FAQs – Are You Staying on the Right Side of the Law?

Our expert panel provide answers about silent calls, screening your TPS data, and the use of smartwatches on the contact centre floor.

Outbound calling

Is there a difference between cold calling and calling customers that have created leads on our company’s website?

Yes. If the website makes it clear that you will call on the back of the enquiry and the person is explicitly asked to agree this, then they will be aware of the incoming call and their data won’t need to be screened against the TPS.

However, it is not safe to simply assume consent for the call ‘because the person contacted you’.

Should a call that has been classed as a “no answer” at the split second the customer picks up be classed as “silent”? We will always have these types of calls whatever ring time you select.

Ofcom are aware that this can happen. Several people pointed it out in their responses to the consultation.

Many responses made the point that completely eliminating silent calls is impossible because of this type of event.

It remains to be seen whether Ofcom try to maintain their zero tolerance approach or whether they accept that some silent calls are inevitable.

Can you define specifically what an “abandoned call” is in terms of outbound dialling?

An abandoned on outbound is where you are using a predictive dialler and you have dialled the call and then due to calculation reasons or bad luck you have more calls answered than agents available to speak to at the time.

There are strict timings on this. If the call cannot be answered by a live agent within 2 seconds, you have to play an information message telling the person who you are and giving them a number to phone back on.

The Ofcom regulations currently state that 3% of live calls is the maximum you can abandon.

If the rules are based on customer complaints, how does this work when trying to contact customers about arrears management? Could they make a complaint about a company trying to contact them as a way of avoiding payment?

The regulations relate specifically to direct marketing. Debt collection isn’t defined as direct marketing.

It is also important to note that the ICO only relies on consumers to highlight any issues and report companies seemingly not complying with the rules. This information is never taken at face value.

When individuals report to the ICO, they have to provide certain information. This is the point of the investigations team.

Even if the ICO did deem the complaint to be a case of direct marketing, they would first approach the organisation for evidence of consent.

How do multinational companies manage where there are conflicting laws from multiple jurisdictions?

It is unlikely that laws from multiple jurisdictions will contradict each other. There may be additional requirements, but adhering to all the requirements will act as a ‘belt and braces’ approach.

For Ofcom, their position has always been that they will go after the organisation on whose behalf calls are being made, regardless of where the call originates. Hence offshoring calling won’t protect a UK entity or the UK branch of a multinational.

Will the recent Memorandum of Understanding (MoU) with the ten communication providers give Ofcom the ability to investigate companies based on volume of calls and not volume of complaints?

Given that Ofcom must show ‘Unnecessary inconvenience, annoyance, or anxiety’, it is not clear whether high call volumes alone would be a problem because all of the calls could be welcome.

Details of the MoU aren’t clear, but Ofcom have historically struggled to identify calling organisations when complaints are raised because no CLI is provided.

From the wording of the MoU, it is possible that Ofcom is trying to get the service providers to give extra help in identifying the sources of calls. If so, this would be very good because, as it stands, Ofcom’s figures show that they cannot identify the calling party for around 70% of complaints.

You could also say that volume in its own right is only indicative of a problem. It might say that an organisation is engaging in a high-volume campaign, but it will not identify the type of campaign, whether the calls are silent or abandoned, which Ofcom deal with, or marketing calls, which the ICO deals with.

The initiative is only the start of a process that will allow the regulators and networks to determine whether there should be an intervention.

We’re a collections department calling out at 8.30am on Saturday morning. Is this deemed correct?

Assuming that this is referring to debt collecting, this type of call would not be caught by the regulations as it is not a direct marketing call.

The issue of time is not specified in the regulations. But if an organisation is contravening the regulations and calls are being made in the middle of the night, this can be a factor in deciding if substantial distress has been caused and would add to the case as an aggravating factor.

Where does customer satisfaction surveying (call or SMS) after a contact with a customer sit within the regulations? Is there a window in which it is best to ask the ‘how was it for you?’ question?

There would only be Ofcom concerns if the survey was re-sent because there had been no reply, for example – that might be annoying and potentially classed as misuse.

Practical considerations would suggest making contact soon after the call you’re asking about, just because the experience will be fresh in the person’s mind.

Strictly speaking, customer satisfaction or market research is not caught by the regulations (as long as this is truly the reason for the call).

Individuals may pursue complaints through the DMA, but there is nothing under the regulations.

At what point do you need to screen against TPS? What age or how old should the data be?

