Call Recording Policy

1. Introduction

This policy outlines the Practice’s approach to the recording of telephone calls. Call recording is implemented to support operational quality, compliance with legal obligations, and staff/patient safety. This policy ensures that recordings are handled in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Telecommunications Act 1984.

2. Purpose

The purpose of call recording is to provide an exact record of incoming and outgoing calls which can:

  • Protect the interests of both patients and staff
  • Identify staff training and development needs
  • Protect staff from abusive or nuisance calls
  • Establish facts in the event of a complaint or incident
  • Support investigations into medico-legal claims
  • Improve processes and ensure compliance with regulatory requirements
  • Provide evidence in staff disciplinary or grievance matters
  • Support clinicians with records of telephone consultations

3. Scope

This policy applies to:

  • All external incoming and outgoing calls made via the practice telephone system
  • Internal calls and call transfers

Recording automatically stops when the call is terminated by the staff member.

4. Call Recording Overview

  • All calls are recorded via the practice telephone system
  • Recordings are encrypted (256-bit) and stored on a secure server at the system provider’s headquarters as required by NHS Security standards
  • Access is strictly controlled and monitored by the Data Controller
  • Calls can be accessed through password-protected logins

5. Informing Callers

The Practice will make all reasonable efforts to inform callers that calls are being recorded. This is done by:

  • An automated pre-recorded message at the start of all incoming calls
  • A summary of this policy on the Practice website
  • Information displayed in the waiting room

Continuing with the call after hearing the message is considered implied consent.

6. Playback and Monitoring

Playback or monitoring of calls will be undertaken by:

  • GP Partners
  • Senior management (Practice Business Manager, Assistant Practice Manager and Operations Manager)

  • Playback will occur in a private and secure setting
  • Monitoring is only permitted for specific business reasons (e.g. training, complaint investigation, or legal compliance)
  • Browsing recordings without valid reason is prohibited

7. Access, Retention, and Subject Requests

a) Access and Control

  • Access to recordings is limited to authorised individuals
  • Any request must state a clear, justified purpose
  • Requests must include details such as date/time of call, parties involved, and relevant extensions

b) Subject Access Requests (SARs)

  • Patients can request to hear or receive recordings of calls involving them
  • All SARs must be submitted in writing under the provisions of the UK GDPR
  • The Practice will respond in accordance with standard data protection timelines
  • Where appropriate, patients may be invited to listen to recordings on-site

c) Third-Party & Legal Requests

  • Requests from bodies such as the police must be directed to the Data Controller or Practice Business Manager
  • In disciplinary matters, call recordings may be accessed only with written approval from the Data Controller
  • Any breach of this policy or unauthorised access will be treated as a serious offence and may result in disciplinary action

8. Retention

Call recordings will be retained for up to 12 months, unless legally required to be held longer.

9. Opt-Out Policy

If a patient requests that their call is not recorded, they are to be advised that it is organisation policy to record all calls to ensure the safety and security of both patient and staff/clinicians. They will be asked to visit the surgery in person.

10. Confidentiality and Compliance

  • Recordings are treated as personal data under the UK GDPR
  • All recordings must be stored and accessed in a way that protects individual privacy
  • The Practice is registered with the Information Commissioner’s Office (ICO) for relevant processing activities

Any suspected or actual breach of this policy must be reported immediately to a line manager or the Data Controller.

Page last reviewed: 18 September 2025
Page created: 15 September 2025