How the Data Protection Act and GDPR affect Call Recording
A summary of the Data Protection Act
The Data Protection Act (DPA) is a fundamental piece of UK law that governs the protection of personal data.
The 1998 Act is the most recent iteration of the law, supplanting an earlier statute from 1984.
The Act itself does not mention privacy, but was ratified by UK parliament to bring UK law into line with the 1995 European Data Protection Directive, which enshrines European citizens’ right to privacy regarding the processing of their personal data.
Although there are some exemptions, any individual or organisation retaining personal data for anything other than domestic (personal) purposes is legally obliged by the government to comply with the Data Protection Act.
The eight DPA principles
The Act itself sets down eight data protection principles, which can be read in full, together with compliance examples, on the Information Commissioner’s Office (ICO) website: ICO Data Protection Guide
In layman’s terms, the principles are as follows:
1. Data can only be used for the explicit purpose for which it was gathered.
2. Data cannot be released to a third party without the consent of the individual it refers to, unless there is a lawful reason to do so – for instance, the prevention or detection of criminal activity.
3. Citizens have a legal right to access any data held about them in most circumstances. Exclusions might apply if information is held for the prevention or detection of criminal activity.
4. Personal data cannot be kept for longer than is necessary and must be kept up to date.
5. All organisations that process personal data must be enrolled onto the Register of Data Controllers database, which is managed by the ICO. Only a few organisations that conduct the simplest forms of processing are exempt from this rule.
6. If personal data is factually incorrect, the individual that information pertains to has a legal right to see that it is corrected.
7. Any organisation or individual holding personal data for anything other than domestic purposes is required to have appropriate technical and organisational measures in place. These might include technical security features such as network firewalls and organisational security features such as the provision of relevant staff training.
8. Personal data cannot be transferred outside the European Economic Area unless the individual it pertains to has given their consent, or unless the country or territory it is being sent to can ensure adequate protections are in place.
How the Act applies to customer call recordings
The term ‘call recording’ is not specifically mentioned anywhere in the DPA, which may suggest that the law is open to interpretation.
That said, the Act does explicitly refer to the ‘processing’ of information or data as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data
b) retrieval, consultation or use of the information or data
c) disclosure of the information or data by transmission, dissemination or otherwise making available;
d) alignment, combination, blocking, erasure or destruction of the information or data.”
Arguably, then, any telephone call recording undertaken and retained by a business, be it for training purposes or for subsequent data entry, could be construed as data that is being ‘processed’.
It is therefore advisable for businesses to protect call recordings in the same way they would protect any digital or written data where the customer can be identified by that information and so are susceptible to a data breach.
An example of how this might be is when a supervisor burns a disk of call recordings which they intend to analyse for quality purposes and to assess individual agent performance. If the disk identifies individual callers and their personal data, and is subsequently accidentally left on a train or in a café, then the security of those individuals may be breached.
How to keep call recordings within DPA guidelines
Anyone concerned about the DPA as it pertains to call recordings should refer to the ICO website, which contains good-practice notes, technical guidance, legal clarification and a compliance audit manual that can be used by data controllers such as contact centres.
Go to: ICO Data Protection Guide
As a starting point, the ICO website also provides the following checklist, which can be used by organisations that want to gain an overview of their conformance:
- Do I really need this information about an individual? Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
- Do I need to notify the Information Commissioner, and if so, is my notification up to date?
Legal ramifications of non-compliance
Historically, the ICO’s powers allowed it to:
- Carry out assessments to check whether organisations are compliant with the Act.
- Serve information notices requiring organisations to provide the ICO with specified information within a certain time period.
- Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take – or refrain from taking – specified steps to ensure they are DPA-compliant.
- Prosecute those who commit criminal offences under the Act.
- Conduct audits to assess whether those organisations processing personal data are following good practice.
- Report to Parliament on data protection issues of concern.
However, from 6 April 2010, new powers came into being giving the ICO authority to issue monetary penalties of up to £500,000 for data controllers found to be in serious breach of the DPA.
For more information, go to: ICO Monetary Penalties Guidance
The DPA, call recording and employees
If an employer monitors its staff by collecting or using information about them – for instance, if it assembles call recordings for quality assessment and training purposes – the Data Protection Act applies in the same way as it does for customers.
With this in mind, the ICO published an Employment Practices Data Protection Code in 2003, which contains guidance notes for organisations on monitoring employees at work.
