Behind the Headset: The Privacy Pitfalls of Call Centres and How They're Putting Your Business at Risk

By Sharon Bauer

Call centres are often the first point of contact between customers and businesses. Organizations that rely on call centres, either in-house or outsourced, for customer support are not putting enough attention to the privacy risks that stem from the collection, use and disclosure of personal information during customer calls.

In the past several years, we have seen heightened privacy risks with organizations that have call centres. This article explores on a high level how call centres may violate privacy and what they can do to reduce their risk of non-compliance. Many of these risks can also apply to online customer support chats.

Disclosure of personal information

Call centre agents have access to sensitive information, including personal details, financial information and account information. For example, an organization may grant call centre agents access to their customer relationship management (CRM) system to add or review information. Most of the time there is a legitimate need to have access to this information to address customer queries. However, organizations should be mindful of not providing agents with more information than is necessary for them to provide their service. Call agents also request personal information directly on calls that is not already in their system.

It is imperative that organizations review the agents' scripts from a privacy perspective and only have them ask for personal information they need to provide a service and nothing more. Check scripts for proper consent when one is needed. For example, is the agent asking a customer for their username and password to assist them with a technical issue? Does the agent have access to the customer's desktop? Organizations must ensure that they minimize the personal information collected unless it is necessary to address and resolve the query. Arguably, passwords should never be sought from a customer. Reviewing scripts and changes to scripts with a privacy lens is essential, which means that there needs to be an open line of communication between the call centre manager and the privacy officer.

Transparency, consent or legitimate interest

Any collection and use of personal information need to be communicated to the customer and, as a default practice, explicit consent should be sought unless the business has a legitimate interest in processing the information. If the call centre is recording the calls, which most do, it is necessary to be transparent about that before the call starts. We have all heard the standard "your call may be recorded for quality assurance and training purposes." In these circumstances, there is likely a legitimate interest in recording the call, so long as the call centre only processes the recording for quality assurance or training purposes, and for no other purpose. If the call centre or the organization will use the recording for other purposes, such as marketing, sales, or analytics, the legitimate interest lawful basis may not apply, and the call centre may need to seek explicit consent from the individual to record the call. In that instance, the call centre needs to be prepared for a customer to decline to have the call recorded and therefore still be able to serve in the same manner.

As an organization, think about which systems and tools you are sharing the recordings with and what those systems or tools will do with that information. For example, will the CRM system you record call data in be shared with a marketing tool that will start to send target the caller with ads? If that is the case, legitimate interest may no longer qualify and consent may need to be sought.

In recent years, more call centres have been relying on AI tools to assist with customer identification, such as voice recognition, or tools that allow the call centre to identify customer sentiment. Organizations that use biometric information must consider whether explicit consent needs to be sought. For the most part, given that voice recognition is sensitive personal information, explicit consent should be obtained unless it falls under an exception such as the prevention of fraud.

Determining if explicit consent is necessary for AI tools that assess customer sentiment may not be clear-cut. An organization should analyze to identify the purpose of the tool and how the data will be used. Regardless of whether explicit consent is required, providing customers with transparency around these practices is necessary both in the pre-call message as well as in the privacy notice. Pre­call messages should inform the customer that they can review the privacy notice and direct them to the website.

Outsourcing and vendor risks

Many call centres are outsourced to third parties, which may result in data being transferred to other jurisdictions that do not have the same level of protection as the jurisdiction the data originated from. Organizations must ensure they enter into proper contractual arrangements with their outsourced call centres to implement proper contractual, organizational and technical measures in place. The organization should limit how the call centre uses the data so that it is only used to provide the organization with a service and for no other secondary purpose.

Outsourced call centres should have a robust privacy program with proper policies and procedures in place that are both monitored and enforced. The organization should ensure that they have the right to audit the call centre around its privacy and security practices. Proper privacy training must be put in place for all agents to understand what information they are permitted to seek during calls, what information they may have access to in their existing systems, as well as how to identify potential fraudsters looking to steal customer data, which can lead to identity theft.

Retention of recordings or transcripts

Most calls are recorded leaving the call agency and/or the organization with the recording and often a transcript as well. These recordings and transcripts can be flooded with sensitive personal information, including information that if in the wrong hands, can cause serious harm to the individual. Retention periods must be set to permanently destroy the recordings and transcripts. These retention periods should apply both to the organization and the call centre if there are different instances of the same data. Many organizations fear the destruction of recordings if there will be future complaints. The retention policy should have exceptions built into it to retain data for events such as suspicion of future complaints or lawsuits. Furthermore, some tools can help to redact sensitive personal information in transcripts and recordings so that the risk of retaining this information is reduced significantly.

Conducting due diligence on the call centre is essential in ensuring that agents are following scripts properly and not deviating in a way that can create a privacy risk. While the privacy officer is not necessarily the stakeholder to conduct due diligence on calls, the stakeholder that is accountable for call centre quality assurance should have a direct line of communication with the privacy officer to address potential and hidden privacy risks that resides in the department. Finally, if the organization outsources the call centre, making sure it has appropriate indemnity clauses will be essential as well as ensuring the call centre must investigate and report on its agents for any privacy and security complaints, incidents and breaches.

This article was originally published by Law360 Canada, part of LexisNexis Canada Inc.