Data Protection Act, GDPR, Consumer Duty, and Call Recording Laws in the UK

A group of files saying data, confidential, company and clients

We explore the Data Protection Act and GDPR regulations, focusing on call recordings, as well as referencing other relevant law and the impact of Consumer Duty – along with a handy FAQ section.

A Summary of the Data Protection Act

The Data Protection Act (DPA) is a fundamental piece of UK law that governs the protection of personal data.

The 1998 Act is the most recent iteration of the law, supplanting an earlier statute from 1984.

The Act itself does not mention privacy, but was ratified by UK parliament to bring UK law into line with the 1995 European Data Protection Directive, which enshrines European citizens’ right to privacy regarding the processing of their personal data.

Although there are some exemptions, any individual or organisation retaining personal data for anything other than domestic (personal) purposes is legally obliged by the government to comply with the Data Protection Act.

The Eight DPA principles

The Act itself sets down eight data protection principles, which can be read in full, together with compliance examples, on the Information Commissioner’s Office (ICO) website: ICO Data Protection Guide

In layman’s terms, the principles are as follows:

1. Data can only be used for the explicit purpose for which it was gathered.

2. Data cannot be released to a third party without the consent of the individual it refers to, unless there is a lawful reason to do so – for instance, the prevention or detection of criminal activity.

3. Citizens have a legal right to access any data held about them in most circumstances. Exclusions might apply if information is held for the prevention or detection of criminal activity.

4. Personal data cannot be kept for longer than is necessary and must be kept up to date.

5. All organisations that process personal data must be enrolled onto the Register of Data Controllers database, which is managed by the ICO. Only a few organisations that conduct the simplest forms of processing are exempt from this rule.

6. If personal data is factually incorrect, the individual that information pertains to has a legal right to see that it is corrected.

7. Any organisation or individual holding personal data for anything other than domestic purposes is required to have appropriate technical and organisational measures in place. These might include technical security features such as network firewalls and organisational security features such as the provision of relevant staff training.

8. Personal data cannot be transferred outside the European Economic Area unless the individual it pertains to has given their consent, or unless the country or territory it is being sent to can ensure adequate protections are in place.

How the Act Applies to Customer Call Recordings

The term ‘call recording’ is not specifically mentioned anywhere in the DPA, which may suggest that the law is open to interpretation.

That said, the Act does explicitly refer to the ‘processing’ of information or data as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

a) organisation, adaptation or alteration of the information or data

b) retrieval, consultation or use of the information or data

c) disclosure of the information or data by transmission, dissemination or otherwise making available;

d) alignment, combination, blocking, erasure or destruction of the information or data.”

Arguably, then, any telephone call recording undertaken and retained by a contact centre, be it for training purposes or for subsequent data entry, could be construed as data that is being ‘processed’.

It is therefore advisable for contact centres to protect call recordings in the same way they would protect any digital or written data where the customer can be identified by that information and so are susceptible to a data breach.

obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data

An example of how this might be is when a contact centre manager burns a disk of call recordings which they intend to analyse for quality purposes and to assess individual agent performance. If the disk identifies individual callers and their personal data, and is subsequently accidentally left on a train or in a café, then the security of those individuals may be breached.

How to Keep Call Recordings Within DPA Guidelines

Anyone concerned about the DPA as it pertains to call recordings should refer to the ICO website, which contains good-practice notes, technical guidance, legal clarification and a compliance audit manual that can be used by data controllers such as contact centres.

Go to: ICO Data Protection Guide

As a starting point, the ICO website also provides the following checklist, which can be used by organisations that want to gain an overview of their conformance:

  • Do I really need this information about an individual? Do I know what I’m going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Is access to personal information limited to those with a strict need to know?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete or destroy personal information as soon as I have no more need for it?
  • Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
  • Do I need to notify the Information Commissioner, and if so, is my notification up to date?

Legal Ramifications of Non-Compliance

Historically, the ICO’s powers allowed it to:

  • Carry out assessments to check whether organisations are compliant with the Act.
  • Serve information notices requiring organisations to provide the ICO with specified information within a certain time period.
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take – or refrain from taking – specified steps to ensure they are DPA-compliant.
  • Prosecute those who commit criminal offences under the Act.
  • Conduct audits to assess whether those organisations processing personal data are following good practice.
  • Report to Parliament on data protection issues of concern.

