Your AI Notetaker May be Taking Notes on You Too: Addressing the Risks of AI Transcriptions in the Workplace
AI note-taking services are increasingly popular. Many organizations are using AI scribes to transcribe, summarize and analyze conversations in real time, providing unmatched utility for organizations and workplaces.
Implementing AI transcription services without considering and addressing the privacy, data confidentiality and privilege issues can result in real legal and reputational risk. The BC Office of the Information and Privacy Commissioner has released guidance on the use of AI scribes in healthcare settings – but the privacy concerns and best practices provided are universal. The risks go beyond privacy compliance: AI transcription could create unneeded evidence and challenges for litigation, put at risk the confidentiality of sensitive information and the protection of legal privilege, and lead to civil liability.
If your organization is using AI transcription without forethought, it should consider developing and implementing appropriate guidance, protocol, or policy addressing some of the issues below and others.
Considerations and planning for AI Transcription Tools
Get consent or give notice. If your AI notetaker is collecting personal information about clients, you probably need consent. Where all of the participants involved are employees and the subject of the meeting is work-related, providing notice of the use of the AI tool may be sufficient.
Notice or consent to the use of AI scribes must be meaningful. All participants should be advised of the purpose of the recording and how their personal information will be used. If consent is required, consent agreements should be clear, unambiguous and easy for individuals to locate and understand – especially given the novelty and complexity of AI tools.
Consider whether a Privacy Impact Assessment is appropriate. A PIA is the mechanism by which you identify what information is flowing, to whom, for what purpose, and whether each of those flows is authorized. Conducting a PIA on your use of AI tools demonstrates you take your privacy obligations seriously and helps identify and mitigate risks.
Read the vendor contract carefully — and negotiate it. Does the vendor use your data to train its model? If so, you may need express consent for that. What happens to your data if the vendor is sold or goes bankrupt? Can you require the vendor to delete data? Will you be able to comply with access and other privacy rights? Being able to answer these could be the difference between defensible AI deployment and regulatory violations or civil liability.
Maintain human oversight and audit regularly. AI tools make mistakes. Organizations must have policies requiring human review of AI outputs before they are relied upon for any decision.
Watch for function creep. Every time a vendor updates its tool in a way that changes how personal information is collected or used, your original consent or notice procedures may no longer be valid.
Be cautious not to waive privilege. Using an AI tool that is not managed within the company’s confidential and approved legal framework, and/or that sits outside of privileged communication lines, could put privileged information in jeopardy. Overall, transcriptions may increase, not decrease, litigation risks.
Update general privacy policies. Organizations should consider how they will meet other aspects of their privacy obligations (how the records are securely kept, limitations on access and use, retention and destruction periods, and individual access procedures) and update their policies accordingly.
These steps are only the beginning of an organization’s ongoing obligations to manage new and emerging AI abilities. As AI continues to evolve and change, organizations, too, must address the privacy concerns and adapt their policies.