
Data Protection for Audio Recordings and Telephone Calls


Recording telephone conversations can be valuable for schools—supporting training, quality assurance, dispute resolution, and legal compliance. However, such recordings qualify as personal data under the UK General Data Protection Regulation (UK GDPR) and must therefore comply with strict data protection requirements.

Security Measures

Organisations should implement strong safeguards, including:

  • Encryption of recordings;

  • Strict access controls; and

  • Cybersecurity protections and monitoring.

Individual Rights under UK GDPR

Individuals retain rights over their recorded data, including the ability to:

  • Access recordings;

  • Request corrections;

  • Object to processing; and

  • Request erasure under Article 17 (Right to Be Forgotten) where:

    • Data is no longer needed;

    • Consent is withdrawn and no other lawful basis applies;

    • Processing is unlawful; and

    • Data must be erased to comply with legal obligations.

Organisations must respond to valid erasure requests within one month, unless an exemption applies (e.g., data needed for legal claims or compliance).

Data Protection Impact Assessments (DPIA)

A DPIA should be conducted where call recording may pose a high risk to individuals’ rights, particularly when:

  • New technology is used; and

  • Employees are monitored on a large scale.

Employee Monitoring

Call recording in the workplace is subject to additional safeguards under the ICO’s Employment Practices Data Protection Code, requiring clear justification and transparency with staff.

Retention Periods for Call Recordings

  • There is no single rule—retention depends on context;

  • Financial Services – the FCA requires retention for at least five years (seven in some cases); and

  • Other sectors – retention must align with GDPR’s storage limitation principle: keep recordings only as long as necessary.

Best practice

  • Define a clear retention policy;

  • Communicate this policy to staff and customers; and

  • Regularly review and securely dispose of outdated recordings.

Key Takeaways

  • Always identify a lawful basis before recording;

  • Be transparent with individuals about the purpose and retention of recordings;

  • Follow GDPR principles, including data minimisation and storage limitation;

  • Apply robust security measures;

  • Respect individual rights, including access and erasure;

  • Consider DPIAs where risks are high; and

  • Review retention policies regularly.

Additional Resources

To learn more about Data Protection, consult the Handsam Quick Guides by using the Topic Tag DATA PROTECTION. Handsam also offers a range of Data Protection policies, and you can reach out to us at 03332 07037 or email info@handsam.co.uk for further details or pricing.

Legal Framework

In the UK, call recording is primarily regulated under:

  • UK GDPR (retained from EU GDPR after Brexit); and

  • Privacy and Electronic Communications Regulations (PECR).

Both aim to protect the privacy and rights of individuals whose data is being collected, used, or stored.

Lawful Basis for Recording

You must have a clear and justifiable legal basis. Common options include:

  • Consent – explicit agreement from all parties, informed about purpose and use;

  • Contractual Necessity – recording required to deliver or perform a contract;

  • Legal Obligation – recording mandated by law or regulation;

  • Legitimate Interests – e.g., training, quality assurance, dispute resolution—provided this does not override individuals’ rights; and

  • Public Interest / Official Authority – where processing serves the public good or an official role.

Transparency and Notification

  • Inform participants at the start of the call (e.g., pre-recorded message or verbal notice); and

  • Be clear about the purpose, intended use, and retention period of the recording.

Data Protection Principles

When handling recordings, you must comply with GDPR principles:

  • Lawfulness, Fairness & Transparency – process data openly and legally;

  • Purpose Limitation – use recordings only for declared purposes;

  • Data Minimisation – capture only what is necessary;

  • Accuracy – keep data relevant and up-to-date;

  • Storage Limitation – delete or anonymise when no longer required;

  • Integrity & Confidentiality – secure recordings against unauthorised access or loss; and

  • Accountability – demonstrate compliance at all times.
