Call Recording: A UK Legal Perspective

Author: Charla Watts
Contents:

Executive summary
1. Introduction
2. The regulatory landscape
3. Personal data and sensitive personal data
4. The recording of business calls
5. The recording of personal calls
6. Informing parties that calls are being recorded
7. Storing call recordings
8. What are the risks of non-compliance?
9. The future
10. About the author
About BT smartnumbers

Executive summary

• Organisations are increasingly looking to record calls for compliance, dispute-resolution, training and quality control reasons. In some sectors, such as financial services, there are increasing regulatory requirements to do so.
• In the UK, any such call recording needs to be compliant with both the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA).
• The DPA applies because recording calls will generally result in the organisation obtaining personal data and, potentially, sensitive personal data. Call recordings do not actually need to be accessed or used before the DPA can apply - storing the recordings is enough.
• In general, business calls may be recorded without contravening the DPA if the benefits of recording outweigh any adverse impacts, and if appropriate steps are taken to satisfy the other data protection requirements that apply.
• In practice, however, organisations often allow employees to also make personal calls on business devices, or at least turn a blind eye to such personal calls. Although this is no doubt convenient for employees, it raises significant compliance issues.
• In particular, if there is a viable alternative option for ensuring that only business calls are recorded, while leaving personal calls private, then an organisation that disregards that option and instead implements a blanket recording policy for all calls may well be contravening the DPA and thereby exposing itself to the risk of significant reputational harm, a substantial fine, and other legal challenges.
• The new European General Data Protection Regulation (GDPR), which will replace the DPA in 2018, will significantly tighten data protection rules. The maximum fine for serious breaches will rise from £500,000 to a potentially vast 4% of total worldwide turnover.
• Organisations would be well-advised to start focusing on ensuring their call recording policies meet data protection requirements well in advance of these important changes.

1. Introduction

Organisations increasingly want to record their employees’ telephone calls, whether in response to regulatory requirements, or to meet other business needs. This makes it timely to consider the compliance issues that arise if calls are recorded, including the difficult question of how data protection requirements can be satisfied if employees are using their telephones to make personal as well as business calls.

Compliance is important in this context. In addition to the obvious risk of reputational harm, a failure to comply with data protection requirements can lead to a substantial fine and other legal challenges. Further, the risks of non-compliance will increase in the next few years as awareness of data protection issues continues to grow, and as new European legislation comes into effect to strengthen the governing regime.

2. The regulatory landscape

In the UK, the recording of employee telephone calls is regulated by three separate statutory schemes.

• The Data Protection Act 1998 (DPA), which regulates the handling of ‘personal data’ and ‘sensitive personal data’. The data does not actually need to be accessed or used in any way by a human being before the DPA can apply. It is enough if an organisation is simply storing the data electronically. The Information Commissioner is the independent regulator responsible for ensuring compliance with the DPA. The Information Commissioner has the power to impose fines and take other enforcement action. He has issued important guidance on applying the DPA in the present context in the form of his Employment Practices Code.

• The Regulation of Investigatory Powers Act 2000 (RIPA), which needs to be read with the Lawful Business Practice Regulations (LBP Regulations) made under it. RIPA places limits on when telephone calls can be recorded, while the LBP Regulations provide a basis for recording business calls without falling foul of RIPA. Irrespective of the DPA, the automated recording of a telephone conversation will in general contravene RIPA (by being unlawful ‘interception’) unless either all parties to the call consent, or the recording falls within the LBP Regulations. In essence the LBP Regulations permit a call recording policy so long as that policy is solely for the purpose of recording calls that are relevant to the organisation’s business.

• The Human Rights Act 1998 (HRA) and the right to privacy that it contains. In practice, however, the HRA is unlikely to add anything to what the DPA requires (and it does not directly apply to the private sector in any event). It can therefore generally be assumed that organisations that achieve compliance with the DPA will not be at risk of breaching the HRA.

3. Personal data and sensitive personal data

The DPA applies if an organisation is recording ‘personal data’ or ‘sensitive personal data’. It is therefore important to clarify when the recording of a business call may result in such data being recorded. But the same analysis also needs to be done for personal calls, because organisations will often explicitly allow employees to use business devices for personal matters, or at least turn a blind eye to such use.

