Call recording is extremely common across all kinds of businesses that operate external-facing contact centres. For monitoring and managing service levels, supporting professional development and protecting against disputes, call recording adds value to operations by providing reliable evidence that can be referred to as and when needed.
However, any business that records telephone conversations for any purpose needs to be aware of data protection and privacy rules. In the UK, the relevant law is the Data Protection Act 1998, which implemented EU-wide principles aimed at protecting individuals' privacy.
Although the Act does not refer to call recording explicitly, it does cover any activity involving the "processing" of personal data, including the creation, management and use of records. As telephone conversations between a business and a customer will often involve the sharing of personal details and information, call recording falls within these terms.
The main principles of the Act which apply to call recording are as follows:
- Data cannot be used for any purpose other than that which it is gathered for.
- Any business which collects and stores personal data must be registered with the Information Commissioner’s Office (ICO).
- If a business does record and store personal data, it must have appropriate security infrastructure and protocols in place to keep it safe.
- Personal data should only be stored as long as necessary.
In practice, the first point means that businesses have to be explicit about the fact that they are gathering information and what it is to be used for. Amendments made to the Data Protection Act in 2003, together with provisions of the Telecommunications Act 1984 and the Human Rights Act 1998, require organisations to announce to both employees and customers whenever calls may be recorded, and to give them the option not to take part.
Some specific uses of recorded calls may require explicit consent from the parties involved, but these are specialist cases. If unsure, it is best to get legal advice on what you intend to do with your recordings.
For incoming calls, many companies choose to play a recorded message announcing that calls may be recorded and the reason why, usually for training and security purposes. This allows businesses to use recordings for activities such as staff appraisals, compliance, checking service levels, and as evidence in the event of a dispute. For outgoing calls, agents must read a similar script at the start of any call that may be recorded.
Employees must by law be provided with a means to make private calls which will not be recorded, even if this is via a pay phone.
The other principles govern the preparations a business must make to become and remain compliant with the data regulations. Registering with the ICO is a requirement in case a complaint is made prompting an investigation by the Information Commissioner.
Data security is a key consideration in call recording compliance. Businesses are obliged to ensure that general network security, such as firewalls and encryption, is kept up to date and fit for purpose to prevent eavesdropping and theft by third parties. Procedures should also be put in place to ensure the safe storage of recorded calls, with permissions and access restricted to those who need to be able to hear the recordings, and access itself logged so that misuse can be detected.
There are no hard and fast rules on how long recorded calls can be stored. The onus is therefore on the business to be able to justify the length of time it keeps recordings for, and the justification should be tied to the purpose the recording was made for: indefinite storage for the sake of monitoring service levels is unlikely to be considered appropriate, but longer periods will be tolerated for security and dispute resolution.
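The retention principle above is easiest to keep to when it is enforced by a scheduled job rather than by memory. The following Python is an added example, not code from the original article or from any particular call recording product: it tags each recording with the purpose it was collected for, applies a retention period per purpose, keeps anything under a legal hold for an open dispute, and quarantines recordings whose purpose has no defined period rather than guessing. The purposes, day counts, recording identifiers and dates are constructed assumptions for illustration, not published limits.

```python
from dataclasses import dataclass
from datetime import date

# Assumed retention periods in days per recording purpose. These figures are
# illustrative; the business must set and justify its own.
RETENTION_DAYS = {
    "training": 90,
    "quality_monitoring": 90,
    "dispute": 2190,  # roughly six years, assumed to cover the limitation period for a claim
}


@dataclass
class Recording:
    recording_id: str
    recorded_on: date
    purpose: str          # the purpose announced to the caller when it was recorded
    legal_hold: bool = False  # set while the call is evidence in an open dispute


def retention_decision(rec, today):
    """Return (action, reason) for one recording. The reason is the audit justification."""
    if rec.purpose not in RETENTION_DAYS:
        # A recording with no justified purpose must not be used, but silently deleting
        # it could destroy evidence; park it for a human decision instead.
        return ("quarantine", f"no retention period defined for purpose {rec.purpose!r}")
    if rec.legal_hold:
        return ("keep", "legal hold: recording is needed for an open dispute")
    limit = RETENTION_DAYS[rec.purpose]
    age = (today - rec.recorded_on).days
    if age > limit:
        return ("delete", f"{age} days old exceeds the {limit}-day limit for {rec.purpose}")
    return ("keep", f"{age} days old, within the {limit}-day limit for {rec.purpose}")


def run_retention(recordings, today):
    """Apply the policy across a store and return the decisions as an audit log."""
    return [(r.recording_id, *retention_decision(r, today)) for r in recordings]


# Constructed sample store; dates are relative to the assumed run date below.
AS_OF = date(2017, 9, 1)
SAMPLE_RECORDINGS = [
    Recording("r1", date(2017, 5, 1), "training"),                   # 123 days: past limit
    Recording("r2", date(2017, 8, 1), "training"),                   # 31 days: within limit
    Recording("r3", date(2012, 1, 1), "dispute", legal_hold=True),   # old, but on hold
    Recording("r4", date(2010, 1, 1), "dispute"),                    # old, no hold: past limit
    Recording("r5", date(2017, 8, 20), "marketing"),                 # purpose never justified
]


def sample_run():
    """Convenience wrapper so the sample decisions can be inspected by id."""
    return {rid: action for rid, action, _ in run_retention(SAMPLE_RECORDINGS, AS_OF)}


if __name__ == "__main__":
    for rid, action, reason in run_retention(SAMPLE_RECORDINGS, AS_OF):
        print(f"{rid}: {action:10} {reason}")
```

The audit log produced by `run_retention` is the artefact to keep: it records, per recording, which purpose and which period justified the decision, which is exactly what a business needs to show if the ICO asks why a recording was still held.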
Businesses also need to bear in mind that there are special rules and regulations governing the recording of specific types of information. One example is PCI DSS, the card industry standard for handling payment card data: it prohibits storing the card security code (CVV) in any form after authorisation, including inside a call recording, and treats a recording that captures a full card number as stored cardholder data that must be protected accordingly. Contact centres typically meet this by pausing recording while card details are read out, or by taking the payment through a separate channel that is not recorded.
DPA Won’t Be Around Forever – GDPR is coming
On 25 May 2018, less than a year from the date this article was published, the DPA will be superseded by the GDPR (General Data Protection Regulation). You'll need to make sure that the following steps are taken before GDPR comes into force:
- Plan for security breaches with a clear framework of key policies
- Establish an accountability framework so that staff continually monitor data and review high-risk issues
- Get a competitive advantage by making sure that privacy is embedded into your processing systems
- Analyse personal data use, and make sure that your current documents and processes are well informed and clear
- Check policies and privacy notices and ensure that they are in a clear, accessible format
- Know your obligations and put your customers' minds at rest by implementing the new requirements
Information Commissioner Elizabeth Denham has warned there’s no time to delay in preparing for GDPR, calling it:
“The biggest change to data protection law for a generation”
We have further articles relating to GDPR; keep checking back, as more will be published over the coming year.
- Preparing for GDPR – Time to get a plan in place?
- 84% of UK Businesses are Unaware of GDPR
- Microsoft: The First Cloud Provider to Offer GDPR Contractual Commitments
- Call Recording and the GDPR: Preparing for the New Data Laws
- What Will the GDPR Era Mean for Communications?