Recording calls and meetings

We wrote in our last Newsletter about call recording and the FCA’s view on any issues that might arise during the COVID-19 emergency. You can link to our previous articles on call recording here.

Now, as mentioned, Article 3 MiFID Exempt Firms have the option to create written file notes instead of recording calls and we believe that most take this alternative approach.

However, firms that do record calls or are one of the increasing number of firms that record client meetings might be interested to know how client audio is considered for the purposes of the Data Protection Act 2018 (DPA 2018).

As most readers will probably know, there are three different types of personal data under the rules:

  • Personal data
    this is ‘general’ information in relation to an identifiable living individual.
  • Special category data
    personal data revealing racial or ethnic origin;
    personal data revealing political opinions;
    personal data revealing religious or philosophical beliefs;
    personal data revealing trade union membership;
    genetic data;
    biometric data (where used for identification purposes);
    data concerning health;
    data concerning a person’s sex life; and
    data concerning a person’s sexual orientation.
  • Criminal offence data
    personal data relating to criminal convictions and offences, or related security measures.

The essential thing to know about the types of data is that a lawful basis is required to process personal data but a lawful basis and an additional condition are required to process special category data. Criminal offence data is a special case apart and we will not consider that here except to say that its processing requires careful consideration of the detailed guidance provided by the ICO.

Biometric …
What we are interested in for the purpose of this article, is special category data, spefically ‘biometric data’. This is defined as:

“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”

If you are a pub quiz fan you will want to note ‘dactyloscopic’. Not only because it is yet another great word that GDPR has introduced to a wider public alongside ‘pseudonymisation’ but also because, in the unlikely event of it coming up in a pub quiz, you will be the only person in the room that knows (or cares) what it means! It essentially means fingerprint data!

The real question arises from the mention of ‘voice’ in connection with biometric data in the legislation. And some readers might recall that HMRC was sanctioned by an ICO enforcement notice in 2019, in relation to voice data that was processed ‘unlawfully’ by HMRC .

So, is client audio from a recorded telephone call special category biometric data? The answer is NO – unless it is processed into a unique ‘voiceprint’ for the purposes of authenticating the individual’s identity. The same is true of all biometric data – it is always personal data but only becomes special category data when used for identification purposes, in which event the firm processing it as such will need to have a lawful basis under article 6 of the GDPR and an additional condition under article 9. The problem in the HMRC case was that they were using the voice data to authenticate the identity of callers but did not obtain a lawful basis or offer an opt out.

Regardless of whether it is special category data, the individual must always be informed that the call or meeting will be recorded and how the data will be used. Where possible, the individual should be given an opt out. This can be offered by Article 3 MiFID Exempt Firms in respect of relevant telephone calls as they are permitted under FCA rules to use the file note alternative or in relation to recording of a client meeting as there is always the alternative process of a paper/computer fact find, which is probably done as well as any recording anyway.

Other firms do not have this option and so would need to explain to the client that recording a ‘relevant’ call is a regulatory requirement where applicable. Other calls that do not strictly need to be recorded but where firms choose to do so, can normally be covered under the commonly heard ‘for training purposes’, or even the mutual ‘legitimate interests’ of both parties being able to prove subsequently what was discussed and said during the call.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

our opinion

Action Required By You

  • fulkcvbujhnnfn
  • something
  • something else
SUIT - Beautiful Reports
SUIT - Complete Control
SUIT - Comp confidence
previous arrow
next arrow

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.

Contact Us

Brought to you by

Explore more articles in this category

Other articles that you might be interested in