The explosion of generative AI has spawned a wide range of personal and professional tools and applications. One noteworthy (no pun intended) example of those tools and applications is notetakers that can capture, transcribe, and organize the content discussed at meetings (virtual or otherwise), enabling participants to more meaningfully participate in the meeting/discussion. They can even enable an individual to not be present at the meeting at all and not miss out! Of course, like any new AI or other technology, it is important to consider the risks along with the benefits.

There are already many AI notetakers on the market. Summaries like this can help potential users evaluate the different features, options, ratings, etc. In addition, potential users might consider the following questions when selecting and implementing an AI notetaker for their organization.

  • Does the tool record the conversation/meeting from which it develops the notes, transcript? If so, you will need to think about several issues, a few of which are discussed here.
    • One is whether you have complied with the applicable consent requirements. For example, some states, known as all-party or two-party consent states, require consent of all persons to a call before it can be recorded. Some AI notetakers can attend and record a meeting on behalf of the user. In some cases, the default rule may not alert others on a call that the AI notetaker is dialed in and recording the call. Organizations should alert employees of this possibility and address it accordingly. The organization also will need to consider whether it has provided appropriate notice of the collection of personal information from persons participating in the meeting. Businesses subject to the California Consumer Privacy Act (CCPA), for example, generally are required to provide a notice at collection to California residents concerning, among other things, the categories of personal information the business collects from them. This includes the business’ employees. Accordingly, such businesses will need to evaluate notetakers along with other means for collecting personal information from such individuals.
    • Another issue is how a recording is handled once created – should it be encrypted, who is permitted to access it, how long should it be maintained, etc. Such recordings could become the subject of a litigation hold, or a data subject access request. For example, an individual whose personal information is covered by the CCPA or a similar law, might request access to that information or deletion of it.
  • Is your data used to train the notetaking tool? Some notetaking tools will use the transcriptions generated by customers to help improve the accuracy of the product. Of course, the organization using the tool will need to consider the confidentiality, privacy, and security of the information it permits its notetaking vendor to acquire for this purpose, and whether this practice raises regulatory or contractual issues. The tool might provide an opt out from this use and the organization will want to make sure to train employees to opt out, as needed.
  • What kind of confidential and personal information do you anticipate will be captured by the tool? As with many AI applications, it is critical to understand the use cases that you anticipate being served by the technology. The use cases can be wide-ranging and will be shaped by, among other things, the type of business and activities engaged in, which departments/employees in the organization are using the tool, and other factors. For example, in a law firm environment, using a notetaker likely will raise attorney-client privilege issues. In a healthcare environment, it is likely that a notetaker could capture protected health information (PHI) of patients. However, if a health system’s marketing department is using a notetaker, capturing PHI might be less likely, but still possible. So, when thinking about how your organization will use a notetaker, it is important to consider not only your organization’s regulatory environment, but also who in the organization will be permitted to use the technology and for what purpose(s), what representations have been made about disclosures of confidential and personal information, etc. See policy development below.
  • If the product promotes deidentification, what standard for deidentification applies? Depending on the use cases that an organization anticipates when using notetakers, deidentification may not be a critical issue. Businesses in the construction industry, for example, might find it unlikely that the organization’s use of a notetaker would involve individually identifiable personal information. But where that is the case, and where the organization desires or needs to protect that information and or minimize the creation of it, some notetakers offer deidentification functionality. In those cases, however, it will important to understand the product’s deidentification process. Healthcare entities subject to HIPAA, for example, must satisfy a specific regulatory standard for deidentification. See 45 CFR 164.514.
  • How do we address others outside the organization who are using these tools? Customers, applicants, business partners, vendors, and other third parties also may be using these tools during meetings with persons at the organization. In the process, they may be creating a recording or transcript of the discussion, perhaps capturing confidential business or privileged information. The organization will need to evaluate how it will approach different situations, e.g., a vendor versus a job applicant. However, making the organization’s employees sensitive to this possibility is a starting point.
  • Do we need a policy? New technologies like generative AI and their various iterations often raise many questions concerning use in organizations. Indeed, many organizations have adopted policies to guide employees when using another popular application of generative AI technology – ChatGPT and similar tools. Policies can be helpful to establish guiding principles and requirements for employees, such as:
    • which notetaker(s) have been vetted by the organization and are approved for use in the course of employment,
    • which employees are permitted to use the notetaker and for what purposes,
    • guidelines for providing notice, consent, etc.,
    • what safeguards should be followed for securing transcriptions with confidential and personal information,
    • guidelines for limiting access to transcriptions,
    • record retention and litigation hold requirements, and
    • how to handle meetings intended to be privileged.

Policies will help the organization take into account regulatory concerns, client preferences, among other things. For what it is worth, we asked ChatGPT about whether to have a policy, and it responded, “Implementing a policy to govern how your organization’s employees use a generative AI note-taker is a prudent decision.”

Even if your organization has not formally adopted an AI notetaker, some of your employees may already be using the technology. As noted above, there are several considerations that should prompt additional analysis concerning the nature and scope of the use of such tools.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.