Summary
- Audio recordings constitute personal data under the UK GDPR because a person’s voice can be used to identify them, making audio-enabled CCTV systems higher risk than visual-only systems and subject to strict data protection obligations.
- Businesses must carry out a Data Protection Impact Assessment (DPIA) before deploying audio recording devices, and can only use them where there is a legitimate and essential purpose such as crime prevention, excluding areas with a reasonable expectation of privacy such as bathrooms or staff rooms.
- Non-compliance with UK GDPR audio recording obligations risks fines from the ICO of up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher, making robust policies, secure storage, staff training, and data minimisation essential.
- This article is a guide to audio recording compliance for businesses in the UK, explaining GDPR obligations when using audio recording technology in the workplace.
- LegalVision is a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.
Tips for Businesses
Complete a DPIA before installing any audio recording devices and document your lawful basis for use. Display clear warning notices near all recording devices and establish a written data retention policy specifying deletion timescales. Encrypt and password-protect all stored audio data, and train staff regularly on your data protection obligations and internal policies.
Many UK businesses use CCTV for security, but adding audio recording to the mix raises serious data protection obligations under the General Data Protection Regulation (GDPR). Getting it wrong can result in a substantial fine from the Information Commissioner’s Office (ICO). This article will examine the circumstances in which your organisation can safely use audio recording technology in the workplace while fully complying with the GDPR.
The General Data Protection Regulation
The GDPR is data protection legislation that applies to organisations in the UK. Its primary purpose is to ensure that all identifying information (known as ‘personal data’) is processed and handled in a sensible and secure manner.
The GDPR uses a broad definition of ‘personal data’. This definition includes:
- phone numbers;
- biometric data;
- photographs;
- email addresses;
- CCTV footage; and
- audio recordings.
The Information Commissioner’s Office
The ICO exists to investigate alleged breaches of the GDPR. If the ICO concludes that an organisation has committed a GDPR violation, it will consider imposing a fine of up to the higher of £17.5m and 4% of your total annual worldwide turnover in the preceding financial year. The ICO has made numerous headlines over hefty financial penalties in the millions of pounds and is not shy of issuing these.
Naturally, most UK businesses will strive to avoid a fine.
How Can My Company Safely Use Audio Recordings in the UK?
The majority of UK businesses utilise CCTV systems on their premises, and modern CCTV systems often include audio recording capabilities.
There are two main types of audio recording systems within UK companies:
- a CCTV system with audio recording built into the camera network; and
- a discreet audio recording device, absent visual cameras.
Audio recordings can give you better control over your premises. However, they are classified as personal data because a person’s voice (known as voice data) can be used to identify them. Additionally, the conversation itself could contain confidential information about that data subject and involve details they would not wish others to hear.
CCTV systems utilising audio data are high risk compared to visual-only CCTV footage and contain sensitive personal data. This is because they record more information than an image-only device, which risks breaching an individual’s right to privacy. Therefore, your organisation must ensure audio recordings comply with the GDPR by taking the following steps:
- carry out a Data Protection Impact Assessment (DPIA);
- inform individuals of audio recording devices;
- delete audio recordings when no longer necessary;
- ensure robust and secure storage of audio data;
- provide staff training; and
- follow the principle of data minimisation.
These steps are detailed below.
1. Data Protection Impact Assessment
A DPIA is a review aiming to help your company identify data protection risks, including potential GDPR and Data Protection Act breaches.
In relation to audio recordings, a DPIA should consider the following:
- whether audio recordings are essential for your business;
- the lawful basis and legitimate interests justifying the audio recording devices;
- what risks the audio recordings pose to individuals and steps taken to minimise these; and
- the scope and size of the audio recording network.
Audio recordings are only likely to be considered necessary if they serve a fundamental and essential purpose. Many businesses state that the primary purpose of audio recording is to assist in crime prevention. However, this will only be lawful if the devices are outside areas with a reasonable expectation of privacy, such as a bathroom.
The risk to individuals from an audio recording is greater than that posed by a visual-only CCTV system. It could give a business access to innocent and private conversations between staff members.
The ICO believes that businesses should only use audio recordings in areas where they may aid the prevention of crime and not, for example, in a staff room to pick up workplace gossip.
2. Audio Recording Notification
Your business should ensure that it notifies staff of the presence of audio recording devices within a reasonable distance of each device. A warning sign similar to CCTV warning signs is usually sufficient.
Some organisations also publish a written policy warning of the use of audio recordings within their premises. Most of these policies will confirm where audio recording devices are and are not allowed.
3. Deletion of Audio Recording Data
One of the primary principles of the GDPR is to delete data when it is no longer necessary. As a result, your company will likely have no lawful reason for keeping audio recordings from three years ago unless they form part of an active disciplinary investigation (or similar).
It is also crucial to establish a clear data retention policy for audio data. This policy should specify the duration for which audio recordings will be stored and the process for securely deleting data once it is no longer necessary. Furthermore, regular audits of your audio recording practices can help ensure that your business remains in compliance with GDPR requirements. This will help to prevent issues that could result in costly fines or legal consequences.
4. Secure Storage of Audio Recordings
Given the high level of detail and risk of capturing private information by audio recording devices, the ICO is keen for all data to be securely stored.
If your business fails to take active security measures, such as password protection and encrypting audio data, the ICO may consider imposing a substantial fine.
5. Providing Staff Training
Staff training is an essential consideration for any business. Your employees should be educated on the use of audio recording systems, the data protection policies in place, and how to handle the data responsibly. An awareness of GDPR compliance amongst your staff can significantly reduce the likelihood of accidental breaches.
6. Principle of Data Minimisation
Businesses should also consider the principle of data minimisation. This principle ensures that only the minimum amount of data necessary for the intended purpose is collected and stored. If your business does not need audio recordings to fulfil a legitimate purpose, such as indicating possible criminal acts or threats to public security, you should refrain from using them.
Key Takeaways
Your business must comply with GDPR rules when handling personal data that could identify an individual. Audio recordings contain an individual’s voice and discussion of verbal information, whether through a listening device or a CCTV camera. Any violation of GDPR rules regarding audio recordings threatens a hefty fine of up to £17.5 million from the ICO. Therefore, your business needs to be transparent about audio recording monitoring systems.
If you need help using audio recording technology legally, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced Data, Privacy and IT lawyers help businesses across industries manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
This is because you can use a person’s voice (known as voice data) to identify them, and the conversation may contain confidential information about that individual.
CCTV systems utilising audio data are high-risk and contain sensitive data, as they record more information than an image-only device, and risk breaching an individual’s right to privacy.
Audio recording devices are only lawful in areas aiding crime prevention, such as outside premises. Businesses cannot place them in areas with reasonable privacy expectations, such as bathrooms or staff rooms.
Businesses must implement robust security measures, including password protection and data encryption. Failing to secure audio data adequately risks the ICO imposing substantial fines for GDPR non-compliance.