Screening against the TPS needs to be done prior to any direct marketing calls being made. It is not enough to phone to ‘check’ if it’s OK to make further calls (this would be classed as a marketing call in itself).

Neither Data Protection nor the regulations define how old data should be. (DPA states that data should not be kept for longer than necessary – although unspecific, this is because the legislation applies to all organisations processing personal data – what is a relevant time for a multinational bank will not be the same for a local plumber.)

However, for a new number added to TPS, the service says that calls should stop within 28 days. Therefore any process must ensure that data is screened at least every 28 days against the latest TPS list.

Also, if you have very old data and have never made contact with the individual, and then randomly contact them years later, there is a good chance there would be data protection issues – both in terms of retention and fair processing.

You need to think about whether the individual would reasonably expect a direct marketing call from you.

The Ofcom consultation period for the ‘Review of how we use our persistent misuse powers: Focus on silent and abandoned calls’ policy closed on 24th February 2016. When can we expect the revised policy to be published and implemented?

Ofcom are keen to get it done as soon as possible, and are already in the process of reviewing the responses.

It is expected that there will be a 2–3 month implementation period from when they publish the new policy.

Data security

Do you need to pause recording when a caller gives you direct debit details as opposed to credit card details?

Direct debit details are not covered by PCI compliance, but there are people who do pause both voice and screen recordings when handling direct debit details.

If you have the technology, it would be best practice to do this.

What is the general opinion on smartwatches, as they are able to record data but not easy to spot?

There is only so much that can be achieved with asking agents to strip themselves of any recording devices before they enter the contact centre.

The discreet presence of smartwatches supports the fact that it isn’t really a viable option to operate a genuine White Room environment.

Outbound messaging

Can you please clarify the opt-in requirements for any SMS campaigns?

Unsolicited direct marketing via SMS and electronic mail applies to individuals. It can only be used if the individual has consented to this type of communication.

The only exception to this would be the rules on a soft opt-in, which say:

Direct marketing via electronic mail can be sent where:

• The contact details of the individual have been obtained in the course of a sale/negotiation for the sale of a product or service
• The direct marketing is in respect of similar products and services
• An individual is given a simple means of refusing further direct marketing on every subsequent message

Can you clarify if a business will need the opt-in for SMS for admin purposes?

It is important to understand that the regulations apply only to direct marketing.

As such, an opt-in for SMS for admin would not be required (although you may have to check any s10 requests from individuals asking you to not process their data under the DPA).

But it is essential that an admin SMS does not contain any marketing (including aims and ideals of the organisation), as this would be caught by the regulations.

PCI compliance

PCI DSS requires that telephone calls that are being recorded prevent card payments being taken over the phone. Is it okay to have a single phone extension where there is no recording in order to take card payments?

This comes down to the card data environment.

If you have that single extension in a locked room with key pad entry, and the equipment that serves that locked room is completely separate from the rest of the contact centre, yes that would be an acceptable compensating control.

This is because you’ve made sure that the only place where you can access that data is that locked room.

It’s not very practical to do that, but this would count as successfully removing that card data from touching any human or equipment.

Is it common to ban mobile phones in call centres where credit card information is being collected?

It is if you are operating a White Room environment, where effectively the contact centre is still in scope and the card details are being passed through to the agent.

These environments ban writing materials and recording devices in addition to mobile phones. However, it is questionable whether a White Room is an accepted compensating control.

How bad is it, from a PCI point of view, to have pause and resume call recording – rather than having the full call length recorded?

The ability to guarantee that customers’ details are going to be safe is essential for any business. The only way to provide real payment card security for customers is to prevent contact centre agents from being exposed to critical card data recording technology.

‘Pause and resume’ poses potential risks because it is subject to the manual intervention of the agent and therefore provides challenges in achieving PCI compliance.

Ensuring compliance using this method is expensive and time consuming – compared with a solution that guarantees card information is never seen or heard by the call recipient, without interruption to the phone conversation and without any need to pause, suppress or manipulate voice recordings.

Solutions which use DTMF clamping technology, which enables customers to enter their card details directly into the telephone keypad without anyone ever seeing, hearing or being able to store the sensitive data, are much more efficient and compliant, and provide the greatest levels of security.

Transactions can take place at any point during the call and as advisors are no longer exposed to cardholder data, they can remain on the call throughout the payment process.

With thanks to:

• Natasha Longson at Information Commissioner’s Office (ICO)
  
• David Nicholls at DJN Solutions Ltd
• Darren Sullivan at Ultracomms

What has been your experience of staying on the right side of the law?