There are a lot of reasons why a business might want to record its phone calls – compliance, dispute resolution, training, or even quality control. But many businesses are unclear about what aspects, if any, of business call recording are legal, and this lack of clarity can have potentially damaging consequences.
Business call recording is not illegal, but it is bound by a number of regulations,
especially in the financial services sector. It must comply with the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA). The DPA applies because call recording generally results in a business obtaining personal data.
RIPA places limits on when telephone calls can be made, and an automated recording of a telephone call will generally contravene the regulation unless there is the consent of all parties.
Personal data – for the purposes of DPA compliance – means information held about identifiable individuals, such as a home address. Sensitive personal data would include information about someone’s ethnicity, religious beliefs, mental and physical health.
Considering this it’s obvious that business call recording frequently captures personal data and if personal calls are included in call recording policies then sensitive personal data is also easily captured.
According to former barrister and data protection and privacy expert Ben Hooper, “business calls may be recorded without contravening the DPA if the benefits of recording outweigh any adverse impacts and if appropriate steps are taken to satisfy other data protection requirements that apply”.
In practice of course businesses often allow employees to make personal calls on business devices or at least turn a blind eye to such calls.
Hooper suggests this raises the possibility of “significant compliance issues”. If for example there is a viable option for a business to ensure that only business calls are recorded and personal calls remain private, a blanket recording policy for all calls may well contravene the DPA and expose the business to reputational damage, fines and other legal challenges.
Clarity in call recording policies then, is essential, for a business to be sure it doesn’t fall foul of data protection regulations.
Call recording regulations for financial services businesses are also going to tighten in the near future. The revised Markets in Financial Instruments Directive (MiFID II) comes into force in January 2018 and it will regulate the financial services sector with a strict set of rules around call recording.
MiFID II will be applied more widely than the current requirements for recording phone calls which apply to about 30,000 City traders.
MiFID II will apply to all firms who provide financial services to clients linked to ‘financial instruments’ (shares, bonds, units in collective investment schemes, commodity trades and derivatives) as well as to the venues where those instruments are traded. MiFID II also includes anyone in the advice chain that may lead to a trade, so the number of individuals falling under the regulation could go up to 300,000 in the UK alone.
It also includes premises in which these calls or conversations take place, and requires that all “communications that are intended to lead to a transaction” be recorded and retained. Recordings will also need to be stored for longer – for a minimum of five years against the six months currently required.
The new European General Data Protection Regulation (GDPR), comes into force at shortly after MiFID II, in May 2018. The GDPR will supersede national laws such as the DPA and strengthens the protection given to individuals on the data held about them.
It will require firms to pay attention to recording of conversations in the context of data privacy. Businesses will face greater penalties for data misuse under the GDPR – from the current maximum of £500,000 to potentially 4% of worldwide turnover. And remember that Brexit, will have no impact on any of this legislation.
Businesses will need a comprehensive view of their compliance across all channels – phone, email, SMS and in person – in order to meet these new regulations. They will need to demonstrate that the policies, procedures and management oversight of the MiFID II recording and monitoring rules are in place.