The concept of ‘personal data’ is somewhat technical, and there are borderline cases which can give rise to legal debates. However, for the purposes of considering the compliance issues surrounding call recording, it is sufficient to know that information which is held electronically about identifiable individuals generally amounts to their personal data, even if it is relatively innocuous. So, for example, an organisation that records a business call in which a customer gives her home address is thereby recording personal data about that customer (namely, her home address). Given this breadth in the definition of personal data, it is clear that recordings of business calls will frequently contain such data.

Certain forms of personal data are classified as ‘sensitive’, and they are more restrictively regulated by the DPA than non-sensitive personal data. Examples of sensitive personal data include information about an individual’s racial or ethnic origin, religious beliefs, sexual life and mental or physical health. The likelihood that recording business calls will result in the recording of sensitive personal data depends on context. For instance, it is obvious that a health insurance business that records calls with customers will frequently be recording sensitive personal data in the form of health information. Nevertheless, for most organisations, it should in general be unlikely that any given business call will stray into areas that constitute sensitive personal data.

If, however, an organisation records personal calls in addition to business calls (for instance, because the same devices are being used for both) then sensitive personal data may well be obtained. A simple example would be a personal call in which an employee discusses his health with his spouse.

One final point should be noted. In the above examples the personal data relate to one or other of the parties to the recorded call. But it is also possible that the personal data or sensitive personal data that are obtained will relate to a third party. For instance, an employee may call her spouse to discuss the health of their child. If this call were recorded then the child’s sensitive personal data would be obtained (in addition to any personal data or sensitive personal data relating to the employee and her spouse).

The position may be summarised as follows. The recording of business calls will frequently capture personal data, but, at least for most organisations, it ought not in general to capture sensitive personal data. By contrast, if personal calls are recorded, then - irrespective of the nature of the organisation’s business - it can readily be anticipated that sensitive personal data will also be captured, and that some of that data will relate to individuals who are not themselves parties to the calls in question.

4. The recording of business calls

Unless an organisation’s business calls routinely involve sensitive personal data, the basic test for whether recording those calls on a systematic basis complies with the DPA is whether any adverse impacts that result from recording (including intrusions into privacy) are justified by the benefits of recording for the organisation, or society generally.

If the business calls are being recorded to satisfy a specific regulatory requirement, such as arise in the financial sector, then it will be safe to assume that this basic test is satisfied. In other cases, the organisation should conduct what is known as an ‘impact assessment’ to decide whether what is proposed satisfies the basic test. An impact assessment involves the following five steps:

1. Identifying clearly the purpose(s) of the proposed recording policy, and its likely benefits.
2. Identifying any likely adverse impacts of the policy, particularly in the form of intrusions into privacy.
3. Giving thought to whether some other less intrusive approach could deliver the benefits sought.
4. Checking that employees will be appropriately informed of the organisation’s policy on recording calls, and that any recordings will be handled appropriately (see below); and bearing in mind the right of individuals to request copies of their personal data.
5. Judging whether, overall, the proposed recording policy is justified.

In general, the less the business calls focus on the particular circumstances of individuals, the less recording those calls will intrude into privacy.

If the basic test is satisfied then the recording policy can in principle be implemented. Before doing so, however, the organisation should:

• Inform employees of the policy and the justification(s) for it, together with the use to which the recordings will or may be put.
• Ensure that its privacy notice (which summarises how it uses the personal data of those outside the organisation) reflects the policy.

If, given the particular organisation at issue, business calls are likely to routinely involve sensitive personal data then specialist advice should be sought on whether call recording can comply with the DPA and, in particular, can satisfy one of the so-called ‘Schedule 3 conditions’.

5. The recording of personal calls

As already explained, recording personal calls can result in sensitive personal data being obtained, and some of the sensitive personal data may relate to individuals who are not parties to those calls. These two features make it much harder to record personal calls without contravening the DPA.

