Table of Contents
- The General Data Protection Regulation
- The Information Commissioner’s Office
- How Can My Company Safely Use Audio Recordings in the UK?
- 1. Data Protection Impact Assessment
- 2. Audio Recording Notification
- 3. Deletion of Audio Recording Data
- 4. Secure Storage of Audio Recordings
- Key Takeaways
- Frequently Asked Questions
As a business owner, you know the importance of ensuring good security at your work premises. Many businesses in the UK use CCTV systems for security purposes to protect their staff, money and company property. However, there is an increasing trend toward using audio recording alongside CCTV video cameras for added security.
This article will explore the circumstances in which your organisation can safely use audio recording technology in the workplace in full compliance with the General Data Protection Regulation (GDPR). This should help your company avoid the risk of a hefty fine from the Information Commissioner’s Office (ICO) for GDPR violations.
The General Data Protection Regulation
The GDPR is data protection legislation that applies to UK organisations. Its primary purpose is to ensure that all identifying information (known as ‘personal data’) is processed and handled sensibly and securely.
The GDPR uses a broad definition of ‘personal data’. This definition includes;
- phone numbers;
- biometric data;
- photographs;
- email addresses;
- CCTV footage; and
- audio recordings.
The Information Commissioner’s Office
The ICO exists to investigate alleged breaches of the GDPR. If the ICO concludes that an organisation has committed a GDPR violation, it will consider imposing a fine of up to £17.5m. The ICO has made numerous headlines over hefty financial penalties in the millions of pounds and is not shy of issuing these.
Naturally, most UK businesses will do their utmost to avoid a fine.
LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
How Can My Company Safely Use Audio Recordings in the UK?
The majority of UK businesses use CCTV systems on their premises, and modern CCTV systems tend to include audio recording.
There are two main types of audio recording systems within UK companies:
- a CCTV system with audio recording built into the camera network; and
- a discreet audio recording device absent visual cameras.
Audio recordings mean you can have better control over your premises. However, they are classed as personal data as you can use a person’s voice to identify them, which is voice data. Additionally, the conversation itself could contain information confidential to that data subject and involve details they would not wish others to hear.
CCTV systems utilising audio data are high risk compared to visual-only CCTV footage and contain sensitive data. This is because they record more information than an image-only device and risk breaching an individual’s right to privacy. Therefore, your organisation must ensure audio recordings comply with the GDPR by taking the following steps::
- carry out a Data Protection Impact Assessment (DPIA);
- inform individuals of audio recording devices;
- delete audio recordings when no longer necessary; and
- ensure robust and secure storage of audio data.
These steps are detailed below.
1. Data Protection Impact Assessment
A DPIA is a review aiming to help your company identify data protection risks, including potential GDPR and Data Protection Act breaches.
In relation to audio recordings, a DPIA should consider the following:
- whether audio recordings are essential for your business;
- the lawful basis and legitimate interests justifying the audio recording devices;
- what risks the audio recordings pose to individuals and steps taken to minimise these; and
- the scope and size of the audio recording network.
Audio recordings are only likely to be considered necessary if they serve a fundamental and essential purpose. Many businesses state that the primary purpose of audio recording is to assist in crime prevention. However, this will only be lawful if the devices are outside areas with a reasonable expectation of privacy, such as a bathroom.
The risk to individuals from an audio recording is wider than a visual-only CCTV system. It could give a business access to innocent and private conversations between staff members.
The ICO believes that businesses should only use audio recordings in areas where they may aid the prevention of crime and not, for example, in a staff room to pick up workplace gossip.
2. Audio Recording Notification
Your business should ensure that it notifies staff of audio recording devices within a reasonable distance of each device. A warning sign similar to CCTV warning signs is usually sufficient.
Some organisations also publish a written policy warning of audio recordings within the premises. Most of these policies will confirm where the audio recording devices are and are not.
3. Deletion of Audio Recording Data
One of the main principles of the GDPR is to delete data when no longer necessary. In this way, your company will likely have no lawful reason for keeping audio recordings from three years ago unless they form part of an active disciplinary investigation (or similar).
The ICO is particularly keen on deleting audio data, given the vast amount of information within any audio recording and the chance of picking up private conversations.
4. Secure Storage of Audio Recordings
Given the high level of detail and risk of capturing private information by audio recording devices, the ICO is keen for all data to be securely stored.
If your business fails to take active security measures such as password protection and encrypting audio data, the ICO will consider the imposition of a hefty fine.
Key Takeaways
Your business must follow GDPR rules when handling personal data that could identify a person. Audio recordings contain an individual’s voice and discussion of verbal information, whether through a listening device or a CCTV camera. Any violation of GDPR rules regarding audio recordings threatens a hefty fine of up to £17.5m from the ICO. Therefore, your business needs to be transparent about audio recording monitoring systems.
If you need help using audio recording technology legally, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
This is because you can use a person’s voice (known as voice data) to identify them, and the conversation could contain confidential information about that data subject.
CCTV systems utilising audio data are high risk and contain sensitive data as they record more information than an image-only device and risk breaching an individual’s right to privacy
We appreciate your feedback – your submission has been successfully received.