However, from 6 April 2010, new powers came into being giving the ICO authority to issue monetary penalties of up to £500,000 for data controllers found to be in serious breach of the DPA.

For more information, go to: ICO Monetary Penalties Guidance

The DPA, Call Recording and Employees

If an employer monitors its staff by collecting or using information about them – for instance, if it assembles call recordings for quality assessment and training purposes – the Data Protection Act applies in the same way as it does for customers.

With this in mind, the ICO published an Employment Practices Data Protection Code in 2003, which contains guidance notes for organisations on monitoring employees at work.

Go to: ICO Employment Practices Data Protection Code

While the Code is not legally binding, it does contain guiding principles as to how the legal requirements of the DPA can be met. Employers may well have different ways of meeting these requirements, but doing nothing could mean that they break the law.

In simple terms, the Code states that employees should be made aware if their calls are being monitored. By definition, such monitoring includes call recording, which is generally undertaken for training and evaluation purposes. The guidelines also advise that employees should be told exactly why their calls are being recorded.

The Impact of GDPR on Call Recordings

Until May 2018, the DPA was how the industry was guided, in terms of using call recordings. Yet, GDPR has since inflicted stricter measures on how contact centres, serving EU customers, are to do so.

Firstly, an individual now has the right to request the erasure of all their personal data, without undue delay. This not only includes all call recordings, but all data records also. So, advisors need to be trained in how to deal with requests to erase recordings and access personal data.

Secondly, as Atiq Rehman of Business Systems reported in our article “How Will GDPR Affect the Call Centre Industry?“, organisations now need to justify their call recordings in one of the following six ways:

1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary to fulfil a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call

While many contact centres used to state that call recordings are for quality and training purposes, GDPR has since caused contact centres to focus on how to gain consent from customers. This has forced contact centres to alter recording policies, define their needs and work out innovative ways to obtain the consent of the individual.

Did You Know? The Introduction of Consumer Duty Will Also Impact on the Data Protection Act, GDPR, and Call Recording Laws

Data Protection Act (DPA) and GDPR:

  • The Consumer Duty emphasises the importance of respecting customers’ varied needs, including those in vulnerable circumstances, and providing clear and understandable communications. This aligns with the principles of data protection and privacy outlined in the DPA and GDPR.
  • Firms will need to ensure that they handle customer data responsibly, transparently, and securely. This includes obtaining explicit consent for data processing activities, informing customers about how their data will be used, and ensuring that data is only used for legitimate purposes aligned with the Consumer Duty‘s objectives.
  • The requirement to offer genuinely helpful customer support that is easy to access also implies that firms must handle customer inquiries and requests related to data protection rights (such as access, rectification, and erasure) promptly and efficiently.
  • Compliance with the Consumer Duty will likely necessitate adjustments to firms’ data handling practices, including enhanced data governance frameworks, staff training on data protection principles, and robust mechanisms for monitoring and auditing data processing activities.

Call Recording Laws:

  • The Consumer Duty emphasises the importance of clear, fair, and not misleading communications with customers. This extends to interactions conducted over the phone, including call recordings.
  • Firms must ensure that any call recordings adhere to legal requirements, including provisions related to consent, notification, and data retention periods. Customers should be informed at the beginning of the call that it is being recorded and provided with options to opt-out if they do not wish to be recorded.
  • Additionally, call recordings must be stored securely and used only for lawful purposes, such as training, quality assurance, dispute resolution, or regulatory compliance.
  • With the Consumer Duty‘s focus on delivering good outcomes for retail customers, firms may need to review their call recording practices to ensure that they support the objectives of the Duty, such as enabling effective communication and understanding between firms and customers.

As James Edmonds, Director of Investor in Customers Ltd comments:

“I’m witnessing Consumer Duty’s profound impact across financial services. From contact centres to marketing, CX to sales and beyond, it’s reshaping how financial services engage with customers through the end-to-end customer lifecycle.

