Last updated: 
3 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: Recording Phone Calls

Tuesday, August 29, 2017 - 15:12

Most of us are familiar with the recorded messages at the start of phone calls that warn "this call may be recorded for compliance and training purposes". Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection implications of call recording are perhaps more interesting.

Any conversation involves two people, so organisations need to think of two groups of data subjects before recording calls: staff and callers. For staff, the requirements are set out in Part 3 of the Information Commissioner's Employment Practices Code:

  • There must be a clear purpose to the recording (page 60 mentions examples "to listen to as part of workers training, or simply to have a record to refer to in the event of a customer complaint about a worker");
  • An impact assessment should be carried out, including identifying any possible alternatives;
  • Unless an exception applies, staff must be informed of the recording and the reason(s) for it.

From the caller's side, the organisation needs to think about the legal justification for processing, the rights that callers will have over their personal data, and how long the recording will be kept. A few industries may have a legal obligation to record calls but normally – as the ICO's examples indicate –this will be done to support a legitimate interest of the organisation. This justification involves three tests: is the purpose of processing legitimate, is the processing necessary to achieve that purpose, and can the risk to the data subject be reduced to a level where it does not override the organisation's interest in the processing.

For example, identifying areas where helpdesk staff could benefit from training seems to be recognised by the ICO as legitimate, and listening to recordings is likely to identify needs that might not be discovered by other approaches. Reducing risk to callers will require controlling access to recordings, ensuring that those with access only use recordings for the specified purpose, and deleting recordings as soon as they have been checked. To improve service to its customers the organisation should want to do that as soon as possible after the call, even if it weren't also a requirement under data protection law.

However, using a recording as an example in a training course seems much harder to justify under these criteria. If the caller's or recipient's voice is played back there is a risk – which the organisation cannot control – that trainer or trainees will identify them, either during the course or next time the individual calls. The same purpose can be as well, or better, achieved by using an anonymised transcript as an illustration, role-play, or script voiced by someone else. And an anonymised script doesn't need to be deleted under a retention requirement or disclosed under a subject access request. However the balancing test still needs to be applied to the anonymisation process to protect the individuals' interests – if they use distinctive phrases or styles of speech then the risk of identification from a transcript may still remain too high for the use to be acceptable.

Further legal and practical details can be found in an article from Wright Hassall.