“Your call may be recorded for monitoring and training purposes”
The law governing a business’s right to monitor and record telephone calls with its customers is primarily set out in:
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) (Lawful Business Regulations).
- Data Protection Act 1998 (DPA).
In addition, where businesses wish to monitor and record telephone conversations made by employees, it needs to consider the Information Commissioner's Employment Practices Data Protection Code and the Human Rights Act 1998 (HRA).
Further rights are included in the Regulation of Investigatory Powers Act 2000 (RIPA) which regulates the manner in which certain organisations may conduct surveillance and access a person's electronic communications.
What does the law say generally?
RIPA permits ‘inception’, meaning the contents of a communication are made available to a third party during transmission, when the organisation in question has (i) obtained the customer’s consent, or (ii) where it is authorised to do so by the Lawful Business Regulations.
The Lawful Business Regulations specify that any calls can be monitored and recorded in the following circumstances:
- to establish the existence of facts relevant to the business, such as keeping a record of instructions given by telephone where it is necessary or desirable to know what has been said during a conversation;
- to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business. This would include monitoring as a means of checking that the business is complying with external regulatory guidelines;
- to ascertain or demonstrate standards that are or ought to be achieved by persons using the system. This could include monitoring for the purposes of quality control or staff training;
- to prevent or detect crime. For example, monitoring to detect evidence of fraud or corruption;
- to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system, such as monitoring employee access to certain applications and data.
In relation to employees, the Lawful Business Regulations also authorise employers to monitor (but not record) employee communications without consent in the following circumstances:
- to determine whether or not the communication is relevant to the business; for example, when the employee is absent from work;
- to monitor communications to a confidential anonymous counselling or support helpline.
However, all the conduct permitted under the Lawful Business Regulations set out above is only expressly permitted solely for the purpose of monitoring or recording a communication which is "relevant to the business". Furthermore, the business must also have made "all reasonable efforts" to inform every person involved that this may take place.
In addition, the DPA is likely to be applicable if the content of a call is recorded, as the information disclosed during a call is likely to contain personal data such as name and address information. Accordingly, processing that recorded information will be subject to the requirements of the DPA.
The first principle of the DPA requires that personal data is processed fairly and lawfully, which includes informing the caller (at the point at which data is collected) that the data is being recorded, and having legitimate grounds for collecting and processing the data, for example, by obtaining consent from the caller.
In addition, recorded telephone calls must be stored securely, only retained for an appropriate time and the customer must be given the right to access the data.
Furthermore, to the extent that any information to be recorded would be classified as "sensitive personal data", which is personal data consisting of information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, or commission of or proceedings for any offence committed or alleged to have been committed by that person, further restrictions apply and explicit consent would be required in these circumstances. We advise that businesses should seek further advice if this is applicable.
What else needs to be considered when dealing with employees?
The Information Commissioner's Employment Practices Data Protection Code suggests the following principles of good practice for the monitoring of telephone calls made by employees at work:
- communications should only be monitored for specific purposes;
- wherever possible, employees should be notified in advance that such monitoring may take place, for example, through a staff handbook;
- covert monitoring should only be used in exceptional circumstances, such as a criminal investigation, on a strictly targeted basis and for a limited period of time.
In addition, article 8 of the HRA provides that every individual has the right to respect for their private and family life, their homes and correspondence. This right to privacy extends to the workplace. This has the following effect:
- employees have a reasonable expectation of privacy in the workplace. Employees should therefore be warned that communications may be intercepted; and
- even where no expectation of privacy exists, an employer must be able to justify the interference. Any monitoring must be proportionate and only go as far as is necessary to achieve its purpose.
What are the consequences of failure to comply?
Breach of the RIPA or the Lawful Business Regulations can result in either civil or criminal action, and breach of the DPA can result in the Information Commissioner imposing substantial fines.
As a business, how can I comply?
As a matter of best practice, a business that intends to monitor and record telephone calls should:
- Use pre-recorded messages to notify customers that calls may be monitored and recorded, and the specific purposes for which this is taking place, such as quality control or training. If pre-recorded messages are not possible, businesses should ensure telephone operators notify customers of this information at the outset of a call.
- Add suitable wording to privacy policies. For example, "We may monitor, record, store and use any telephone, email or other communication with you in order to check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service".
- In respect of employees, include in a staff handbook and work policies details of the monitoring of telephone calls or other means of communication and the purpose of such monitoring. Employees whose calls are monitored should be given access to a private line over which personal calls can be made during, for example, their lunch break.