“In contact centres, it’s about anticipating needs and fostering transparency in call recordings. Marketing must prioritise clarity, CX needs empathy, and sales must focus on enhancing financial well-being.

Consumer Duty isn’t just a regulatory mandate; it’s a call to reimagine every aspect of companies’ operations, centred on consumer empowerment and protection. Embracing it as an opportunity will set organisations apart in the evolution of financial services.”

Frequently Asked Questions

Is call recording legal?

Monitoring communications made to a confidential voice-telephony counselling or support service which is free of charge (other than the cost, if any, of making a telephone call) and operated in such a way that users may remain anonymous if they so choose.

The short answer is yes, it is legal to record phone calls – provided that you do not breach the Data Protection Act and the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000, as well as a number of other regulations.

Can a company record conversations that they have with the customer without telling them?

According to the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000, call recordings can be done for the purpose of:

“Monitoring communications made to a confidential voice-telephony counselling or support service which is free of charge (other than the cost, if any, of making a telephone call) and operated in such a way that users may remain anonymous if they so choose.”  Section 3 – (1c)

This law can therefore protect anonymous recordings in contact centres, but you can also record phone calls for the purpose of doing the following:

  • Establishing facts and evidence for business transactions
  • Ensuring compliance with regulatory or self-regulatory practices
  • Ascertaining and demonstrating that standards are being met
  • Defending national security
  • Preventing or detecting crime
  • Investigating or detecting the unauthorised use of that or any other telecommunication system
  • Safeguarding the effective operation of the telecommunications system

Yet, as noted earlier, the ICO’s Employment Practices Data Protection Code does note that staff should be made aware that their calls are being recorded.

How long can the company hold customer information for?

There is no limit for how long companies keep recorded phone calls, although in some industries there is a minimum amount of time that recordings must be kept for.

This follows the fifth principle of the Data Protection Act 1998, which requires each company to make a judgement based on:

  • The current and future value of the information
  • The costs, risks and liabilities associated with retaining the information
  • The ease or difficulty of making sure it remains accurate and up to date

So, this is why it varies from industry to industry. For example, an insurance policy quote is only held for 15 months if it is not enacted, but organisations that conduct simple processes can be exempt from this rule entirely.

Can the customer access the call recordings that the company makes?

The customer can ask for a copy of a recorded phone call. A request can be made for a copy of the recording under data protection legislation and is known as a “subject access request”.

Under the Data Protection Act, you can make a subject access request from “data controllers”, which includes contact centres, for both paper and computer records, as well as for any related information.

Requests for information are usually free. However, organisations can charge an administrative cost in some circumstances.

Can a company pass on the recording without the consent of the customer?

Only in specific situations, such as in legal disputes, or where law enforcement agencies have requested copies.

According to the ICO, these situations include:

  • A hospital where you have had an operation shares information with your GP so that you can be looked after properly once you’ve been discharged.
  • A teacher, social worker and health professional share information about a child so the child’s needs can be addressed.
  • A local authority shares information with the Department for Work and Pensions (DWP) to allow it to work out a pensioner’s application for housing benefit.
  • The police share information with a local authority to help counter antisocial behaviour in the area.
  • Credit referencing, where lenders consult a credit reference agency to check your financial standing when you apply for credit.

For any other reason, businesses/organisations will most likely require the customer’s consent.

–  Thanks to Trevor Davis at Enghouse Interactive

What is a data breach?

A data breach involves someone viewing and perhaps even stealing unauthorised information. In the contact centre, this could include a customer’s personally identifiable information or their intellectual property.

What is a privacy notice?

Privacy notices are made compulsory when a business/organisation attains personal information from customers, to guarantee that it will not be released, under the Data Protect Act.

For more, read our article: FAQs – Are You Staying on the Right Side of the Law?

Relevant links

A full copy of the 1998 DPA can be found at:

An annotated version of the 1998 DPA, including references to laws that have impacted on the DPA since its introduction, can be found at:

Further Reading

Thanks to the following for sending in information that was used in this article:

– Alex Coxon
– NICE Systems
– Sabio
– Verint

Originally published on 14th March 2013. Recently updated.

