IsitlegaltorecordcustomercallsunderEnglishlaw

15 April 2003

Alistair Maclean

DQ operators may want to intercept, record and store recordings of calls made by customers to their call centres. In the interests of consumer and employee protection, various rules apply to these practices, application of which varies according to the purposes for which a call is monitored. Details of the different rules that must be considered are set out below. Because different provisions protect different interests, these rules must be considered individually and together. For example, the same provision may not apply to monitoring for the purposes of protecting the caller, but may apply for the purposes of protecting the recipient of the call.

The Regulation of Investigatory Powers Act 2000 (“RIPA”) and The Lawful Business Practice Regulations

Criminal offences

It is a criminal offence to intercept a communication in the UK on a public network intentionally and without lawful authority (i.e. tapping into a private telephone call). This does not apply if the recording is made on a DQ operator’s own private network within the call centre. It is also a criminal offence to intercept in the UK intentionally and without lawful authority a communication made on a private network unless that interception is made with the express or implied consent of a person with a right to control the operation of that private network. A DQ operator which controls its private network cannot face criminal liability for intercepting communications on it (provided of course that the interceptions are made with the consent of the business and not for example by an individual employee without the employer’s knowledge).

Civil liability

Interceptions made in the UK on a private network even with the consent of the business will be actionable by the caller (the customer who makes the call) or recipient (the employee who takes the call) if the interception is made without lawful authority. This means that the DQ operator could face civil liability, such as a claim for damages or an injunction to prevent monitoring or recording from either a customer or an employee, if it intercepts without lawful authority.

Lawful authority

A DQ operator can obtain lawful authority for the interception if: (i) it has the consent of the sender and the intended recipient or it has reasonable grounds for believing it has such consent; or (ii) pursuant to the Lawful Business Practice Regulations (referred to below as ‘the Regulations’).

Pursuant to the Regulations the DQ operator can show lawful authority without obtaining consent if the interception is made to monitor or keep a record of the communication to (amongst other things):

(i) establish the existence of facts;
(ii) ascertain compliance with regulatory or self-regulatory practices; or(iii) demonstrate standards which are or ought to be achieved by persons using the system in the course of their duties (i.e for training and quality control purposes).

Overriding requirements

There are some overriding requirements in the Regulations which the DQ operator must also comply with, namely:

(i) The interception must be made solely for the purpose of monitoring or keeping a record of communications which are relevant to the operator’s business. This means that the DQ operator cannot record private calls made by employees, and should provide telephone lines which employees know are not monitored. If the DQ operator wants to make recordings for other purposes, for example, marketing purposes, it would need to obtain the consent of callers.(ii) The telephone system on which the interception is made must be provided wholly or partly in connection with the business; and
(ii) The DQ operator must have made all reasonable efforts to inform every person who may use the telephone system in question that communications may be intercepted. Note that the DTI guidance on the Regulations states that the persons who use the telephone system are direct users only i.e employees and not customers who call in from outside of the telephone system. The DQ operator must ensure that it informs its call centre staff about the interceptions, this can be done through employment contracts or by making literature or notices available to staff.

The Human Rights Act and Oftel Guidance

Outline

The Human Rights Act 1998 directly incorporates the European Convention on Human Rights into UK domestic law. Article 8 of the Convention provides as follows:

“1. Everyone has the right for respect to his private and family life, his home and correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, the protection of health or morals, or for the protection of the rights and freedoms of others.”

Although the Convention applies directly to public authorities the European Court has held that the state must in certain instances intervene where a person’s Convention rights are being violated by another private person, e.g. an employer / employee relationship. The Oftel Guidance on the recording of telephone conversations assumes that the Convention applies to all companies and not just public authorities.

Oftel Guidance

The Oftel Guidance was issued in response to a decision by the European Court of Human Rights in 1997 in a case which involved the monitoring of telephone calls on a private line by the Merseyside Police Authority of one of its Assistant Chief Constables. Broadly the Court held that the interception of a person’s office telephone could constitute an interference with the person’s right to privacy under Article 8 of the Convention. The Court stated that the monitoring must be lawful and there must be an effective remedy. As English law at the time did not address the question of monitoring over private networks the monitoring could not be said to be lawful.

The Guidance was issued when organisations had to comply with the Privacy of Messages conditions set out in the Self-Provision and Telecommunication Services Licences, i.e. that every reasonable effort is made to inform all parties to a telephone conversation that it may or will be recorded. The provisions of the licences were not designed to deal with the broader issues of employee privacy and did not provide employees with effective remedies if the employer breached the terms of the licence. The Privacy of Message conditions have now been replaced by the requirements of the Lawful Business Practice Regulations. The Oftel guidance is not legally binding but provides the following guidelines that a DQ operator should follow as a matter of best practice:

(i) It is not sufficient to simply warn employees that their phone calls at work may be recorded or monitored. Employees have a legitimate expectation for privacy for calls made or received that involve personal and domestic matters.
(ii) Employees should have some way of making or receiving calls at work that will not be recorded or monitored (satisfied if the DQ operator provides unmonitored pay phones).(iii) Employees should continue to be informed that recording or monitoring on official work phones may take place. The Guidance recommends that the information may be given within an employment contract, staff notices, posters and global e-mails. However, because of the continuous nature of the requirement, simply placing wording in the employment contract would not be sufficient, and a combination of methods should be used.
(iv) External callers should be advised of the possibility of recording or monitoring. The Guidance says that external callers could be informed through warnings in adverts or customer literature. All types of advert whether print, TV or radio should contain a warning such as “Please note that calls may be monitored and recorded for quality control and training purposes.” The DQ operator can also play a recorded message at the start of each call to state that calls may be monitored. Written terms and conditions could include a provision which states that the customer acknowledges that the DQ operator may monitor and record calls for quality control and training purposes, but it should also provide that any personal information recorded will not be disclosed to third parties. (v) Employers should restrict recording and monitoring to situations where they are necessary and proportionate.

