Data Protection Act and Call Recording
A summary of the Data Protection Act
The Data Protection Act (DPA) is a fundamental piece of UK law that governs the protection of personal data. The 1998 Act is the most recent iteration of the law, supplanting an earlier statute from 1984. The Act itself does not mention privacy, but was ratified by UK parliament to bring UK law into line with the 1995 European Data Protection Directive, which enshrines European citizens' right to privacy regarding the processing of their personal data.
Although there are some exemptions, any individual or organisation retaining personal data for anything other than domestic (personal) purposes is legally obliged to comply with the Data Protection Act.
The eight principles of the DPA
The Act itself sets down eight data protection principles, which can be read in full, together with compliance examples, on the Information Commissioner’s Office (ICO) website: ICO Data Protection Guide
In layman’s terms, the principles are as follows:
- Data can only be used for the explicit purpose for which it was gathered.
- Data cannot be released to a third party without the consent of the individual it refers to, unless there is a lawful reason to do so – for instance, the prevention or detection of criminal activity.
- Citizens have a legal right to access any data held about them in most circumstances. Exclusions might apply if information is held for the prevention or detection of criminal activity.
- Personal data cannot be kept for longer than is necessary and must be kept up to date.
- All organisations that process personal data must be enrolled onto the Register of Data Controllers database, which is managed by the ICO. Only a few organisations that conduct the simplest forms of processing are exempt from this rule.
- If personal data is factually incorrect, the individual that information pertains to has a legal right to see that it is corrected.
- Any organisation or individual holding personal data for anything other than domestic purposes is required to have appropriate technical and organisational measures in place. These might include technical security features such as network firewalls and organisational security features such as the provision of relevant staff training.
- Personal data cannot be transferred outside the European Economic Area unless the individual it pertains to has given their consent, or unless the country or territory it is being sent to can ensure adequate protections are in place.
How the Act applies to customer call recordings
The term 'call recording' is not specifically mentioned anywhere in the DPA, which may suggest that the law is open to interpretation.
That said, the Act does explicitly refer to the 'processing' of information or data as "obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: a) organisation, adaptation or alteration of the information or data; b) retrieval, consultation or use of the information or data; c) disclosure of the information or data by transmission, dissemination or otherwise making available; or d) alignment, combination, blocking, erasure or destruction of the information or data."
Arguably, then, any call recording undertaken and retained by a contact centre – be it for training purposes or for subsequent data entry – could be construed as data that is being ‘processed’. It is therefore advisable for contact centres to protect call recordings in the same way they would protect any digital or written data where the customer can be identified by that information and so are susceptible to a data breach.
An example of how this might be is when a contact centre manager burns a disc of call recordings which they intend to analyse for quality purposes and to assess individual agent performance. If the disc identifies individual callers and their personal data, and is subsequently accidentally left on a train or in a café, then the security of those individuals may be breached.
How to keep call recordings within DPA guidelines
Anyone concerned about the DPA as it pertains to call recordings should refer to the ICO website, which contains good practice notes, technical guidance, legal clarification and a compliance audit manual that can be used by data controllers such as contact centres.
Go to: ICO Data Protection Guide
As a starting point, the ICO website also provides the following checklist, which can be used by organisations that want to gain an overview of their conformance:
- Do I really need this information about an individual? Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
- Do I need to notify the Information Commissioner and if so is my notification up to date?
Legal ramifications of non-compliance
Call Centre Helper is not aware of any case brought by the ICO in which a contact centre has been found in breach of the DPA in specific reference to call recordings. However, in April 2009, the ICO did ask Doncaster Primary Care Trust to sign a formal undertaking to comply with the seventh data protection principle following the unauthorised removal of an obsolete out-of-hours GP service voice recording server that held personal data in the form of 220,000 clinical voice records.
Historically, the ICO’s powers allowed it to:
- Carry out assessments to check whether organisations are compliant with the Act.
- Serve information notices requiring organisations to provide the ICO with specified information within a certain time period.
- Serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take – or refrain from taking – specified steps to ensure they are DPA-compliant.
- Prosecute those who commit criminal offences under the Act.
- Conduct audits to assess whether those organisations processing personal data are following good practice.
- Report to Parliament on data protection issues of concern.
However, from 6 April 2010, new powers are expected to come into being, giving the ICO authority to issue monetary penalties of up to £500,000 for data controllers found to be in serious breach of the DPA.
For more information, go to: ICO Monetary Penalties Guidance
The DPA, call recording and employees
If an employer monitors its staff by collecting or using information about them – for instance, if it assembles call recordings for quality assessment and training purpose – the Data Protection Act applies in the same way as it does for customers.
With this in mind, the ICO published an Employment Practices Data Protection Code in 2003, which contains guidance notes for organisations on monitoring employees at work.
While the Code is not legally binding, it does contain guiding principles as to how the legal requirements of the DPA can be met. Employers may well have different ways of meeting these requirements, but doing nothing could mean that they break the law.
In simple terms, the Code states that employees should be made aware if their calls are being monitored. By definition, such monitoring includes call recording, which is generally undertaken for training and evaluation purposes. The guidelines also advise that employees should be told why exactly why their calls are being recorded.
A full copy of the 1998 DPA can be found at: www.opsi.gov.uk
An annotated version of the 1998 DPA, including references to laws that have impacted on the DPA since its introduction, can be found at: www.statutelaw.gov.uk