Privacy Notice

The University of Oxford is committed to protecting the privacy and security of your personal information ('personal data'). This notice explains how personal data is collected and used when meetings organised by the Nuffield Department of Medicine (NDM) are recorded, transcribed, and/or processed using approved generative AI (GenAI) tools under the NDM Meeting Recording and GenAI Management SOP.

A. Who is using your personal data?

The University of Oxford[1] is the data controller for the personal data processed under this notice. This means that the University decides how your personal data is used and is responsible for looking after it in accordance with UK data protection legislation.

Day-to-day administration and first-line queries should be directed to the NDM Information Governance Team at: information.governance@ndm.ox.ac.uk. The University Data Protection Officer can be contacted at: data.protection@admin.ox.ac.uk.

This notice applies to meetings hosted by NDM staff where recording, transcription and/or GenAI tools are used for personal note-taking, informal meeting management, formal minutes or records, and knowledge-sharing. Higher-risk activities, including meetings focused on HR matters, student welfare, health matters, patients, research participants, clinical care, or special category personal data, are outside routine scope and require separate review before any such processing takes place.

B. Glossary

'Personal data' means any information relating to an identified or identifiable person. 'Processing' means anything we do with that information, including collection, use, storage, disclosure, deletion, or retention.

C. The types of data we may collect

Depending on the meeting and the agreed plan, we may collect and use:

  • basic identity and contact details, such as your name, job title, department or organisation, and email address;
  • your image, voice and contributions in a meeting recording or live transcript;
  • messages, files, shared screens, questions, comments, reactions and other information you submit during the meeting;
  • meeting outputs such as transcripts, draft minutes, action lists, summaries, translated text, and other GenAI-generated or human-edited notes;
  • limited technical metadata associated with the meeting, such as date, time, participant list, and meeting title.

We do not intend to use this routine process for the purpose of collecting or otherwise using special category personal data, or confidential information outside the agreed scope of the meeting. However, because meeting recordings, transcripts and related outputs may include participants’ names, voices, images or remarks, they may incidentally contain, or allow the inference of, information of that kind. If such information is disclosed unexpectedly or falls outside the agreed scope, the meeting chair must manage the meeting appropriately and, where necessary, stop or limit recording/transcription and ensure that material is not taken forward for GenAI processing.

D. How we obtain your data

Most of the personal data covered by this notice is obtained directly from you when you attend and participate in an NDM-hosted meeting. This includes information collected through your spoken contributions, video, chat messages, shared content, and any meeting materials you provide. We may also receive limited information about you from the meeting organiser, from Microsoft Teams and related Nexus365 services, or from another participant who shares documents or agenda materials containing your details.

E. How we use your data and our lawful basis

We use personal data under this SOP only where recording, transcription and/or GenAI processing has been planned in advance, participants have been informed, and the activity is within the approved scope for the meeting. The main purposes are:

  • to support personal note-taking, accessibility, recall, comprehension, translation, or individual learning;
  • to support informal meeting management, including shared notes, summaries and action tracking;
  • to produce formal minutes, records, and draft governance documentation for committees and decision-making meetings;
  • to support internal or external knowledge-sharing, for example recorded presentations, briefings, seminars, workshops, and training sessions;
  • to enable secure storage, controlled sharing, quality assurance, and lifecycle management of meeting outputs.

For most processing under this notice, the University relies on one or both of the following lawful bases:

  • public task, where the processing is necessary for the University to perform tasks in the public interest, including education, training, academic administration, governance, and the advancement of learning;
  • legitimate interests, where the processing is necessary for the governance, management, operation, accessibility, efficiency, and knowledge-sharing activities of NDM and the wider University, provided those interests are not overridden by your rights and interests.

Where a meeting involves a separate legal obligation, a different lawful basis may also apply. If we need to use your personal data for a new and unrelated purpose, or if consent is required for a specific use, we will tell you that separately at the relevant time.

GenAI processing under this SOP is limited to approved Oxford AI tools and approved methods. GenAI may be used to help generate summaries, draft minutes, action lists, translations, explanations, or other working outputs from recordings, transcripts, or manually prepared notes. Human review remains mandatory where outputs are used for formal minutes/records or knowledge-sharing, and GenAI outputs must not be treated as authoritative without appropriate checking.

