5 Key Data Privacy And Security Risks That Arise When Organizations Record Job Interviews & Strategies For Mitigating Them

Jackson Lewis P.C.

COVID-19 drove many formerly in-person interactions onto a variety of video conferencing platforms.  But as millions of vaccinations are administered each day, and case numbers decline, it’s now possible to imagine and plan for the time when conducting business over video will no longer be mandatory.

For many organizations, though, COVID-19 has led to an epiphany that will very likely outlast the pandemic: Many aspects of work can be conducted remotely, without any drop in productivity and with enormous advances in convenience and geographic reach.

An organization based in Chicago, for instance, no longer needs to limit its pool of job candidates to those willing to relocate to that city, and no longer needs to fly candidates in – at great expense – for in-person interviews.  Instead, the organization can expand the scope of its search to include candidates who live – and plan to remain – in distant locations like Austin, Denver, Miami, and Nashville, and can interview those candidates by video conference.

What’s more, video conferencing platforms allow an organization to record those interviews, thereby potentially reducing biases and errors in its interview processes by creating far more reliable records of what transpired during each interview.  The benefits don’t end there.  The organization can then use its archive of video interviews to evaluate which interview styles and questions were most effective in screening candidates and can use the videos to train its staff on best practices for conducting future interviews.

But there’s a catch: In addition to potential concerns that the recordings may create unhelpful or even harmful “evidence,” video recording job interviews may also expose organizations to significant data privacy and security risk – risk which can and must be managed through thoughtful policies and procedures.

Risks

  1. Candidates in other states or countries may bring their jurisdictions’ data privacy and security obligations with them. Many data privacy and security laws are tied to the location or residence of the data subject (e.g., the job candidate), not the location of the data controller (e.g., the organization conducting the search).  If your organization records interviews of candidates residing in California or the EU, for instance, it may be subject to obligations under the CCPA or GDPR, respectively.  Both of these laws generally require the provision of certain privacy notices and, in the case of the GDPR, grant to data subjects an expansive set of rights related to the collection, use, disclosure, and retention of their data.  (Beginning in January 2023, when a new California law, the CPRA, takes effect, California candidates will have similarly expansive rights.)
  2. Interview recordings will likely contain far more personal information than the notes or memos generated during or after in-person interviews. Interview discussions can be wide-ranging, often touching on subjects that may qualify as personal information under applicable law – including information that would rarely make it into written records of that discussion.  For instance, even if not asked, the candidate might discuss her own or a family member’s medical condition, or she might directly or indirectly indicate her religious affiliation or sexual orientation.  And even when discussion focuses on more mundane topics – like educational and work histories – the information collected may trigger privacy obligations under expansive privacy regimes like the CCPA, CPRA, and GDPR.
  3. Complying with purpose limitations. The CCPA and GDPR require organizations to disclose to data subjects the purposes for which their personal information is used.  And, in the case of the GDPR, the organization may be required to assess whether its own purposes for using the personal information may be overridden by competing interests of the data subject.  The obvious, likely unobjectionable, purpose for recording a video interview is to better evaluate the candidate at issue.  But if the organization subsequently decides to use the recording for training or marketing, it could incur obligations to provide additional disclosures, obtain additional consent, and/or conduct additional analysis.
  4. Ensuring all parties consent. About a dozen US states require consent of both parties to record a conversation.  An organization conducting interviews by video conference must therefore be mindful that, prior to recording the interview, it should obtain consent from both the candidate and the employees involved in conducting the interview.
  5. Ensuring video interviews are adequately secured. Data breaches have become an enormous source of liability for most organizations.  It is not unusual for breaches to stem from systems or databases that an organization overlooked when designing its data security program because they weren’t obvious repositories of sensitive information.  An archive of interview videos could easily fall into that category.

Mitigation Strategies

  1. Conduct scope analysis. Given the proliferation of data privacy and security laws – Virginia recently passed an expansive new privacy law, and Colorado, Florida, New York, and other states may soon follow suit – and the fact that many of these laws are tied to the location or residence of the data subject, determining which laws will govern your organization’s recording of video interviews is a critical first step.
  2. Ensure you provide requisite privacy notices. If applicable, based on your organization’s scope analysis, provide privacy notices to interviewees prior to their interview.  Where the CCPA applies, for instance, your organization will likely need to provide a “notice at collection” to candidates, disclosing to them the categories of personal information that your organization collects about job applicants and the purposes for which it uses that information.
  3. Prepare to respond to requests for access, deletion, and rectification. If the GDPR applies, candidates may be entitled to request that your organization grant them access to their interview recordings, that it delete those recordings, or that it permit candidates to correct inaccurate information in the recordings.  In California, the CPRA will begin imposing similar requirements when it takes effect.
  4. Collect requisite consent. Your organization will, in most instances, be able to address applicable obligations to obtain consent to record video interviews by taking two relatively simple steps.  First, it should develop a policy placing all employees who conduct video interviews on notice that those interviews will be recorded and collect from each employee an acknowledgment of receipt of that notice.  Second, it should train applicable employees to advise candidates at the start of each interview that the interview will be recorded for specified purposes (e.g., to improve the quality of the organization’s interview processes).
  5. Develop policies and procedures to ensure proper use, disclosure, security, and retention. To comply with the GDPR, CCPA, and other data privacy and security laws, your organization should ensure that it has policies and procedures in place to regulate how interview recordings are used, who has access to them, to whom they’re disclosed, where they’re stored, and how long they’re kept.  For instance, your organization may need to develop policies to prevent the use of interview recordings for purposes not previously disclosed; to restrict access to the recordings to employees with a legitimate need; to limit disclosure of the recordings to trusted third parties with whom it has proper contractual protections in place; and to ensure the recordings are securely destroyed in accordance with the organization’s record retention policy.

With good reason, many organizations are intrigued by the prospect of recording video interviews – along with other video communications – for future use.  For organizations engaging in this practice, or planning to, however, it’s important to be mindful of the associated risks.  These risks will not, in most instances, be prohibitive, but they require careful consideration and the implementation of thoughtful mitigation strategies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising
