GDPR: Recording Phone Calls

Most of us are familiar with the recorded messages at the start of phone calls that warn “this call may be recorded for compliance and training purposes”. Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection implications of call recording are perhaps more interesting.

Any conversation involves two people, so organisations need to think of two groups of data subjects before recording calls: staff and callers. For staff, the requirements are set out in Part 3 of the Information Commissioner’s Employment Practices Code:

  • There must be a clear purpose to the recording (page 60 mentions examples “to listen to as part of workers training, or simply to have a record to refer to in the event of a customer complaint about a worker”);
  • An impact assessment should be carried out, including identifying any possible alternatives;
  • Unless an exception applies, staff must be informed of the recording and the reason(s) for it.

From the caller’s side, the organisation needs to think about the legal justification for processing, the rights that callers will have over their personal data, and how long the recording will be kept. A few industries may have a legal obligation to record calls but normally – as the ICO’s examples indicate –this will be done to support a legitimate interest of the organisation. This justification involves three tests: is the purpose of processing legitimate, is the processing necessary to achieve that purpose, and can the risk to the data subject be reduced to a level where it does not override the organisation’s interest in the processing.

For example, identifying areas where helpdesk staff could benefit from training seems to be recognised by the ICO as legitimate, and listening to recordings is likely to identify needs that might not be discovered by other approaches. Reducing risk to callers will require controlling access to recordings, ensuring that those with access only use recordings for the specified purpose, and deleting recordings as soon as they have been checked. To improve service to its customers the organisation should want to do that as soon as possible after the call, even if it weren’t also a requirement under data protection law.

However, using a recording as an example in a training course seems much harder to justify under these criteria. If the caller’s or recipient’s voice is played back there is a risk – which the organisation cannot control – that trainer or trainees will identify them, either during the course or next time the individual calls. The same purpose can be as well, or better, achieved by using an anonymised transcript as an illustration, role-play, or script voiced by someone else. And an anonymised script doesn’t need to be deleted under a retention requirement or disclosed under a subject access request. However the balancing test still needs to be applied to the anonymisation process to protect the individuals’ interests – if they use distinctive phrases or styles of speech then the risk of identification from a transcript may still remain too high for the use to be acceptable.

Further legal and practical details can be found in an article from Wright Hassall

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *