Call Record Policy

1 General Principles

The Data Protection Act 1998 (the Act) protects personal information held by organisations on computer and relevant filing systems. It enforces a set of standards for the processing of such information. In general terms it provides 85 in any way incompatible with these purposes.

In the course of its activities Merlin Telecommunications will collect, store and process personal data, including the recording of all telephone calls, and it recognises that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.

2 Call Record Overview Purposes of call recording

The purpose of call recording is to provide an exact record of the call which can:  Help identify Merlin’ staff training needs;  Help improve Merlin’ staff performance;  Help protect Merlin’ staff from abusive or nuisance calls;  Establish the facts in the event of a complaint either by a customer or a member of staff and so assist in resolving it;  Assist in quality control to identify any issues in processes, with a view to improving them;  A call recording may also be used as evidence in the event that an employee’s telephone conduct is deemed unacceptable. In this situation the recording will be made available to the Company Directors and Data Protection Office, to be investigated as per the Merlin Disciplinary Policy.

The telephone call recording system in operation will record incoming and outgoing telephone calls and recordings may be used to investigate compliance with Merlin’s call quality standards, to provide further training, to support the investigation of complaints, to ensure that Merlin complies with regulatory procedures and to provide evidence for any regulatory investigation.

Merlin will record telephone conversations from its hosted telephone system. Merlin currently does not record the content of any telephone conversations outside of this operating system i.e. telephone conversations made to and from work provided mobile telephones.

3 Communicating the Call Recording System

Merlin will make every reasonable effort to communicate that calls will be recorded. This will be done by:  Publishing this policy on Merlin website www.merlin-telecom.co.uk  General notification e-mail to all staff to inform that telephone calls will be recorded for training and monitoring purposes.  Informing all clients in the first instance via a recorded announcement for Incoming calls.

4 Procedures to prevent the recording of sensitive data

The purpose of this section is to advise all staff at Merlin of our position on taking credit card details from clients and how to keep those details safe & secure. It is our responsibility to protect credit card data.

Our credit card provider requires us to comply with their Payment Card Industry Data Security Standards (PCI DSS) compliance programme. The programme aims to ensure that all merchants accepting card payments do so securely.

A data breach can make us liable for any fines incurred by Card schemes in addition to the cost of remedying the breach plus any compensation payable. Merlin will make every reasonable effort to ensure (PCI DSS) compliance is upheld regarding the recording of such telephony stored data. Credit Card information should only be taken from the client either in person or over the phone.

Card details should not be accepted by e-mail or other insecure messaging technologies. For compliance purposes clients wishing to make payment via credit card over the phone will have the call transferred to an unrecorded line. No member of staff is permitted to write down or retain card information under any circumstance.

5 Procedures for managing and releasing call recordings

1. The recordings shall be stored securely, with access to the recordings controlled and managed by Company Directors and Data Protection Officer.

2. Access to the recordings is only allowed to satisfy a clearly defined business need and reasons for requesting access must be formally authorised only by senior management. All requests for call recordings should include the following:

a. The valid reason for the request. b. Date and time of the call if known c. Telephone extension used to make/receive the call. d. External number involved if known. e. Where possible, the names of all parties to the telephone call. f. Any other information on the nature of the call.

3. The browsing of recordings for no valid reason is not permitted.

4. The Data Protection Act allows persons access to information that we hold about them. This includes recorded telephone calls. Therefore, the recordings will be stored in such a way to enable the Data Protection Officer to retrieve information relating to one or more individuals as easily as possible.

5. Requests for copies of telephone conversations made as Subject Access Requests under the Data Protection Act must be notified in writing to the Data Protection Officer immediately and, subject to assessment, he/she will request the call recording and arrange for the individual concerned to have access to hear the recording.

6. In the case of a request from an external body in connection with the detection or prevention of crime e.g. the Police, the request should be forwarded to the Data Protection Officer who will complete the request for a call recording.

7. Requests for copies of telephone conversations as part of staff disciplinary processes will only be released with the written agreement of the DPO, or any other person authorised by the DPO, who will consult with the Data Protection Officer before approval is granted.

8. Recordings of calls will be stored electronically in a secure environment. Call recordings will be automatically deleted, in line with the Retention Policy of 90 days.