Call Recording and standards compliance

What are the benefits of call recording and which legislation do I need to be aware of?

Call recording has many benefits, but businesses must be aware of the legislation they need to navigate in order to comply with the law.

The core benefits of call recording are:

  • Improved staff training and performance (this impacts directly on customer service).
  • Protecting against disputes and deterring crime (our call recording is admissible in court).
  • Supporting compliance (see section on compliance).
  • Tangible insights on customers, campaigns and products (ROI).
Compliance and Legislation
GDPR (General Data Protection Regulation) - EU wide from 25/05/2018

GDPR provides a single set of rules for handling the data of EU citizens. In relation to call recordings, the key elements are consent, responsibility and accountability. These can be boiled down to simply ensuring that people are aware of being recorded and that access to the recording/file is controlled and secure. Consumers will have greater data rights than under the current Data Protection Act, such as the right to know the scope of personal data collection and the rights to port data or be forgotten, all at no charge to the consumer. It is imperative that the data controller facilitates this with a clear data policy and concise processes in order to avoid financial penalties.

Please contact us for details on Data Protection Impact Assessments (DPIAs) and for further information and details for the data protection officer (DPO).
http://www.eugdpr.org/the-regulation.html

MiFID (Markets in Financial Instruments Directive) - EU wide from 03/01/2018

MiFID I and II apply to businesses/persons offering financial markets advice/transactions. They mandate, as compulsory rather than the best practice it was previously, that all calls involving financial advice and/or subsequent transactions are recorded and stored for a prescribed period of up to 7 years. MiFID II grants clients the right to receive copies of records, and as such integrity and provenance will become a prominent evidential factor in firm-client disputes.

  • VoiceHost ensures file integrity with cloud storage.
  • Recording can be enabled on inbound numbers or outbound calls.
  • A Dial-Through application is available to enable any telephone call originating from any device and any network to be recorded (see more on dial-through here).
  • Mobile application for Android and iOS enabling all VoiceHost routed calls to be recorded.

https://www.fca.org.uk/markets/mifid-ii
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014L0065&from=EN (see Article 16(7))

PCI-DSS (Payment Card Industry Data Security Standard) - Worldwide and non-compulsory (last updated in 2016)

PCI-DSS is not compulsory and was introduced by payment providers (Card Companies) in a bid to curb credit card fraud. As far as call recording is concerned, there are particular sensitivities around the storage of private card details and the standard has required businesses to make “best endeavors” to ensure the three-digit CV2 security numbers are not recorded or are not identifiable on any call recordings.
https://www.pcisecuritystandards.org/pci_security

VoiceHost can provide you with compensating controls to help negate the recording of CV2 codes. You can enable start/stop call recording via the control panel.

How does call recording work on the VoiceHost platform and what are the features?
  • Complete Call Recording - Call recording is configurable per inbound number and/or per outbound hosted seat or SIP trunk. This allows the account holder to set recorded and non-recorded routes. If enabled, an optional warning prompt can be played to callers, but on inbound calls only.
  • Legal Notice - VoiceHost offers a built-in recording notification to help you stay compliant with legal requirements and avoid litigation (available for both inbound and outbound call scenarios). The VoiceHost platform plays a recording announcement at the beginning of the conversation to notify customers that the call may be recorded.
  • Flexible Retention - VoiceHost enables users to easily configure the retention period for call recordings. Different retention periods can be selected for different types of calls to keep storage costs down.
  • Secure Storage and Transfer - VoiceHost can deliver call recordings via FTP or FTPS, with delivery made nightly direct to the customer. Recordings are decrypted for FTP delivery, as otherwise playback would not be possible. Call recordings remain encrypted on network storage until the user-defined period has elapsed. Call recordings are then permanently deleted and cannot be recovered.
  • Fine-grained privileged access - Access to data is password-protected and provided to authorised users only. Role-based access control allows users' rights to be defined, such as playback, live monitoring, administration and resource access.
  • File Watermarking - VoiceHost call recordings are admissible in court and VoiceHost can ensure that a call recording remains intact and unaltered whilst within our network.
  • PCI-DSS Start-Stop - VoiceHost can provide you with compensating controls to help negate the recording of CV2 codes. You can enable start/stop call recording via the control panel.
Admissible in court

Once a call is recorded, it is stored using 256-bit encryption. Each recording has a unique key and a modification hash (checksum) to ensure authenticity at the network generation level, which makes the recording admissible in a court of law.

No archiving of call-recordings is allowed at a network level and once the defined call-recording storage period has elapsed, the recording is permanently deleted.

FTP and FTPS (File Transfer Protocol with optional encryption)

The delivery of call recordings via FTP or FTPS is available. Access to the VoiceHost edge is not permitted and delivery is made nightly via FTP to the customer. Recordings are decrypted for FTP delivery, as otherwise playback would not be possible. Plain FTP has no transport encryption, so the decrypted recordings are protected in transit only when FTPS is used. Call recordings will remain encrypted on network storage until the user-defined period has elapsed. Call recordings are then permanently deleted and cannot be recovered.

  • Create an FTP server and user with read/write privileges.
  • Pass the user details to VoiceHost so that we may start sending you the call recordings each night.
Other Legal Considerations

Call recordings are subject to the following legislation, which is applicable in England and Wales.

  • Regulation of Investigatory Powers Act 2000 ("RIPA")
  • Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 ("LBP Regulations")
  • Data Protection Act 1998
  • Telecommunications (Data Protection and Privacy) Regulations 1999
  • Human Rights Act 1998
  • The Computer Misuse Act 1990
Storage

Call recordings are compressed using MPEG layer 3 encoding at 24 kbps. 1 GB of storage should accommodate 92.59 hours of recorded audio, or approximately 10.8 MB per hour of recorded audio.

All storage is within the United Kingdom and encrypted at rest within ISO27001, ISO9001, PCI-DSS and GDPR compliant Data centres.

How do I ensure my telephony complies with PCI-DSS best practices and other regulations?
  1. Enable encryption.
  2. Use call recordings with operator mute functionality if you are taking card payments over the telephone.
  3. Enable call recording storage (VoiceHost storage is encrypted and kept in PCI-DSS compliant data centres).
Conclusions

Given that VoiceHost offers unlimited call recording stored FREE for 30 calendar days, enabling it is an obvious choice.

The VoiceHost privacy policy is available here: https://www.voicehost.co.uk/privacy-policy


Simon
Simon has been with VoiceHost for 10+ years and his management duties include operations, regulatory, standards, industry and internal process compliance.