GDPR for filmed and recorded events: in-person & via Zoom
DPA (2018) & GDPR
The General Data Protection Regulations (GDPR) came into force in the UK from 25th May 2018. They are implemented alongside the Data Protection Act 2018 and both set out the data protection framework within the UK.
Privacy Notices
When the AV team are requested to provide filming and recording services in person, the specific photography and video Privacy Notice attached at the end of this page, must be made available to attendees.
It should be amended by the event organizer and then made available to the AV Centre and attendees during the event - for example to have available to read at the Registration Desk..
The Privacy Notice informs individuals what purpose the images or videos will be used for, and that images and videos must not be used for other purposes.
The Privacy Notice should be used in addition to visible posters for any event where filming has been requested. These posters must confirm that filming is taking place, what the purpose of the filming is, and how to opt out of being photographed or filmed.
Prior notice of filming must be given to event attendees. This can be done in a number of ways including via email, printed documents and/or University webpages.
The University provides standard wording and further information or you can amend the Privacy Notice attached at the bottom of this page.
Arrangements should be made by the event organiser to procure all relevant permissions, copyright approval etc. and the wishes of individuals should be provided to camera operators or the AV Centre before the filming takes place, ideally in writing.
An easy way to identify individuals on the day itself who have opted out of photography and video is through the provision of coloured lanyards to individuals . This will enable camera operators to identify them and avoid including them in shots.
On the day the AV Centre staff (photographer/videographer) will be identifiable via a black shirt with the embroidered Audio Visual logo or an armband. Individuals can approach them to request that they not be filmed or photographed.
Anyone filmed can request their image/data is not used after the event - this approach should be made to the designated event organiser. If you are unsure how this will affect your event, please contact the Information Governance team for advice, at dataprotection@york.ac.uk.
AV Centre process for securing data
Filmed in-person:
Filming takes place with privacy notice, visible signage and any copyright permissions evidenced
Footage copied onto local edit computers (requires keycard access to room and AV Centre staff login on computer). Original copies of footage kept in edit room.
Editing is specified by end client
Completed footage only sent to end client
All footage sent via Drop Off - IT Services file transfer service. Files are encrypted when sent. DropOff security
After completion - all files and edit projects archived onto secure IT Services filestores and all original files on SSD's or SD cards deleted permanently by formatting drives and cards.
Edit projects and all content deleted from IT Services filestores after 2 years unless there is a specific reason to keep it.
Recorded via Zoom (online web conferencing):
Individual participants to any zoom call must approve being recorded before they can join the Meeting or Webinar. If anyone requests not to be recorded, they will not be able to participate in or watch the online event but will be able to watch the recording at a later date.
Recording of an attendee is impossible if their microphone and camera remains muted - in a webinar scenario this will always be the case unless they specifically approve a request from the Host to unmute. The attendee in question will always have full control of their own microphone and camera.
Recordings are copied onto edit computers. These are located either in locked locations on campus, not accessible to students or the public, or on computers at AV staff's home premises. Original copies of recordings remain on the Zoom servers for 180 days and are then deleted automatically. Zoom GDPR policy
Only edited/completed footage is sent to the end client.
All edited footage is sent via Drop Off. Files are encrypted when sent if neccessary - DropOff security provides further information on this process.
After completion - all files and edit projects archived onto secure IT Services filestores and all original files on SSD's or SD cards deleted permanently by formatting drives and cards.
Edit projects and all content deleted from IT Services filestores after 2 years unless there is a specific reason to keep it.
For reports sent internally to University of York staff notice is given of the need to be in compliance with the University's Data Security Policies
All reports (Registration, Attendee, Questions etc) are sent via Drop Off - IT Services file transfer service. Files are encrypted when sent. DropOff security
For reports sent externally, notice is given that the data is of a confidential and personal nature and as such the receiving party must maintain adherence to GDPR requirements and data security principles. We may also delete any personal data before sending such reports.
Further Information
Further information regarding GDPR is available on the University Data Protection webpages, or by contacting the University's Information Governance Officer at dataprotection@york.ac.uk, and from the Information Commissioners Office.
Downloadable Privacy Notice for Filming & Photography:
N.B. The sections in red should be amended by the event organiser to be relevant to the event.