it must be as easy to withdraw consent as it is to give consent and I don’t think this is an easy one to manage. If you have a real purpose for recording the meeting, it is likely to be obstructive to your purpose if a participant decides to withdraw consent, because you need to delete the file as you no longer have consent to process it.

同意必须易于撤回 -为了使同意符合GDPR的严格标准，撤回同意必须与给予同意一样容易，而且我认为这不容易管理。 如果您有录制会议的真实目的，那么如果参与者决定撤回同意，这可能会妨碍您的目的，因为您需要删除该文件，因为您不再同意处理该文件。

Consent is not a purpose — an organisation must still demonstrate that they have a valid reason to process that data. Reasons for recording video calls might vary from business to business, but in most standard organisations, I would struggle to find a good reason for recording video calls, especially if I start to consider whether it is really necessary and proportional for any purpose.

同意不是目的 -组织仍必须证明他们有正当理由来处理该数据。 录制视频电话的原因可能因企业而异，但是在大多数标准组织中，我会很难找到录制视频电话的充分理由，尤其是如果我开始考虑出于任何目的是否真的必要和成比例的话。

Unwilling participants — Consent cannot be gained from unwilling participants, who inadvertently end up being seen or heard in the background and whose personal data you may end up processing.

不愿参加的参与者 - 不愿意参加的参与者无法获得同意，他们会无意中最终在后台被看到或听到，并且您的个人数据可能最终会被处理。

If consent is not used, then you need to find another lawful basis and most companies will seek to claim legitimate interests. This is another dubious lawful basis which requires a legitimate interest impact assessment — an LIA, which is a documented exercise in which an organisation must specify why the processing is necessary for their purpose, how these benefits balance with the rights and freedoms of data subjects, why the purpose could not be achieved in a less intrusive way and other key elements. Whilst there may be some exceptions, most organisations are going to struggle to demonstrate legitimate interests for undertaking an activity which they coped perfectly well without up until now.

如果未使用同意书，那么您需要寻找另一个合法依据，大多数公司将寻求主张合法利益。 这是又一个可疑的合法基础，需要进行合法的利益影响评估-LIA，这是一个有据可查的演习，组织必须在其中指明为何出于其目的需要进行处理，这些利益与数据主体的权利和自由之间的平衡，为什么不能以较少干扰的方式和其他关键要素来实现该目的。 尽管可能会有一些例外，但是大多数组织都将努力证明自己从事一项活动的合法利益，而这项活动到目前为止还没有很好地应付。

There are of course other lawful bases to consider, but in most circumstances, I consider them to be weak for this purpose.

当然，还有其他合法依据需要考虑，但在大多数情况下，我认为它们在此基础上是薄弱的。

您的组织将如何实现数据主体权利？ (How is your organisation going to fulfil Data Subject Rights?)

If your organisation starts recording video calls, this personal data becomes in scope for the fulfilment of data subject rights. Your Data Protection Officer (or associated team) might need to provide copies of the video call as part of your response to a Subject Access Request. Consider how well your organisation is equipped to handle this and whether you wish to take on the extra expense of having to search, review and if necessary redact the videos to ensure that the fulfilment of the request doesn’t impact the rights and freedoms of other data subjects — all within 30 days. This could become a lengthy, cumbersome and expensive exercise, which points back to the fact that you will want to have a really robust and important reason for recording these calls, because when you start to consider cost/benefit it’s not quite the innocuous free feature it first appears to be.

如果您的组织开始记录视频通话，则此个人数据将成为实现数据主体权利的范围。 您的数据保护官(或相关团队)可能需要提供视频通话的副本，作为对主题访问请求的答复的一部分。 考虑一下您的组织有多强的能力来处理此问题，以及您是否希望承担额外的费用，即必须进行搜索，审阅以及如有必要，请对视频进行编辑以确保满足要求不会影响他人的权利和自由。数据主体-全部在30天内。 这可能会成为一个冗长，繁琐且昂贵的练习，这表明您希望有一个记录这些通话的确实可靠且重要的原因，因为当您开始考虑成本/收益时，它并不是无害的免费功能它首先看起来是。

If you receive a right to erasure request, the same applies, you have to find it and delete it within 30 days, unless you have a lawful basis under which you can continue to process this data.

如果您收到删除请求的权利，则同样适用，您必须在30天内找到并删除它，除非您有合法的依据可以继续处理此数据。

透明度 (Transparency)

Allowing video recordings means that you have to tell the data subjects that you are recording them and fulfil the requirements of GDPR article 13 and 14. Let me give you the heads up — none of the tools in question have a function that provides all of the information required under the right to be informed. Sure, most video conferencing tools provide a message to say that the call is being recorded, but they won’t provide your organisation’s specific purpose, lawful basis, retention period and other information required to fulfil the right to be informed. You will need to ensure that your Privacy Notice to employees (and anyone else on the call) has adequately covered this.

