Call Centres and the Data Protection Act

Some Legal Points to Note

Please note the Law may have changed since the publication of article.

  1. Customers should be advised if their details are to be stored, by whom and for what purpose. So, if the call-centre is taking details on behalf of another company, the customer must be advised of the name of that company. The principle behind this is that a customer (a person who is a living individual and thus a “data subject” for the purposes of the Data Protection Act 1998) has the right to choose who they give data to.
  2. If the call centre collects data for its own purposes, the customer has the right to choose not to have their data used and stored by the call centre.
  3. A call centre can only use the data it has for the purposes it was collected. So, if a customer gives information in response to an “insurance survey”, those details cannot be shared with banks offering insurance products unless the customer has agreed to data about them being used and shared.
  4. Data cannot be shared or transferred to third parties without the customers consent and may not be transferred to a party in a country outside the EU unless the country has laws which provide equivalent data protection laws or such laws have been deemed “adequate” by the Information Commissioner.
  5. All EU countries have “adequate” protection as the DPA stems from a European Directive on data protection.
  6. Data must only be stored for a reasonable length of time. Call centres must therefore ‘fillet’ their records periodically.
  7. There has not been any data protection prosecutions so far, but the Commissioner has indicated that now the transitional phases are over, a tough stance will be taken against offenders.

All call centres should have a data protection policy in force and should ensure that the “legals” are read to customers at the beginning of the call so that the customer can choose whether to proceed. Some are still guilty of not doing this and of expecting customers to “opt-out” of having their details shared when in fact “opt-in” (i.e. a customer has to positively agree to have their details shared) is now the most legal approach. Call centres can also store data they collect from their clients and cross-seed the lists used for one “campaign” with another. Unless customers have agreed to this, such practices breach the DPA.

The “legals” used include giving the customer the choice of whether or not their details be retained and shared. Often the “legals” also include details of whether calls may be monitored and indeed if they are, customers must be made aware of this.

© This article is copyright Simon Halberstam  2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.