The explosion of generative AI has spawned a wide range of personal and professional tools and applications. One noteworthy (no pun intended) example of those tools and applications is notetakers that can capture, transcribe, and organize the content discussed at meetings (virtual or otherwise), enabling participants to more meaningfully participate in the meeting/discussion. They can even enable an individual to not be present at the meeting at all and not miss out! Of course, like any new AI or other technology, it is important to consider the risks along with the benefits.
There are already many AI notetakers on the market. Summaries like this can help potential users evaluate the different features, options, ratings, etc. In addition, potential users might consider the following questions when selecting and implementing an AI notetaker for their organization.
- Does the tool record the conversation/meeting from which it develops the notes, transcript? If so, you will need to think about several issues, a few of which are discussed here.
- One is whether you have complied with the applicable consent requirements. For example, some states, known as all-party or two-party consent states, require consent of all persons to a call before it can be recorded. Some AI notetakers can attend and record a meeting on behalf of the user. In some cases, the default rule may not alert others on a call that the AI notetaker is dialed in and recording the call. Organizations should alert employees of this possibility and address it accordingly. The organization also will need to consider whether it has provided appropriate notice of the collection of personal information from persons participating in the meeting. Businesses subject to the California Consumer Privacy Act (CCPA), for example, generally are required to provide a notice at collection to California residents concerning, among other things, the categories of personal information the business collects from them. This includes the business’ employees. Accordingly, such businesses will need to evaluate notetakers along with other means for collecting personal information from such individuals.
- Another issue is how a recording is handled once created – should it be encrypted, who is permitted to access it, how long should it be maintained, etc. Such recordings could become the subject of a litigation hold, or a data subject access request. For example, an individual whose personal information is covered by the CCPA or a similar law, might request access to that information or deletion of it.
- Is your data used to train the notetaking tool? Some notetaking tools will use the transcriptions generated by customers to help improve the accuracy of the product. Of course, the organization using the tool will need to consider the confidentiality, privacy, and security of the information it permits its notetaking vendor to acquire for this purpose, and whether this practice raises regulatory or contractual issues. The tool might provide an opt out from this use and the organization will want to make sure to train employees to opt out, as needed.
- What kind of confidential and personal information do you anticipate will be captured by the tool? As with many AI applications, it is critical to understand the use cases that you anticipate being served by the technology. The use cases can be wide-ranging and will be shaped by, among other things, the type of business and activities engaged in, which departments/employees in the organization are using the tool, and other factors. For example, in a law firm environment, using a notetaker likely will raise attorney-client privilege issues. In a healthcare environment, it is likely that a notetaker could capture protected health information (PHI) of patients. However, if a health system’s marketing department is using a notetaker, capturing PHI might be less likely, but still possible. So, when thinking about how your organization will use a notetaker, it is important to consider not only your organization’s regulatory environment, but also who in the organization will be permitted to use the technology and for what purpose(s), what representations have been made about disclosures of confidential and personal information, etc. See policy development below.
- If the product promotes deidentification, what standard for deidentification applies? Depending on the use cases that an organization anticipates when using notetakers, deidentification may not be a critical issue. Businesses in the construction industry, for example, might find it unlikely that the organization’s use of a notetaker would involve individually identifiable personal information. But where that is the case, and where the organization desires or needs to protect that information and or minimize the creation of it, some notetakers offer deidentification functionality. In those cases, however, it will important to understand the product’s deidentification process. Healthcare entities subject to HIPAA, for example, must satisfy a specific regulatory standard for deidentification. See 45 CFR 164.514.
- How do we address others outside the organization who are using these tools? Customers, applicants, business partners, vendors, and other third parties also may be using these tools during meetings with persons at the organization. In the process, they may be creating a recording or transcript of the discussion, perhaps capturing confidential business or privileged information. The organization will need to evaluate how it will approach different situations, e.g., a vendor versus a job applicant. However, making the organization’s employees sensitive to this possibility is a starting point.
- Do we need a policy? New technologies like generative AI and their various iterations often raise many questions concerning use in organizations. Indeed, many organizations have adopted policies to guide employees when using another popular application of generative AI technology – ChatGPT and similar tools. Policies can be helpful to establish guiding principles and requirements for employees, such as:
- which notetaker(s) have been vetted by the organization and are approved for use in the course of employment,
- which employees are permitted to use the notetaker and for what purposes,
- guidelines for providing notice, consent, etc.,
- what safeguards should be followed for securing transcriptions with confidential and personal information,
- guidelines for limiting access to transcriptions,
- record retention and litigation hold requirements, and
- how to handle meetings intended to be privileged.
Policies will help the organization take into account regulatory concerns, client preferences, among other things. For what it is worth, we asked ChatGPT about whether to have a policy, and it responded, “Implementing a policy to govern how your organization’s employees use a generative AI note-taker is a prudent decision.”
Even if your organization has not formally adopted an AI notetaker, some of your employees may already be using the technology. As noted above, there are several considerations that should prompt additional analysis concerning the nature and scope of the use of such tools.