Author: Jonty Pearce
Reviewed by: Jo Robinson

Published On: 8th Mar 2017 - Last modified: 22nd Apr 2024
Read more about - Technology, , , , , , , , ,

Follow Us on LinkedIn

Recommended Articles

Call Recording Guidelines
What are the Legislations on Call Recording?
Data Protection Act
Data Protection Question
A photo of justice scales
Understanding Customer Service Call Recording Laws
  • sorry to be picky but you have not properly reflected the 8 data protection principles on your page

    For instance there is no principle requiring Notification or Registration – this is another obligation of a data controller but NOT one of the 8 principles. There is no specific principle about transferring data to 3rd parties – that is caught in the 1st (fair and lawful) 2nd (specified purposes) and 7th (secure) principles.

    Phil Brining 4 Feb at 13:28
  • Can my employer play my calls to one of my colleagues without my permission.

    Kelly-Jayne Norton 30 Mar at 13:07
  • The short answer to this is probably yes. You will probably find that this is contained in your employment terms and conditions.

    Jonty Pearce 4 Apr at 16:37
  • I requested a copy of a telephone recording from a company and , after about 6 weeks, they wrote to say that the call was not recorded.
    I don’t believe them since I know that the recording would prove that they have lied about me.

    Is there a Data Protection body that I can ask to investigate?

    Thank you.

    Linda Kelly 20 Apr at 14:57
  • In regards to Telephone – where a customer has expressed to be opted out – how long does this have to be kept for suppression? especially in a b2b environment.

    ie if I had DNR requests from 18 years ago, could I in theory remove anything older than 7 years, under the premise of not keeping data longer than necessary?

    Chris 23 May at 12:52
  • You have to keep customer data for a reasonable period of time. If a customer opted out 18 years ago they will still be opted out now. So you would have to keep that opt out record.

    Jonty Pearce 25 May at 15:11
  • If the company you call has a pre-recorded message stating that they are recording the call for possible training purposes – does this mean they may not use it in court?

    Sooty 25 May at 14:22
  • I see no reason why the call recordings could not be used in court. Typically they say that the calls are used for training AND quality purposes. The key thing is that the caller had a reasonable expectation that the call was being recorded. Having said in a court case it could be argued that the recording was inadmissible as it was not obtained for that purpose.

    Jonty Pearce 25 May at 15:09
  • My mobile number has been cloned by a different network provider than the one I’m currently on and it’s been 2 days and the network provider in question still has not suspended my number on their network and someone is able to receive my texts and calls and access anything else that is possible with my mobile number are they in breach of my data protection?

    John duchan 26 May at 21:29
  • If your mobile number has been cloned by a different network provider, then there is a good chance that your data protection has been breached. It is then possible that you can claim compensation as a result.
    The ICO site is a bit vague about what this can be, and you would have to take the provider to small claims court.

    Jonty Pearce 30 May at 16:50
  • I requested a copy of call recordings made to my bank regarding my current account. They refused as the calls were made by a third party who fraudulently accessed the account, with the bank stating that as the caller was not me then it was a breach to allow me to listen to another person on the call.
    The bank failed in it’s security procedures when allowing this other person access to our account by not carrying out the standard of checks that it should have done (the first advisor we spoke to was shocked at how poor the operator handled the call), but complaints refused us the recordings. Is this correct?

    M Swinburn 23 Jun at 15:11
  • HI can you recommend any best practice data protection/ breach metrics that would focus on raising the profile of this positively in a front office environment?

    KN 26 Jun at 15:43
  • Surely with the new GDPR rules arriving all of this is now out of date??

    Paul Conaty 16 Aug at 10:33
  • I work in a bank and have a specific question if you ring a customer and tell the customer on the first call that’s calls are recorded for training and monitoring , and the customer knows this then you leave the call whilst customer needs to go check on something , you then ring them back after 10 mins you do all ID and know this is the same customer ! Do you need to repeat again calls are recorded again ???

    Joanne Frazer 18 Aug at 02:38
  • No you don’t need to tell them again. As long as you have told the customer once, then they would know that your calls are being recorded.

    Jonty Pearce 19 Aug at 14:25
  • So what happens if a call centre doesn’t buy data and just uses a public directory

    ANONYMOUS 27 Sep at 17:29