You’ve heard a lot about the General Data Protection Regulation (GDPR) in the last few months. What you may not realise is that, until it comes into force and is tested, many of the effects of GDPR are difficult to predict. There will inevitably be some completely unanticipated consequences. We have identified one of them – and it means that many healthcare organisations are going to have to either stop recording telephone calls or record them differently.
What is the issue with call recordings?
The problem hinges on being able to identify which patients are the subject of call recordings. As a broad summary:
- Article 15 of GDPR gives patients (“Data Subjects”) the right to access their data and also entitles them to a copy of the data;
- Article 17 gives patients the right to request erasure of personal data;
- Article 20 gives patients the right to transfer their personal data from one electronic processing system to another, without being prevented from doing so by the data controller; and
- Article 34 requires that patients are notified if there is an “adverse” data breach.
So why does this matter? In order to comply with these requirements, recordings need to be tagged or labelled with the identity of the patient they concern. If you can’t identify the patients, you are keeping sensitive personal data but cannot give patients the access, right to erasure, data portability and breach notifications required by GDPR. We confirmed this with the Information Commissioner’s Office on 4th May. The ICO guidance was that call recordings have to identify the subject patient to comply with GDPR.
What does this mean for call recordings after May 25th?
It means the days of recording all incoming calls are likely over. We strongly recommend that organisations get legal advice, but our read of the situation is:
- Organisations cease recording calls where the recording is not tagged or identified in some way;
- Organisations consider deleting old call records that are not tagged with patient identifiers; and
- Organisations only record calls using systems that allow patient identifiers to be tethered to the call recordings.
This doesn’t mean that you shouldn’t record any calls – a call recording is still the gold standard for medico-legal purposes. It is understandable that clinicians should want the additional protection offered by recordings for certain types of call. Consultant Connect’s system allows users to input a patient identifier (for example, NHS number) and that identifier is stored alongside the recording. Recordings can be given to patients, erased and moved, and the patient can be notified if there is a data breach. Recordings made using Consultant Connect are, therefore, fully compliant with GDPR.
If you would like to discuss how Consultant Connect can provide GDPR-compliant call recording technology for any calls that require this medico-legal protection, please get in touch with us on 01865 261467 or firstname.lastname@example.org.