允许进行视频录制意味着您必须告诉数据主体您正在录制它们并满足GDPR第13和14条的要求。让我提起您的头脑-有问题的工具没有一个功能可以提供所有知情权要求的信息。 当然，大多数视频会议工具都会提供一条消息，告知您正在录制呼叫，但它们不会提供贵组织的特定目的，合法依据，保留期限以及履行知情权所需的其他信息。 您将需要确保您给员工(和通话中的其他任何人)的隐私声明充分涵盖了这一点。

存储，访问和保留 (Storage, access and retention)

If you plan to allow the recording of calls you need to make sure the format and location in which it is stored provides an adequate level of security. Many of the key providers offer the option to download the file and store it locally, depending on your plan, you may also be able to store in the cloud.

如果计划允许记录呼叫，则需要确保存储呼叫的格式和位置提供足够的安全性。 许多关键提供商都提供了下载文件并将其存储在本地的选项，具体取决于您的计划，您也许还可以将其存储在云中。

Access is another key consideration. Who has access to the recording? Is it the person hitting the record button? Is it everyone in the meeting? Does this vary from call to call? How do you make sure the wrong people don’t get access to it? Should any of these elements change if someone on the call reveals anything unexpected? In practice, this can swiftly become impossible to manage and track. In my network of DPOs and Privacy Managers, very few can say they have truly got to grips with the practicalities of this aspect.

访问是另一个关键考虑因素。 谁可以访问录音？ 是那个人点击了录音按钮吗？ 是每个人都在开会吗？ 这随呼叫而变化吗？ 您如何确定错误的人无法访问它？ 如果有人在通话中发现任何意外内容，这些元素中的任何元素应该改变吗？ 实际上，这可能很快就变得无法管理和跟踪。 在我的DPO和隐私经理网络中，很少有人可以说他们真正掌握了这方面的实用性。

You must also have a robust retention policy. Retention periods for these video recordings should probably be much shorter than retention periods for other purposes, so you need a process to guarantee the file is deleted at the end of that retention period. If you don’t and there is any kind of incident involving the loss of that data, then it is going to be pretty tricky to explain why you were still storing it. Shorter retention periods also make DSARs much more manageable.

您还必须具有可靠的保留策略。 这些录像的保留期可能应该比其他目的的保留期短得多，因此您需要一个过程来确保在该保留期结束时删除文件。 如果您不这样做，并且发生任何涉及数据丢失的事件，那么要解释为什么仍要存储数据将非常棘手。 较短的保留期也使DSAR更易于管理。

大哥在看 (Big Brother is watching)

When I think about all the meetings I have sat in during my 21 year career. I cringe at the thought of them being recorded and re-playable. All of us have had less than good days, we say things or pull faces that we regret or may not put us in the best light if re-watched. I am not talking about awful or inappropriate things that require disciplinary attention, just your average meeting where maybe someone is under the weather, under stress or has other reasons for not being at their best. Do we really want records of these situations? I feel uncomfortable with this and I think it is a real intrusion on privacy. Many meetings veer off in unexpected directions, sometimes revealing very sensitive information and I don’t think anyone can claim that they would be comfortable with recordings of all their historic meetings.

当我考虑我在21年职业生涯中参加的所有会议时。 我不禁想到它们会被录制并重新播放。 我们所有人的日子都不好过，如果再看一遍，我们会说些遗憾或不高兴的事情或表情。 我不是在谈论需要纪律注意的糟糕或不适当的事情，而只是在您可能遇到某人的天气，压力或其他原因导致无法达到最佳状态的普通会议上。 我们真的想要这些情况的记录吗？ 我对此感到不舒服，我认为这是对隐私的真正侵犯。 许多会议朝着意想不到的方向转向，有时会透露非常敏感的信息，而且我认为没有人能声称自己对所有历史性会议的录音都很满意。

I also get really concerned with the idea of the calls being used beyond their original purpose. If it got into the wrong hands it could be used to analyse behaviours, attention spans, performance and so on. It can get dystopian if you have a good imagination.

我也非常担心呼叫的使用超出了其最初的目的。 如果误入歧途，它可以用来分析行为，注意力跨度，表现等。 如果您有良好的想象力，它会变得反乌托邦。

判决 (Verdict)

You will have gleaned by now that I think video recording calls is a bad idea and I really believe this feature should be deactivated for most users. It is not necessary or proportional for most purposes and the ability to re-watch every nuanced look or expression is creepy to say the least. The issue is compounded by Covid-19 because recording in people’s homes is deeply intrusive.

