A quirk of the new ways of working established in the pandemic is that a patient may submit a query via an online consulting platform, which may prompt a member of the team to call them. Unless the team member tells them so, the patient may not be aware that the call is being recorded.
Why is this important?
You must have a lawful basis upon which to process a patient’s data, and the patient has a right to be informed as to how their data is being processed. This means that you have obligations that include (but are not limited to):
- Informing patients about the collection and use of their personal data.
- Providing patients with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with (this is termed privacy information).
- Providing information in a concise, transparent, intelligible, easily accessible way, using clear and plain language.
- Providing privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
In June 2020, the Information Commissioner's Office (ICO) issued a reprimand to Surrey and Sussex police on the basis that they had rolled out an app that recorded both incoming and outgoing calls without appropriate safeguards, which resulted in them unlawfully processing personal data.
How should a practice protect themselves?
In accordance with the advice of the ICO, a layered approach could be adopted – this includes (but would not be limited to):
- Having an appropriately worded recorded message on the practice line informing patients that both incoming and outgoing calls from the practice are routinely recorded.
- If it is possible to do so, including a message on the online consulting platform that you use informing patients that both incoming and outgoing calls from the practice are routinely recorded.
- Having a prominent message on the practice website informing patients that incoming and outgoing calls from the practice are routinely recorded.
- Having a prominent notice in the waiting room informing patients that both incoming and outgoing calls from the practice are routinely recorded.
- Any messaging should state the reason for the recording (for example – for training and monitoring purposes).
- Devising a standard form of words to allow staff (including non-clinical staff) to opportunistically inform patients that incoming and outgoing calls are recorded.
- The Data Protection Impact Assessment (DPIA) for cloud-based telephony should cover the risks associated with call recording (and how to mitigate them).
- Your Privacy Notice should reference the fact that both incoming and outgoing calls from the practice are routinely recorded and should include:
  - the purpose(s) for which recordings are made.
  - by whom call recordings can be accessed and in what circumstances.
  - how the recordings are stored and for what period the recordings are held.
  - how recordings are protected from unauthorised access or use (for example – restricted access, encryption), and
- completing the Data Security and Protection Toolkit assessment annually.
The other approach to consider is to routinely inform patients when you call them back that the call is being recorded. This could be problematic for a number of reasons (for example, it is not a good way of opening a consultation, and the patient may have questions about why the call is being recorded, which may prolong the consultation, etc.).
You also need to consider what approach you would take in the event that the patient objects to the recording (for example – discontinuing the call and calling the patient back on a non-recorded line).
Irrespective of whether the call is recorded, you should make a contemporaneous entry in the records in accordance with the GMC guidance, which can be found at paragraphs 19-21 of Good Medical Practice.