Generative AI-powered note-taking tools (Gen AI tools) are increasingly being used to record, transcribe and produce summaries of meetings across all levels at large organisations including, in some cases, board and committee meetings. However, whilst near-instant transcriptions and summaries offer efficiency gains, they also introduce legal risks around their data processing, distribution and storage.

These concerns should not preclude the use of Gen AI tools entirely, and these tools can be used effectively to enhance the minute-taking process. However, companies may wish to weigh the risks against the benefits before deciding whether to use the tools for board and committee meetings.

In this article, we examine the legal implications and offer practical guidance to help businesses decide whether to harness the benefits of Gen AI tools in this context, and how best to do so.

Board and committee minutes must be kept for at least ten years under section 248 of the Companies Act 2006. If AI-generated transcripts or summaries are created, there is a risk these could be interpreted as records requiring retention. To mitigate this risk and avoid confusion, companies should have a clear written policy around the use of Gen AI tools at board and committee meetings that clarifies that any AI-generated transcripts or summaries are non-official, temporary aids for preparing minutes, not the formal record.

The policy should also specify who is responsible for overseeing the use of Gen AI tools at board and committee meetings, and outline how data outputs will be managed and the timing of their deletion. Whilst the Company Secretary may refer to AI-generated output when preparing formal minutes, such content must always be carefully reviewed and edited to ensure that the final minutes accurately reflect the meeting.

Minutes should be expressly tabled and approved at the next meeting as the official record. At this point, any underlying AI-generated material should be deleted in accordance with company policy. Tools should be configured by default with short retention periods and automatic deletion to address these concerns.

Legal privilege can be inadvertently waived if transcripts or AI-generated notes of discussions of privileged legal advice are shared too widely. If AI-generated material is made available outside the core internal meeting group, such as where it is automatically saved to a non-restricted location or shared by default with all meeting invitees, this could potentially jeopardise the confidentiality needed to maintain privilege. It is therefore particularly important that, when used in any meeting where sensitive legal matters such as litigation strategy or internal investigations are on the agenda, the tools are configured so that any AI-generated material is only accessible to the individual drafting the minutes.

Where sensitive legal matters arise unexpectedly, the person responsible for overseeing the Gen AI tools in the meeting should be authorised to turn off the tools if they consider it appropriate to do so. This could be reinforced by including a standing agenda item for every meeting (for example, “AI-assisted note-taking may not be used during any potentially sensitive discussions”) to keep the issue front of mind.

Company Secretaries should be aware that AI-generated summaries and transcripts may later be disclosable in litigation.

Once litigation is in contemplation, routine document destruction must be suspended to the extent required to preserve potentially relevant material, which includes any underlying AI-generated records of board and committee meetings.

Where a litigation hold is in place and AI-generated records continue to be created, these records should be stored in a manner that allows for effective searching and retrieval for disclosure purposes (with appropriate restrictions on access to ensure that privilege can be maintained). The policy should specify that once the litigation hold no longer applies, they should be deleted in line with the company's ordinary course retention policies.

If AI-generated material from board or committee meetings is to be stored on company systems, it needs to be carefully checked for accuracy.

Use of Gen AI tools to record, transcribe or summarise a board or committee meeting can involve the processing of personal data and confidential information by third-party software, which raises potential data privacy and cybersecurity concerns. Organisations must consider the necessity, proportionality and legal basis of the data processing, address transparency requirements, maintain data security, avoid over-retention of data and put in place processes to be able to give effect to data subject rights.

Data captured by Gen AI tools is usually transmitted to the provider’s servers for processing. As well as the usual data protection considerations (including addressing any restricted international data transfers), the sensitive nature of discussions at board and committee level means that confidentiality and cybersecurity considerations are particularly important.

One key aspect of addressing these risks and requirements is to ensure that only note-taking tools from fully vetted, company-approved providers are used. These approved tools should benefit from thorough vetting, robust controls and contractual assurances, with measures that have been assessed to be appropriate for the tool’s intended use and the company’s risk approach. They may include localisation or ‘on premises’ storage of certain data, limits on supplier data retention, agreed deletion periods, and restrictions on supplier data use and preventing company data from being used to train the AI model (which would also raise concerns around waiver of privilege).

The company-approved tool should also be configured securely and in line with any requirements identified by the company’s data protection and cybersecurity specialists.

Gen AI tools can also raise challenges in the HR context, particularly where board- and committee-level discussions about senior employees, general employee relations, remuneration, litigation and restructuring programmes occur. Individuals in the UK and EU have strong rights to access their personal data through data subject access requests, and AI-generated transcripts and summaries may be disclosable in response to such requests. In many countries, employees can bring employment claims in tribunals or similar, and in that process seek disclosure of relevant information.  

Many countries also require organisations to inform and/or consult with employee representative bodies (such as works councils or trade unions) about significant workforce changes, with potential civil and criminal penalties for failure to comply. Care should be taken to ensure that AI-generated records do not inadvertently or prematurely trigger such requirements. This could occur if the records incorrectly report an apparent decision affecting the workforce at a time when the board is still considering strategic options. Such errors could also restrict the board's ability to consider further options. This risk can be mitigated by actively checking AI-generated transcripts for errors during the minute-drafting process so that the formal minutes of the meeting accurately reflect the board's discussions.