The Data Protection Act 1998 (the “DPA”)

Outline

The DPA applies to the processing of personal data. A DQ operator would not need to comply with the provisions of the DPA if it were to only monitor the telephone calls and not to record them (or to make a record of the conversation in another way for example by making a paper record of the conversation including the personal details of the caller and that paper record was kept in a structured filing system). Processing is broadly defined and covers the recording of telephone calls.

The DPA requires the DQ operator to comply with amongst other things the eight data protection principles when it processes personal data. The key principles relevant to call recording are:

(i) transparency – the fair processing code in the DPA obliges organisations to inform individuals about whom they collect personal data, and the purpose of the processing – including, in this case, monitoring; and
(ii) proportionality/necessity – the data protection principles provide that personal data may only be collected where it is necessary for one of the lawful bases for processing, and where it is relevant and not excessive for the purpose for which it is collected. It must not be retained longer than is necessary.

These tests of transparency, necessity and proportionality are, in broad terms, consistent with the principle stated at a high level in Article 8(2) of the European Convention of Human Rights.

The Monitoring Code

The Code was developed by the Information Commissioner’s Office to provide guidance on all types of monitoring including telephone monitoring. At present it is in a draft form although the final version is expected in Summer 2003. The Code provides guidance and benchmarks to employers of how to comply with the DPA (although the legal requirement is still to comply with the actual provisions of the DPA).

Privacy Assessments

The DPA, following on from Article 8 of the European Convention on Human Rights, restricts the processing of personal data to circumstances in which there is a lawful basis for the processing, and where it is necessary and proportionate. Compliance with this principle requires the employer to balance its legitimate interests with the employee’s right to privacy.

The Code recommends that an impact assessment is carried out to ensure that the monitoring does not intrude unnecessarily on the right of workers to expect respect for their private lives and correspondence. The Code recommends that employers consider the following questions:

(i) what is the likely adverse impact of the monitoring of workers who will be subject to it?(ii) what benefits to the business will be delivered?
(iii) are there other less intrusive methods that would deliver those benefits?
(iv) can the monitoring be targeted on specific areas of the business where the risk is greatest?(v) are there technical means that can be employed to keep the intrusion to a minimum?
(vi) can the business comply with the obligations that will follow from monitoring? e.g. secure storage and access to the results of the monitoring.

In relation to monitoring in general, the Information Commissioner suggests that the assessment should consider the following elements (which are applicable to call recording):

(i) is there an alternative method to monitoring?
(ii) can established methods of monitoring (e.g. spot checks) be undertaken instead of continuous monitoring?
(iii) can the monitoring be targeted at business areas that pose a high risk, or at individuals about whom complaints have been made or where there are grounds to suspect wrong doing, as opposed to being applied to the entire business?
(iv) can the monitoring be automated - so as to reduce the extent of information which is available to other persons?

Policies and Procedures

The Code also recommends that an organization puts in place policies and procedures to set out how monitoring will be conducted in accordance with the DPA. Such policies and procedures should address the following:

(i) who authorises monitoring? Ensure this person understands the implications of their decision. The level of authority needed may depend on the monitoring concerned
(ii) consult with trade unions or workers representatives in advance. This is not a requirement of employment law, but will help promote fairness.
(iii) keep to a minimum those who need to see personal data collected through monitoring. Ensure they keep such information confidential and have appropriate training. It may be less intrusive if HR/security hold this information, as opposed to a colleague.
(iv) only use the information for the purpose for which it was obtained (e.g. quality control), unless it reveals evidence no reasonable employer would ignore.
(v) allow employees to make representations about information obtained about them before taking action.
(vi) ensure the information obtained can be made available in response to a request.

Informing employees

The Code consistently emphasises the need for an employer to make workers aware that monitoring is carried out, in a sufficient level of detail so that workers understand what data may be collected about them and when and how it will subsequently be used. The employer must provide this information so as to comply with the obligations of transparency imposed by the DPA. In addition to documenting internal policies and procedures which set out how monitoring must be authorised and how it must be used, employers will, therefore, in addition, need a series of documents aimed at employees.

The general obligation to notify workers states that employers should “tell workers what monitoring is taking place and why, and periodically remind them of this, unless covert monitoring is justified.” The implication, therefore, is that employers cannot hide this information away in an employee handbook and then never again draw it to workers’ attention. This suggests that workers should be told not only that communications may be monitored but when and why the monitoring is carried out.

In limited circumstances, an employer need not advise workers that monitoring is being carried out. The limited exceptions to the transparency obligation apply where informing the worker that information is being obtained would, in a particular case, be likely to prejudice national security, the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty. The Code helpfully suggests that the test an employer should apply is whether the reason for the monitoring is sufficiently serious for the police to be involved. This does not mean that the organisation need involve the police, merely that there is an investigation which is of a similar magnitude.

Informing customers

In relation to telephone monitoring, the Code states that the employer must notify those making calls to or receiving calls from workers that the calls may be monitored. This requirement to notify both parties to the call goes beyond the requirements of the Lawful Business Practice Regulations.

There are clearly practical difficulties in providing this information to those who contact an organisation. In the case of telephone calls, the Code suggests that information could be provided in recorded messages. If there is no better way of providing the information, then the Code suggests that workers should be instructed to inform callers that the calls may be recorded and to explain why this is the case.