Recorded (or voice) data and GDPR

Posted · Add Comment

We have all heard that dreadful message when calling a company “This call is being recorded for training and data quality purposes”.  In truth, normally that’s really only a part of the reason.  The “data quality” part really means that the recording would be used to determine who is right.  Don’t get me wrong, there’s nothing that’s really incorrect about the message (and some find it comforting – for good reason). Some people just don’t understand what “data quality purposes” really means and can, therefore, miss out on obtaining information.

Behind the scenes

So, what is missing here?  From other blogs I have written you may see that the recorded message does not tell you how long the recording will be stored for, or how it will be destroyed.  If this is not mentioned in the recorded message then this should be mentioned in the terms & conditions somewhere.  The mention could only be very straight forward. It could say something like “any recording would be deleted within 12 months of the guarantee of that product expiring”.

In all probability the recorded data will be stored digitally in a cloud server somewhere. Now, “back in the day” tapes were used, but neither method is a reason to panic.  The important thing is that the organisation has to ensure that it controls access to its recordings.

Its policies should ensure restricted access so that not everyone has access to the recording, unless you have a very small number of staff – and then that’s just impractical.

Recorded data can be one of the easiest sets of data to destroy.  If your documentation takes over from your voice data quickly then recordings can be regularly and quickly destroyed, e.g. within a month, or two. If your process is defined enough, deletion of voice data can be selective, retaining only those that cannot be convert to other media.

What can get in the way

The length of time recorded information can be stored is dependent on many things. For example, whether the personal information within the recording will play any part in a dispute, or legal proceedings.  If you do have a dispute with an organisation, you have every right to make a subject access request to find out what is held. This is your right and works in the same way you would request any other piece of information.  Once any qualifying period has elapsed, you can request the removal of this information under your right to erasure.

As with everything, data protection legislation (including GDPR) stresses that responses to requirements are appropriate.  In this case it would primarily be to the size and/or sophistication of the organisation. It should also take into account the sensitivity of the data that has been recorded. Both these things should be the determinants of appropriateness.

There is so much more information available, some of it very detailed.  Please look through the other blogs and see if the information you want is provided.

If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.

Leave a Reply

Your email address will not be published. Required fields are marked *