F. Who has access to your data

Access to personal data is limited to people who need it for the relevant purpose. Depending on the meeting plan, this may include:

  • the meeting chair, organiser, minute-taker, and relevant NDM or University staff supporting the meeting;
  • meeting participants and, where the plan allows, additional internal stakeholders who need access to outputs;
  • authorised members of secretariat or governance support teams for formal records;
  • authorised external attendees where the meeting is designed for external knowledge-sharing and this has been made clear in advance;
  • approved service providers acting on the University's behalf, such as Microsoft and other approved providers used within Oxford's managed environment.

We may also disclose personal data where necessary to comply with a legal obligation, to investigate or report an information security incident, or to protect the rights, property, and safety of the University and others. Where data is shared, we will seek to share the minimum necessary.

G. Where we store and use your data

We store and use your data on University premises, in both manual and electronic form.

Meeting recordings, transcripts, notes, and related outputs are normally stored within University-managed systems, including Nexus365 services such as Microsoft Teams, SharePoint, OneDrive, OneNote, and Microsoft Stream, in line with the agreed plan for the meeting.

Oxford-approved AI tools and Microsoft services may involve processing through cloud infrastructure. Personal data may therefore be transferred outside the UK in limited circumstances, for example where a cloud service provider operates internationally. Where that happens, the University will ensure that an appropriate safeguard applies, such as an adequacy decision, approved contractual clauses, or another lawful transfer mechanism recognised under UK data protection law.

H. Data security

Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website: https://www.infosec.ox.ac.uk/.

The University applies technical and organisational measures to protect personal data. Access controls, approved platforms, retention limits, and restrictions on unauthorised use form part of those measures. Third parties processing data on our behalf must do so only on our instructions and must keep it secure.

Participants also play a role in protecting privacy. Meeting invitations and in-meeting reminders may ask participants to use privacy-protective options such as muting, disabling video, altering or blurring backgrounds, or using chat or a moderator instead of speaking aloud where appropriate.

I. How long we keep your data

Retention depends on the agreed meeting purpose. The standard retention periods in the SOP are summarised below. If a bespoke plan is approved, a different retention period may apply and participants will be informed accordingly.

| Meeting purpose/output | Typical access and storage | Standard retention period |
| --- | --- | --- |
| Personal note-taking: transcript/recording | Personal Nexus365 storage such as OneDrive; individual user access | 1 year then delete if retained as the sole output; or 1 month then delete if used only to generate GenAI outputs. |
| Personal note-taking: GenAI outputs | Personal Nexus365 storage; individual user access | 1 year then delete, unless anonymised outputs need to be retained. |
| Informal meeting management | Teams/SharePoint or similar Nexus365 shared workspace; participants and permitted internal stakeholders | Transcript: 1 month then delete. GenAI outputs: project close or 1 year, whichever is longer, then delete. |
| Formal minutes or records | Teams/SharePoint; authorised participants and secretariat | Transcript: 1 month then delete. GenAI outputs: 6 months then delete. Final formal minutes/records: retained in line with the applicable retention schedule. |
| Knowledge-sharing: internal or external audience | Teams, SharePoint, Stream or other approved University-managed workspace; defined audience | All outputs: review at 1 year and delete when no longer required. |

If material changes are made after the meeting – for example a change of purpose, wider sharing, a different AI tool, or a retention extension – further review and approval may be required before the change is implemented.

J. Automated decision-making

This process is not intended to involve solely automated decision-making or profiling about individuals. GenAI tools may assist with drafting or summarising, but meaningful human oversight is required where outputs are used for formal or shared purposes.

K. Your rights

Subject to the conditions and limits in data protection law, you have individual rights to request access to your personal data, request correction of inaccurate data, request erasure in some circumstances, object to processing based on public task or legitimate interests, request restriction of processing, and request portability where applicable. You also have the right to complain to the Information Commissioner's Office if you are dissatisfied with how your information has been handled at: https://ico.org.uk/concerns/.

Information on your rights in relation to your personal data is explained at: http://www.admin.ox.ac.uk/councilsec/compliance/gdpr/individualrights/.

If you wish to exercise your rights, raise a concern, or discuss a particular meeting recording, transcript, or GenAI output, please contact the NDM Information Governance Team at: information.governance@ndm.ox.ac.uk or the University's Information Compliance Team/Data Protection Officer at: data.protection@admin.ox.ac.uk. We will consider requests without undue delay and in accordance with UK data protection law.

You can also contact us by post at:

Wellington Square
Oxford
OX1 2JD
United Kingdom

L. Changes to this notice

We may update this notice at any time to reflect changes in law, University guidance, approved tools, or departmental practice. The current version should be made available with meeting notifications or linked from the relevant departmental documentation.

[1] The University's legal title is the Chancellor, Masters and Scholars of the University of Oxford.