Updated March 2018
Actually trying to determine what the law on call recording is turns out to be difficult. We have tried to set out the position as it stands in February 2019 in the UK below. Putting this together has taken many hours, but we still do not feel like experts and we are certainly not lawyers. However, we do hope that we have brought some clarification for those who seek it.
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, has a major impact on the situation. It supersedes the Data Protection Act 1998, so we have amended the notes to show the new position as we see it.
What is the UK law?
The recording and monitoring of telephone calls is governed by a number of different pieces of UK legislation.
The main ones are:
- Investigatory Powers Act 2016 (“IPA”; replaces the interception provisions of the Regulation of Investigatory Powers Act 2000 (“RIPA”))
- Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (“LBP Regulations”)
- Section 48 of the Wireless Telegraphy Act 2006 (offence of interception or disclosure of messages) (“WTA”)
- Sections 1 to 3A of the Computer Misuse Act 1990 (computer misuse offences) (“CMA”)
- General Data Protection Regulation (“GDPR”) (supersedes the Data Protection Act 1998)
- Human Rights Act 1998 (“HRA”)
Beyond general legislation the financial industry has specific regulations:
- Markets in Financial Instruments Directive (“MiFID”)
- and if you take card payments over the phone, the card schemes’ contractual standard applies as well:
- PCI Data Security Standard (“PCI DSS”)
The following telecommunication related regulations do not seem to be concerned with call recording per se:
- The Telecommunications (Data Protection and Privacy) (Direct Marketing) Regulations 1999
Under the IPA it is an offence to intercept, monitor or record a telephone call without lawful authority if you are not a party to it. A participant recording their own call, or an employer recording on its own system under the LBP Regulations below, is in a different position from a third party tapping the line.
The Act also gives UK intelligence agencies and law enforcement warranted powers to carry out targeted interception of communications, bulk collection of communications data and bulk interception of communications.
Communication service providers (CSPs) can be required by a retention notice to keep UK internet users’ “Internet connection records” (which sites were visited, but not the particular pages or the full browsing history) for up to 12 months. Neither of these provisions is about a business recording its own calls.
The LBP Regulations set out the circumstances in which interception of communications by, or with the consent of, the system controller (such as an employer), for purposes relating to monitoring or recording communications relevant to the system controller’s business, is lawful. The permitted purposes include:
- establishing the existence of facts;
- ascertaining compliance with regulatory or self-regulatory practices or procedures; or
- monitoring the performance standards of staff.
To be lawful, the system controller must also have made all reasonable efforts to inform every person who may use the system (in practice your own staff; an outside caller is not a user of your system) that communications may be intercepted.
Wireless telegraphy act
The Act makes it an offence to use wireless telegraphy apparatus, without authority, with intent to obtain information about the contents, sender or addressee of a message of which you are not an intended recipient, or to disclose such information. This would seem to make scanning, bugging or otherwise eavesdropping on phone calls and recordings illegal.
Computer misuse act
The relevant sections make it an offence to access, or attempt to access, a computer or network without authorisation, to do so with intent to commit further offences, to impair its operation (for example with malware or a denial of service), or to make or supply tools for those purposes. A call recording platform is a computer system holding data, so accessing someone else’s stored recordings without authority falls under it.
Human rights act
The Act deals with basic human freedoms. Call recording or interception may breach those freedoms, most obviously Article 8, the right to respect for private and family life, home and correspondence. At this time, as far as we are aware, there is no case law clarifying these points.
GDPR and call recording
The GDPR requires you to keep records of the personal data you hold and of your processing activities. Personal data is any information relating to an identified or identifiable person, so pretty much any time you handle someone’s name or phone number you are processing their personal data. A call recording is personal data: the voice, the number and whatever is said all relate to an identifiable person, so recording calls is processing.
The Regulation expects you to audit your activities and decide which of the six lawful bases in Article 6 you are relying on to process that data.
The grounds are:
- Consent of the data subject (which must be a freely given, specific, informed opt-in, not a pre-ticked box or silence)
- Processing is necessary for the performance of a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
The reason why phone calls and/or recordings are being made needs to comply with one of those grounds.
a) You should define the systems by which recordings are made and build privacy into them (“data protection by design”). The data held should be searchable, secure and erasable: you need to be able to find every recording and item of metadata relating to a person, protect it (access control and encryption at rest are the obvious measures), and completely erase it, including names, phone numbers and the audio itself, when a data subject exercises the right to erasure and no other lawful basis requires you to keep it.
b) You are the controller of the recording, but the data subject retains rights over their data. You should have procedures in place to detect a personal data breach, investigate it and, where it is likely to put people’s rights at risk, report it to the ICO within 72 hours of becoming aware of it.
c) People have the right to request a copy of the data held on them (a Subject Access Request, “SAR”), including recordings of their own calls. This should normally be provided free of charge and within one month.
d) You should designate a person responsible for the recording system and its compliance. A formal Data Protection Officer is only mandatory in certain cases (public authorities, and organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data), but someone must own the process.
Markets in financial instruments directive
The Markets in Financial Instruments Directive, commonly known as MiFID II, has applied since 3 January 2018. It applies to investment firms and other financial services businesses that provide investment services or deal in financial instruments, not to every financial business.
MiFID II requires that telephone conversations and electronic communications that relate to, or are intended to result in, client orders or transactions in financial instruments (including advice given in that context) be recorded.
Recordings must be kept for a minimum of five years (seven if the regulator requests it) in a form that is readily accessible and cannot be altered, so the store must be able to show that a recording has not been changed since it was made.
PCI data security standard (PCI DSS)
PCI DSS (Payment Card Industry Data Security Standard) is a contractual standard imposed by the card schemes rather than a law; it sets out principles and a set of requirements that aim to safeguard cardholder data across the card payment industry. The main issue it raises for call recording is storage: the three- or four-digit security code (CVV2 and its equivalents) must never be stored after authorisation in any form, and the full card number (PAN) may only be stored if it is rendered unreadable (strong encryption, truncation or tokenisation). A recording in which the customer reads out their card number and security code therefore breaches the standard, and the two together can be used to make fraudulent transactions.
The easiest way to stay compliant is to avoid capturing card data in the first place: pause the recording (or mute the customer’s side) while the payment details are taken, and check that the pause actually happened rather than trusting the agent to press the key every time.
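As an added example (not code from the page or from Birchills), the following Python shows the two halves of that approach: a filter that replaces audio with silence between the pause and resume toggles and keeps no keyed digits from the paused section, and a Luhn-based scan that can be run over whatever digit log or transcript is retained to confirm that no card number got through. The frame layout, the 8 kHz sample rate and the assumption that the DTMF detector delivers the toggle as a single “*1” event are invented for the example; the number 4111 1111 1111 1111 is a widely used Luhn-valid test value, not a real card.

```python
"""Added example, not Birchills code: a pause-aware recording filter plus a
Luhn-based check that no card number survives in what is retained.
Frame format, sample rate and the way DTMF is delivered are assumptions."""
import re
from dataclasses import dataclass

SAMPLE_RATE = 8000          # 8 kHz narrowband telephony (assumed)
FRAME_MS = 20               # one frame = 20 ms of 16-bit mono PCM (assumed)
FRAME_BYTES = SAMPLE_RATE * FRAME_MS // 1000 * 2
SILENCE = b"\x00" * FRAME_BYTES
PAUSE_TOGGLE = "*1"         # the in-call pause/resume code used on the page


@dataclass
class Frame:
    seq: int
    pcm: bytes
    dtmf: str = ""          # DTMF event carried by this frame, "" if none (assumed detector output)


def filter_frames(frames):
    """Return (retained_frames, pause_intervals, retained_digits).

    While paused, audio is replaced by silence of the same length so the
    recording keeps its timeline, and DTMF digits are dropped rather than
    written to the retained digit log. The toggle tone itself is never kept.
    """
    paused, start = False, None
    retained, intervals, digits = [], [], []
    for f in frames:
        if f.dtmf == PAUSE_TOGGLE:
            paused = not paused
            if paused:
                start = f.seq
            else:
                intervals.append((start, f.seq))
            retained.append(Frame(f.seq, SILENCE))
            continue
        if paused:
            retained.append(Frame(f.seq, SILENCE))
        else:
            retained.append(f)
            if f.dtmf:
                digits.append(f.dtmf)
    if paused:                      # call ended while still paused: close the interval
        intervals.append((start, frames[-1].seq))
    return retained, intervals, "".join(digits)


def luhn_ok(number: str) -> bool:
    """Luhn checksum as used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optional spaces or dashes between them, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs found in a digit log or transcript."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def sample_call():
    """Constructed call: agent talk, *1, a 16-digit test PAN keyed by DTMF, *1, more talk."""
    speech = b"\x01\x00" * (FRAME_BYTES // 2)
    frames = [Frame(i, speech) for i in range(5)]
    frames.append(Frame(5, speech, PAUSE_TOGGLE))
    frames += [Frame(6 + i, speech, d) for i, d in enumerate("4111111111111111")]
    frames.append(Frame(22, speech, PAUSE_TOGGLE))
    frames += [Frame(23 + i, speech) for i in range(3)]
    return frames


if __name__ == "__main__":
    frames = sample_call()
    kept, pauses, kept_digits = filter_frames(frames)
    unfiltered = "".join(f.dtmf for f in frames if f.dtmf and f.dtmf != PAUSE_TOGGLE)
    print("pause intervals:", pauses)
    print("PANs in unfiltered DTMF:", find_pans(unfiltered))
    print("PANs in retained DTMF:", find_pans(kept_digits))
```

Running the file prints the pause interval and the scan results: the unfiltered DTMF log contains the PAN, the retained one does not. In a real deployment the scan would run as a periodic check over retained transcripts and DTMF logs, because an agent who forgets to press *1 is the failure mode the muting itself cannot catch.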
Why record calls and how are they used?
Call recording is used for a number of different purposes. Every organisation will have a particular need they are trying to fulfil by recording calls.
From a business perspective, call recording can help a business comply with strict regulations, pass legal controls, resolve potential disputes with customers as well as help with employee training and customer quality assurance.
There are numerous reasons why call recording might be implemented, such as:
- Provide evidence of a business transaction
- Ensure that a business complies with industry standards and regulatory procedures
- See that quality standards or targets are being met
- Protect national security
- Prevent or detect crime
- Investigate the unauthorised use of a telecommunications system
- Secure the effective operation of the telecommunications system
- Training purposes
- Quality monitoring
- Fact verification
Do businesses have to say if they are recording calls?
Companies frequently play a message to the effect that calls may be recorded for monitoring and quality purposes. This may be found on advertising, the company website or on the IVR (Auto attendant, Voice menu).
However, businesses are under no obligation to inform you that they are recording calls for any of the following purposes (as provided for in the LBP Regulations):
- Provide evidence of a business transaction
- Ensure that a business complies with regulatory procedures
- See that quality standards or targets are being met
- In the interests of national security
- Prevent or detect crime
- Investigate the unauthorised use of a telecom system
- Secure the effective operation of the telecom system
If businesses want to record for any other purpose, such as market research, they should obtain your consent.
You may find it interesting that Ofcom themselves do not give any announcement that calls may be recorded.
How long should call recordings be kept?
The length of time you will be required to keep call recordings depends largely on the industry you operate in and on the lawful basis for the recording: once the purpose the recording was made for has been met, the GDPR expects you to delete it.
In the financial services industry, call recordings must be retained for a minimum of 5 years.
Birchills call recording
When you answer or make a call using a Birchills system you can choose to record it to a sound file. We digitally record your calls and save them for as long as required. Recordings can then be played back or even downloaded.
- Some providers charge for call recording. With Birchills it’s one of many great free features.
- Call recording can be set to be on by default or used on demand as necessary
- All calls in or out can be recorded as long as they go through a regular Birchills extension.
- Call recording can be set in different ways on different extensions
- By dialling *1 during a call, the call recording can be paused and resumed, so card details need never be captured, which is what PCI DSS requires
- You can search, listen back and download recordings easily and quickly.
It is clear that the complexities of call recording have made it very difficult to give a definitive statement of the law. The only time when the legality or otherwise of a call recording can be established is by the courts and that will only happen for specific recordings in specific circumstances.
We believe that you should employ common sense in any recordings and follow any guidelines within your own industry.