While an organisation may record and store sensitive personal data if the individual in question has explicitly consented, in practice consent of this type is unlikely to provide a means of achieving compliance with the DPA. In particular, while employees may in principle be able to provide explicit consent (by, for instance, signing relevant waiver documentation), it is harder to reliably obtain such explicit consent from individuals outside the organisation who are parties to personal calls. Furthermore, it will be all but impossible to obtain such explicit consent from all third parties whose sensitive personal data might be discussed during personal calls.

In the absence of explicit consent the DPA permits sensitive personal data to be obtained for certain specified purposes set out in what are known as the ‘Schedule 3 conditions’. One purpose is ‘exercising or performing any right or obligation which is conferred or imposed by law … in connection with employment’ (which includes, for instance, health and safety obligations). But even if one of these specified purposes can in principle be relied on - and their scope is rather limited - the recording must also be ‘necessary’ for that purpose. This is a version of the basic test mentioned above: whether the adverse impacts that result from recording are justified by the benefits of recording. However, in the case of personal calls and sensitive personal data, the Information Commissioner has made clear that the adverse impacts need to be given very significant weight in the balancing exercise.

What are the practical implications of this? Assume that an organisation wants to record all its business calls, and is considering adopting a blanket recording policy to achieve that, but at least some of the telephone lines in question (whether mobile or fixed-line) are in practice also used for at least some personal calls. A blanket policy will obviously lead to those personal calls being recorded, which in turn means that the organisation is likely to be recording sensitive personal data. Even if that is only inadvertent, the fact that the organisation is likely to be recording sensitive personal data will in turn attract much greater scrutiny of its recording policy, and make it significantly harder for the organisation to establish that it complies with the DPA. In addition, holding such records of sensitive personal data may also complicate employment disputes if, for instance, an employee claims discrimination on the basis of something that the recorded data allegedly reveals about him or her.

Will an organisation that nevertheless adopts a blanket policy in this scenario be able to show that it has complied with the DPA? The key issue will be whether the organisation can properly conclude, when applying the basic test, that the potentially very significant intrusions into privacy that result from recording of personal calls are no more than is necessary to achieve the underlying aim of ensuring that all business calls are recorded. As part of this, the organisation will need to carefully consider whether there is any viable alternative option for ensuring that all business calls are recorded without recording personal calls. Assuming that a viable option exists for ensuring that only business calls are recorded (including, if relevant, on mobile devices), then an organisation that disregards that option and instead implements a blanket policy of recording all calls is likely to find it very difficult to justify its approach from a DPA perspective. In other words, if a viable option exists for ensuring that only business calls are recorded then an organisation may well in practice have to adopt it in order to comply with the DPA.

The final issue is whether this compliance can alternatively be achieved by policy only – notably by the creation of a staff policy that prohibits employees from making personal calls on business devices. Anecdotal evidence suggests that some organisations have adopted or at least considered adopting this approach. If a staff policy of this type is in place, and if it is generally complied with and enforced, then an organisation can reasonably argue that a blanket recording policy is justified because all recorded calls should be business calls. However, if a staff policy of this type is in place but in practice it is not complied with or enforced, then the Information Commissioner’s view appears to be that merely having such a policy will not justify blanket recording. In other words, a staff policy that prohibits personal calls but that does not in practice reflect the reality is unlikely to save an organisation that knows or should know that it is recording sensitive personal data in a way that may not comply with the DPA’s stringent requirements.

6. Informing parties that calls are being recorded

As noted above, the DPA requires that employees be informed of any systematic recording policy that will affect them. The LBP Regulations effectively impose this same requirement.

Should individuals outside the organisation who make calls to, or receive calls from, employees also be informed of the recording policy? The LBP Regulations do not require this. As regards the DPA, any call recording policy should be referred to in an appropriate section of the organisation’s website (such as the ‘contact us’ page).

Is anything else required? The Information Commissioner has stated that individuals should generally expect that organisations will record calls, so that they do not need to be specifically informed of this during calls (for instance, by way of a recorded message). There are signs that business practice increasingly reflects this. In general, therefore, if individuals outside an organisation would generally expect that their calls might be recorded by that organisation then the DPA is unlikely to require that those individuals be specifically informed of any recording policy during each call. (The Information Commissioner’s position on this issue is not however entirely clear, and if it would not be ‘obvious’ in the particular context at issue that recording might occur, then the Code of Practice advises organisations to consider using a recorded message, or instructing their employees, to inform callers of this.)

