Call recording policy

Next

Worldwide Cancer Research has a telephone system that is capable of recording conversations. Like many other organisations, this is a standard practice that allows the recording of telephone calls for quality monitoring, training, compliance and security purposes.

Data protection law protects personal information held by organisations and enforces a set of standards for the processing of such information. In the course of its activities the Charity will collect, store and process personal data, including the recording of telephone calls, and it recognises that the fair and lawful treatment of this data will maintain confidence in the Charity and will provide for successful business operations.

All inbound and outbound calls made to or by the Charity via the Supporter Care team will be recorded and will be retained for a limited period of 90 days as per our Retention Schedule. These recordings will only be used for the purposes specified in this policy.

The call recording facility is automated and accommodates incoming calls made from outside the Charity and external calls being made by a member of the Supporter Care team.

There is a recorded message in place to inform inbound callers that their call is being recorded. When external calls are made by the Supporter Care team then staff members will advise the individual that the call is being recorded.

    1. Purpose

In order to maintain high standards and protect the public and our staff we need to record all inbound and outbound telephone calls made or received by the Supporter Care team and retain them for a limited period of time.

We shall ensure that the use of these recordings is fair and that we comply with the requirements of relevant legislation. This includes:

  • The Regulation of Investigatory Powers Act 2000
  • The Telecommunications (Lawful Business Practice) (Interception of
    Communications Regulations) 2000
  • Privacy and Electronic Communications Regulations 2013
  • The Data Protection Act 2018
  • The UK General Data Protection Regulation (GDPR)
  • The Human Rights Act 1998. 

 

  1. Scope

All calls made by or to the Supporter Care team will be recorded. A call can be retrieved or monitored when:

  • it is necessary to investigate a complaint.
  • it is part of a management ‘spot check’ that supporter service standards are being
    met.
  • it provides assurance of the Charity’s quality standards.
  • there is a threat to the health and safety of staff or visitors or for the prevention or
    detection of crime.
  • it is necessary to check compliance with regulatory procedures.
  • it will aid standards in call handling, through use in training of our staff.
  • it supports an assessment of economic risk in line with our Vulnerable Person
    Policy.

If the person making the call says that they do not wish to have their call recorded, the call recording will be stopped manually by the call operator.

  1. Purpose of Call Recording

The purpose of call recording is to provide an exact record of the call for:

  • staff training purposes, helping us to improve the quality of our supporter care and to ensure the information we provide is consistent and accurate.
  • accuracy checks to ensure we have an accurate record of the call, to support any customer transaction that takes place over the phone.
  • establishing the facts in the event of a complaint by a supporter or member of staff and used in evidence during any associated investigation.
  • protecting our supporters in line with our Vulnerable Person’s Policy and those who may be at particular economic risk.

 

  1. Collecting information

Personal data collected in the course of recording activities will be processed fairly and
lawfully in accordance with data protection laws. It will be:

  • used for the purpose(s) stated in this policy only and not used for any other purposes.
  • accessible only to managerial staff after securing permission from the Supporter Care Manager or Head of Marketing and Supporter Experience.
  • treated confidentially.
  • stored securely.
  • not kept for longer than necessary and will be securely destroyed once the issue(s) in question have been resolved.
  • where credit/debit payment details are collected over the phone by our staff, the recording will be automatically stopped/paused and automatically re-started once these details have been taken.
  • where bank payment details are collected over the phone by our staff, the recording will be manually stopped/paused and manually re-started once these details have been taken.

All call recordings are stored on a secure server and backed up each evening. Backups are held for a period of 90 days.

The Charity does not record the content of any telephone conversations outside of the team mentioned above or out with the operating system. For example telephone conversations made to and from work mobile phones or internal calls between extension users are not recorded.

  1. Procedures to prevent the recording of financial data

The purpose of this section is to:

  • advise all staff of our position on taking payment details from our supporters/clients and how to keep those details safe and secure.
  • it is our responsibility to protect credit card & bank account data and any other sensitive supporter and client information that may be shared with a member of staff.

We are required to comply with the Payment Industry Data Security Standards (PCI DSS) compliance programme. The programme aims to ensure that all merchants accepting card payments do so securely. A breach can make us liable for any fine incurred by Card
schemes in addition to the cost of remedying the breach plus any compensation payable.

The Charity will make every reasonable effort to ensure PCIl DSS compliance is upheld regarding the recording of such telephony stored data. Card details should not be accepted by email or other insecure messaging technologies such as social media. For compliance purposes the telephone recording system will provide for automated start/stop recording or manual pausing of the recording when completing certain fields within an application.

No member of staff is permitted to write down or retain card information under any
circumstance.

  1. Advising callers and staff that calls are being monitored/recorded

The Charity will make every reasonable effort to communicate when calls will be recorded.

This will include:

  • informing the caller when call recording facilities are being used on outbound calls.
  • for inbound calls a recorded message informs callers that their call is being recorded.
  • this policy is published on the website.
  • call recording/monitoring information can be found in the Privacy Policy.
  • this Policy is available to employees on the Policies Register and via internal policy promotion.

 

  1. Procedures for managing and releasing call recordings

  • The recordings shall be stored securely individual users setup with multi-factor
    authentication required. Access to recordings controlled and managed by the Head of IT, Supporter Care Manager or any other persons authorised to do so by the
    Head of Marketing and Supporter Experience.
  • Access to the recording is only allowed to satisfy a clearly defined business need and reasons for requesting access must be formally authorised by a relevant authorised person. All requests for access to call recordings should include:
    • valid reason for request.
    • date/time of call.
    • telephone extensions used to make /receive call.
    • any other information on the nature of the call.
  • The browsing of call recordings is not permitted.
  • Data Protection legislation allows persons access to information that we hold about them. This includes recorded telephone calls. Therefore, the recordings will be stored in such a way to enable the Data Protection Officer to retrieve information relating to one or more individuals as easily as possible. Requests from individuals for access to their data within call recordings will be processed in line with our Subject Access Request Policy.
  • The Charity uses Vidicode Apresa client for 3CX to record inbound and outbound calls. Apresa voice recordings are stored on a cloud server and can only be accessed with individual login with required permissions. Recordings can be quickly located using ‘telephone number” or date and time, search criteria to ensure GDPR requirements for data subject rights can be complied with.

 

  1. Retention of Call Recordings

All call recordings will be automatically stored on the server for 90 days.

However, if there is a justified need to retain a specific recording for a longer period; this may be reviewed by the Director in conjunction with the Information Governance and Compliance Manager.

Information will not be retained for a longer period than necessary.

It will be the responsibility of the Head of IT to ensure the recordings are deleted from the server. This process is a scheduled process and automated.