in ,

Call Recording and Data Protection: UK Law Explained

How to make sure your contact centre stays compliant with data and privacy rules

Call recording is extremely common across all kinds of businesses which operate external facing contact centres. For monitoring and managing service levels, assisting professional development and for protecting against disputes, call recording adds value to operations by providing reliable evidence which can be referred to as and when needed.

Data protection
The use of call recording software is regulated by data protection laws.

However, any business which records telephone conversation for any purpose needs to be aware of data protection and privacy rules. In the UK, the relevant laws are contained within the Data Protection Act 1998, which adopted EU wide principles aimed at protecting individual’s privacy.

Although the Act does not refer to call recording explicitly, it does cover any activity involving the “processing” of personal data, including the creation, management and use of records. As telephone conversations between a business and a customer will often involve the sharing of personal details and information, call recording falls under these terms.

The main principles of the Act which apply to call recording are as follows:

  • Data cannot be used for any purpose other than that which it is gathered for.
  • Any business which collects and stores personal data must be registered with the Information Commissioner’s Office (ICO).
  • If a business does record and store personal data, it must have appropriate security infrastructure and protocols in place to keep it safe.
  • Personal data should only be stored as long as necessary.


In terms of what these principles mean in practice, the first point means that businesses have to be explicit about the fact that they are gathering information and what it is to be used for. Amendments made to the Data Protection Act in 2003, as well as articles in the Telecommunications Act 1984 and Human Rights Act 1998, require organisations to announce both to employees and customers whenever calls may be recorded, and give the option not to take part.

Some specific uses of recorded calls may require explicit consent from the parties involved, but these are specialist cases. If unsure, it is best to get legal advice on what you intend to do with your recordings.

For incoming calls, many companies choose to insert a recorded message announcing that calls may be recorded, and the reason why – usually for training and security purposes. This covers businesses to use recordings for activities such as staff appraisals, compliance, checking service levels, and to use as evidence in the event of a dispute. For outgoing calls, agents must read a similar script at the start of any call which may be recorded.

Employees must by law be provided with a means to make private calls which will not be recorded, even if this is via a pay phone.

Staying Compliant

The other principles govern the preparations a business must make to become and remain compliant with the data regulations. Registering with the ICO is a requirement in case a complaint is made prompting an investigation by the Information Commissioner.

Call Recording Data ProtectionData security is a key consideration in call recording compliance. Businesses are obliged to ensure that general network security, such as firewalls and encryption, are kept up to date and fit for purpose to prevent eavesdropping and theft from third parties. Procedures should also be put in place to ensure the safe storage of recorded calls, with permissions and access restricted as necessary to those who need to be able to hear the recordings.

There are no hard and fast rules as to how long recorded calls can be stored for. The onus is therefore on the business to be able to justify the length of time the keep recordings for – indefinite storage for the sake of monitoring service levels is unlikely to be considered appropriate, but longer periods will be tolerated for security and dispute resolution.

Businesses also need to bear in mind that there are special rules and regulations governing the recording of specific types of information. One example is the PCI-DSS rules on credit card transactions, which do not allow the recording of credit card details.

DPA Won’t Be Around Forever – GDPR is coming

On 25th may 2018 – less than a year from the date this article was published – DPA will be superseded by the GDPR (General Data Protection Regulation) guidelines. You’ll need to make sure that the following steps are taken before GDPR comes into force:

  • Elizabeth Denham, Information Commissioner
    Elizabeth Denham, Information Commissioner

    Plan for security breaches with a clear framework of key policies

  • Establish an accountability framework so that staff is constantly monitoring data and reviewing high-risk issues
  • Get a competitive advantage by making sure that privacy is embedded into your processing systems
  • Analyse personal data use, and make sure that your current documents and processes are well-informed and clear
  • Check policies and privacy notes and ensure that they’re in a clear, accessible format
  • Know your obligations and put your customer’s minds at rest by implementing modern regulations

Information Commissioner Elizabeth Denham has warned there’s no time to delay in preparing for GDPR, calling it:

“The biggest change to data protection law for a generation”

We have further articles relating to GDPR, keep checking back as more will be published over the coming year.

Related Posts:

Call Recording Series Sponsors


Gamma offer cloud based call recording and SIP trunk recording to via accredited channel partners across the UK.

Oak Innovation

Oak Innovation are a British company specialising in the call recording and reporting solutions. Oak call recorders work on many different types of phone systems.


Tollring are a British company and they offer both cloud based and locally installed call recording solutions, working across multiple platforms.


Voiceflex are a UK based company who specialise in SIP trunking and cloud based call recording. They sell though accredited channel partners.

Xarios Technologies

Xarios are a Manchester headquartered business offering server based call recording solutions. They sell through channel partners across the UK.

Leave a Reply

Paul Newham

Written by Paul Newham

Hi I'm Paul, I specialise in technology, covering telecoms, cloud and IT infrastructure and digital marketing.