We wrote in our last Newsletter about call recording and the FCA’s view on any issues that might arise during the COVID-19 emergency. You can link to our previous articles on call recording here.
Now, as mentioned, Article 3 MiFID Exempt Firms have the option to create written file notes instead of recording calls and we believe that most take this alternative approach.
However, firms that do record calls, or that are among the increasing number of firms that record client meetings, might be interested to know how client audio is treated for the purposes of the Data Protection Act 2018 (DPA 2018).
As most readers will probably know, there are three different types of personal data under the rules:
- Personal data
  - this is ‘general’ information in relation to an identifiable living individual.
- Special category data
  - personal data revealing racial or ethnic origin;
  - personal data revealing political opinions;
  - personal data revealing religious or philosophical beliefs;
  - personal data revealing trade union membership;
  - biometric data (where used for identification purposes);
  - data concerning health;
  - data concerning a person’s sex life; and
  - data concerning a person’s sexual orientation.
- Criminal offence data
  - personal data relating to criminal convictions and offences, or related security measures.
The essential thing to know about the types of data is that a lawful basis is required to process personal data but a lawful basis and an additional condition are required to process special category data. Criminal offence data is a special case apart and we will not consider that here except to say that its processing requires careful consideration of the detailed guidance provided by the ICO.
What we are interested in for the purpose of this article is special category data, specifically ‘biometric data’. This is defined as:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”
If you are a pub quiz fan you will want to note ‘dactyloscopic’. Not only because it is yet another great word that GDPR has introduced to a wider public alongside ‘pseudonymisation’ but also because, in the unlikely event of it coming up in a pub quiz, you will be the only person in the room that knows (or cares) what it means! It essentially means fingerprint data!
The real question arises from the mention of ‘voice’ in connection with biometric data in the legislation. Some readers might recall that HMRC was sanctioned by an ICO enforcement notice in 2019 in relation to voice data that it had processed ‘unlawfully’.
So, is client audio from a recorded telephone call special category biometric data? The answer is NO – unless it is processed into a unique ‘voiceprint’ for the purposes of authenticating the individual’s identity. The same is true of all biometric data – it is always personal data but only becomes special category data when used for identification purposes, in which event the firm processing it as such will need to have a lawful basis under article 6 of the GDPR and an additional condition under article 9. The problem in the HMRC case was that they were using the voice data to authenticate the identity of callers but did not obtain a lawful basis or offer an opt out.
Regardless of whether it is special category data, the individual must always be informed that the call or meeting will be recorded and how the data will be used. Where possible, the individual should be given an opt out. Article 3 MiFID Exempt Firms can offer this in respect of relevant telephone calls, as they are permitted under FCA rules to use the file note alternative. They can also offer it in relation to the recording of a client meeting, as there is always the alternative process of a paper/computer fact find, which is probably done as well as any recording anyway.
Other firms do not have this option and so would need to explain to the client that recording a ‘relevant’ call is a regulatory requirement where applicable. Other calls that do not strictly need to be recorded, but which firms choose to record, can normally be covered under the commonly heard ‘for training purposes’, or even the mutual ‘legitimate interests’ of both parties being able to prove subsequently what was discussed and said during the call.