While the Code is not legally binding, it does contain guiding principles as to how the legal requirements of the DPA can be met. Employers may well have different ways of meeting these requirements, but doing nothing could mean that they break the law.
In simple terms, the Code states that employees should be made aware if their calls are being monitored. By definition, such monitoring includes call recording, which is generally undertaken for training and evaluation purposes. The guidelines also advise that employees should be told exactly why their calls are being recorded.
The Impact of GDPR on Call Recordings
Until May 2018, the DPA was how the industry was guided, in terms of using call recordings. Yet, GDPR has since inflicted stricter measures on how businesses, serving EU customers, are to do so.
Firstly, an individual now has the right to request the erasure of all their personal data, without undue delay. This not only includes all call recordings, but all data records also. So, advisors need to be trained in how to deal with requests to erase recordings and access personal data.
Secondly, organisations now need to justify their call recordings in one of the following six ways:
1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary to fulfil a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call
While many businesses used to state that call recordings are for quality and training purposes, GDPR has since caused businesses to focus on how to gain consent from customers. This has forced businesses to alter recording policies, define their needs and work out innovative ways to obtain the consent of the individual.
Frequently Asked Questions
Is call recording legal?
The short answer is yes, it is legal to record phone calls – provided that you do not breach the Data Protection Act and the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000, as well as a number of other regulations.
Can a company record conversations that they have with the customer without telling them?
According to the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000, call recordings can be done for the purpose of:
“Monitoring communications made to a confidential voice-telephony counselling or support service which is free of charge (other than the cost, if any, of making a telephone call) and operated in such a way that users may remain anonymous if they so choose.” Section 3 – (1c)
This law can therefore protect anonymous recordings in businesses, but you can also record phone calls for the purpose of doing the following:
- Establishing facts and evidence for business transactions
- Ensuring compliance with regulatory or self-regulatory practices
- Ascertaining and demonstrating that standards are being met
- Defending national security
- Preventing or detecting crime
- Investigating or detecting the unauthorised use of that or any other telecommunication system
- Safeguarding the effective operation of the telecommunications system
Yet, as noted earlier, the ICO’s Employment Practices Data Protection Code does note that staff should be made aware that their calls are being recorded.
How long can the company hold customer information for?
There is no limit for how long companies keep recorded phone calls, although in some industries there is a minimum amount of time that recordings must be kept for.
This follows the fifth principle of the Data Protection Act 1998, which requires each company to make a judgement based on:
- The current and future value of the information
- The costs, risks and liabilities associated with retaining the information
- The ease or difficulty of making sure it remains accurate and up to date
So, this is why it varies from industry to industry. For example, an insurance policy quote is only held for 15 months if it is not enacted, but organisations that conduct simple processes can be exempt from this rule entirely.
Can the customer access the call recordings that the company makes?
The customer can ask for a copy of a phone call. A request can be made for a copy of the recording under data protection legislation and is known as a “subject access request”.
Under the Data Protection Act, you can make a subject access request from “data controllers”, which includes contact centres, for both paper and computer records, as well as for any related information.
Generally, you may have to purchase these recordings for £10, but it may be anything from £1 to £50 for health records and is just £2 for a request for your financial standing only from a credit reference agency.
Can a company pass on the recording without the consent of the customer?
Only in specific situations, such as in legal disputes, or where law enforcement agencies have requested copies.
According to the ICO, these situations include:
- A hospital where you have had an operation shares information with your GP so that you can be looked after properly once you’ve been discharged.
- A teacher, social worker and health professional share information about a child so the child’s needs can be addressed.
- A local authority shares information with the Department for Work and Pensions (DWP) to allow it to work out a pensioner’s application for housing benefit.
- The police share information with a local authority to help counter antisocial behaviour in the area.
- Credit referencing, where lenders consult a credit reference agency to check your financial standing when you apply for credit.
For any other reason, businesses/organisations will most likely require the customer’s consent.
What is a data breach?
A data breach involves someone viewing and perhaps even stealing unauthorised information. In businesses, this could include a customer’s personally identifiable information or their intellectual property.
What is a privacy notice?
Privacy notices are made compulsory when a business/organisation attains personal information from customers, to guarantee that it will not be released, under the Data Protect Act.
A full copy of the 1998 DPA can be found at: www.opsi.gov.uk
An annotated version of the 1998 DPA, including references to laws that have impacted on the DPA since its introduction, can be found at: www.statutelaw.gov.uk