7. Storing call recordings

Assuming that calls can be recorded in compliance with the DPA, the final data protection issue is how those recordings should subsequently be handled. The key points are as follows:

• The recordings must be securely stored.
• The number of employees who have access to recorded calls should be kept to a minimum, and they should be subject to appropriate confidentiality requirements and given appropriate data protection training.
• Unless there is a regulatory requirement to keep the recordings for a particular time period, the organisation will have to fix its own retention period. This should be no longer than is necessary to achieve the purposes of the recording policy. The recordings must be erased after the end of the retention period.

If an organisation is keeping calls because of a regulatory requirement then it should watch out for any changes in that requirement, and adjust its systems accordingly. For instance, in the financial services sector, the current retention period of 6 months (under COBS 11.8 in the FCA’s current Handbook) is set to change to 5 years (under MiFID II).

8. What are the risks of non-compliance?

Recording policies that fail to properly respect the privacy of employees may undermine relations between management and staff. In addition, breaches of the DPA can generate bad publicity for organisations, and undermine the trust of customers and partners. These are significant matters. The competent handling of personal data is increasingly becoming essential to many businesses, and awareness of the importance of data protection is increasing.

In addition, breaches of the DPA can lead to serious legal consequences. The Information Commissioner has power to investigate compliance with the DPA, and may issue fines of up to £500,000 for serious breaches. Further, there is an increasing trend of litigation by individuals, groups and NGOs to challenge perceived non-compliance with the DPA, with attendant risks of legal costs, and the possibility of damages awards.

Finally, it should of course be noted that organisations that are required to record calls for regulatory reasons risk enforcement action if they fail to do so.

9. The future

The importance of ensuring compliance with data protection rules is only going to increase in the next few years. The new European General Data Protection Regulation (GDPR) will be coming into force in 2018, when it will replace the DPA. Even prior to its implementation the GDPR will focus attention on data protection issues. After it has come into force the GDPR will tighten the rules, and substantially increase the penalties for breaches. The maximum fine for serious breaches will in particular rise from the current £500,000 to a potentially vast 4% of total worldwide turnover. Organisations would be well-advised to start focusing on compliance well in advance of these important changes.

RIPA is also being replaced. A new Act is expected by the end of 2016. At present the Government does not appear to want to change the regime governing the recording of business calls, but it would nevertheless be prudent to keep this position under review.

10. About the author

Ben Hooper is an expert on data protection and privacy. From 2000 to 2015, Ben was a Barrister at 11KBW, a leading set of chambers in public and information law. He specialised in data protection and the right to privacy, and was ranked in the top 4 junior counsel in England for data protection and information law. He acted for and advised UK Government Departments and regulators, including the Information Commissioner, as well as regulated entities in the technology and telecoms sectors. Ben is now an independent consultant providing strategic advice to companies on regulatory issues and trends, including in particular in the fields of data protection and privacy.

About BT smartnumbers

The creation of this eBook was sponsored by BT smartnumbers, a service designed to meet the compliance and legal obligations of organisations that need to record business telephone calls. BT smartnumbers enables conversations on both fixed and mobile lines to be recorded, and provides a number of unique features that make it ideally suited to meet these legal and regulatory requirements, including:

• Within a single device, enables business calls to be recorded while personal calls remain strictly private.
• Automatically stores a record of business conversations for a period of 5 years or longer in a highly secure, encrypted online vault.
• Reflects the fact that many calls are often joined by multiple third parties, or delegated to staff who may be working from fixed, mobile or IP devices. Any and all calls, even delegated calls, are recorded.

BT smartnumbers works across all UK fixed and mobile networks, enabling an organisation to keep its existing network provider while enabling call recording as an overlay service from the cloud.

This eBook is not intended to be a source of legal advice, and should not be relied on as such.

Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2015. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: 1800000

Get in touch: To find out more about call recording: a legal perspective, call our sales team on 020 3162 3030 or visit www.btsmartnumbers.com