到现在为止您已经了解到，我认为视频通话是一个坏主意，我真的认为应该为大多数用户停用此功能。 对于大多数目的而言，这不是必需的或不成比例的，至少可以说，重新观看每一个细微差别的外观或表情的能力令人毛骨悚然。 Covid-19使这个问题更加复杂，因为在人们的家中进行录音是非常令人讨厌的。

If an organisation chooses to allow this functionality they have to do it sensitively and properly, this can become a costly and complicated exercise, which would rarely have cost benefits.

如果组织选择允许使用此功能，则他们必须灵敏而正确地执行此操作，这可能会成为一项代价高昂且复杂的工作，几乎不会带来成本收益。

Sometimes things are best left alone.

有时最好不要管它。

那例外呢？ (What about exceptions?)

I am against activating or allowing the video recording feature as standard day to day practice, but Data Controllers must do what they feel is correct for their business, taking into account their own necessity and risks. There may be exceptions where your organisation believes they have a genuine purpose and lawful basis for processing. For example, you might be running a training session and decide that it would be useful to make the recording available to other individuals who could not make the live session and would be interested to hear the input and questions of other participants.

我反对将视频录制功能作为标准的日常操作来激活或允许，但是数据控制者必须考虑到自身的必要性和风险，做自己认为对自己的业务正确的事情。 在某些情况下，如果您的组织认为他们有真实的目的和合法的处理基础，则可能会例外。 例如，您可能正在进行一次培训课程，并决定将录音内容提供给其他无法进行实时培训并希望听到其他参与者的输入和问题的个人很有用。

If you do decide that video recording is for you then here are my top tips:

如果您确定要录制视频，那么以下是我的主要提示：

1. If people are working from home and you need to record them, ask them to obscure the background.

1.如果人们在家工作，并且需要记录他们，请让他们掩盖背景。

2. Tell all participants they are being recorded and give them the genuine option to switch off their camera or drop off without reprisal.

2.告诉所有与会人员正在录制的影像，并为他们提供真正的选择，以关闭其相机或将其关闭而不进行报复。

3. Make sure you have a purpose and lawful basis for recording which has been communicated to individuals concerned. That purpose must be specific and robust enough to stand up to scrutiny — in other words it is necessary and proportional.

3.确保您已将录制的目的和合法依据传达给有关个人。 该目的必须足够具体且强大，足以经受审查—换句话说，这是必要且成比例的。

4. Know where recordings are stored so data subject rights can be easily fulfilled.

4.知道记录的存储位置，以便轻松实现数据主体权利。

5. Strictly limit the access to the recordings.

5.严格限制对录音的访问。

6. Don’t keep the recording indefinitely, in fact have a system in place to delete it at the earliest possible opportunity. I would advise to keep them no longer than 30 days after you have fulfilled the purpose for which they were recorded.

6.不要无限期地保存记录，实际上有一个可以尽早删除记录的系统。 我建议您在完成录制目的之后，将其保留不超过30天。

7. Ensure the recordings are stored as securely as possible. Ideally at minimum these will be encrypted.

7.确保录音尽可能安全地存储。 理想情况下，至少将这些加密。

8. Thoroughly investigate the software provider and consider the pros and cons of each. Don’t forget some providers will transfer your data outside of the EU.

8.彻底调查软件提供商，并考虑各自的优缺点。 不要忘记，有些提供商会将您的数据转移到欧盟之外。

9. Depending on the purpose, volumes and type of data processed, I strongly recommend undertaking a DPIA.

9.我强烈建议您根据处理数据的目的，数量和类型进行DPIA。

10. Update your records of processing and privacy notices to reflect the activities taking place.

10.更新您的处理记录和隐私声明，以反映正在进行的活动。

11. Do not contemplate using the video recordings for purposes beyond those stated, no matter how justified the need may seem.

11.不管看起来有多合理的理由，都不要考虑将视频记录用于上述目的之外的目的。

你怎么看？ (What do you think?)

Should video calls be recorded? Perhaps you are a Privacy Professional who has approved video recordings in your organisation and find my view too dogmatic. Or maybe have I missed some concerns you have identified? Are you a business thinking about recording calls and have additional views, thoughts or need some advice? Either way, it would be good to hear from you!

是否应录制视频通话？ 也许您是一名隐私权专家，已经在您的组织中批准了录像，并且认为我的观点过于教条。 也许我错过了您发现的一些担忧？ 您是否正在考虑录制电话并有其他观点，想法或需要一些建议？ 无论哪种方式，都希望收到您的来信！

Thanks for reading.

谢谢阅读。

Image Icon made by https://www.flaticon.com/authors/freepik

由https://www.flaticon.com/authors/freepik制作的图像图标

翻译自: https://medium.com/swlh/recording-video-calls-and-data-protection-b21ba6112cdd

微信视频通话视频录制