Emerging Data Protection Principles on Recorded Call Conversations
In Jeremy Obano v Kenya Airways Plc, the Complainant lodged a complaint alleging that the Respondent had denied him access to a recorded call conversation. The call arose from an incident in which the Complainant experienced inconvenience after his mother was denied a wheelchair while travelling on the Respondent’s airline.
In its determination, the Data Commissioner held that recorded call conversations constitute personal data. The Data Commissioner observed that an individual may be identifiable in a phone call through a combination of factors, including their voice and other identifiers including their name, telephone number, email address or contact details. As such, recorded calls fall within the scope of personal data protected under the Data Protection Act.
Similarly, in Andrew Alston v Liquid Telecommunications Kenya Limited, the Data Commissioner held that a call recording inherently contains the voice of the person speaking, which is a biometric and physiological identifier.
In Andrew Alston v Liquid Telecommunications Kenya Limited, the Complainant was a former employee of the Respondent for over ten years before being retrenched in 2024. Following the retrenchment, a consultative call was held between the Complainant and HR representatives of the Respondent, as well as an affiliate company associated with the Respondent. The call was recorded by the Respondent.
The Respondent stated that, at the beginning of the call, an automated notification generated by the meeting platform informed participants 1 www.mutie-advocates.com that the call was being recorded. However, the Data Commissioner held that this notification did not meet the requirements of the Data Protection Act. Specifically, the Respondent failed to demonstrate that the Complainant had been informed of:
- the purpose for which the personal data was being collected.
- the third parties to whom the data would be transferred and the safeguards applicable to such transfer; and
- the technical and organisational measures adopted to ensure the integrity and confidentiality of the data.
3. There Must be a Lawful Basis for Processing the Data
In Andrew Alston v Liquid Telecommunications Kenya Limited, the Complainant stated that during the call conversation, he expressly indicated that he did not consent to the recording of the call. He further stated that the Respondent assured him that the recording would be deleted immediately after the call.
Subsequently, the Complainant instituted arbitration proceedings against Liquid Telecommunications Mauritius in relation to a separate matter. The Respondent, who was not a party to the arbitration, nonetheless shared the recorded call outside Kenya with other entities within the wider Liquid Group. The Complainant contended that the recording had no relevance to the arbitral proceedings, as the call related to work permit issues, while the arbitration concerned a contractual dispute between himself and Liquid Telecommunications Mauritius.
On their part, the Respondent argued that they relied on the lawful basis of legitimate interests to process and retain the recording, asserting that the call was necessary for evidentiary purposes in support of its constitutional right to a fair hearing and an impartial determination of disputes involving the Respondent, its sister companies and the Complainant.
The Data Commissioner rejected this argument, holding that the claimed legitimate interest failed the necessity test. The Commissioner found that there were less intrusive means of achieving the same purpose, such as the use of written minutes. In addition, the Respondent failed to produce any evidence demonstrating the relationship between Liquid Telecommunications Kenya and Liquid Telecommunications Mauritius, or the lawful basis for the cross-border transfer of the Complainant’s personal data.
In Andrew Alston v Liquid Telecommunications Kenya Limited, the Data Commissioner held that, contrary to section 25(c) of the Data Protection Act and regulation 31 of the Data Protection (General) Regulations, 2021, the Respondent failed to inform the Complainant of the explicit and specified purposes for which his personal data was being collected, processed, and used.
The Commissioner also found that the Respondent shared the Complainant’s personal data with Liquid Telecommunications Mauritius without expressly informing the Complainant of the intended secondary use.
5. Data Subjects Have the Right to Access Recorded Call Conversations
In Jeremy Obano v Kenya Airways Plc, the Data Commissioner held, pursuant to section 2 www.mutie-advocates.com 26 (b) of the Data Protection Act and Regulation 9 (a) and (3) (a) of the Data Protection (General) Regulations 2021, that a data subject has the right to access their personal data. This right includes obtaining confirmation from the data controller as to whether personal data relating to them is being processed and, where this is the case, access to that personal data.
The Commissioner further noted that a data controller or processor is required to comply with a request for access within seven (7) days of the request being made. In this case, the Complainant exercised his right of access to his personal data, and the Respondent was therefore obliged to provide access to the requested information within the prescribed seven-day period.
6. When Granting Access, Implement Appropriate Measures to Safeguard Third-Party Personal Data
In Jeremy Obano v Kenya Airways Plc , the Respondent argued that releasing the recorded call to the Complainant would have infringed the data protection rights of a Customer Excellence Centre agent who had identified herself during the call.
The Data Commissioner found that telephone recordings often contain personal data relating to third parties and that this fact alone cannot justify a refusal to comply with a data access request.
Pursuant to section 41(1) of the Data Protection Act, the Commissioner held that the Respondent ought to have implemented appropriate safeguards, such as anonymisation or concealment of the Customer Excellence Centre agent’s personal data, to remove identifying information. These measures would have protected the agent’s privacy rights while still giving effect to the Complainant’s right of access.
7. Data Subjects have the right to Erasure of their Personal Data
In Andrew Alston v Liquid Telecommunications Kenya Limited, the Data Protection Commissioner held that the Complainant had exercised his right to erasure pursuant to section 40(1)(b) of the Data Protection Act.
While section 40(3) of the Act permits a data controller or processor to retain personal data for evidentiary purposes, this is conditional upon the controller or processor restricting the processing of the data and informing the data subject within a reasonable time.
The Commissioner found that the Respondent breached this obligation by failing to inform the Complainant, within a reasonable time, that his request for erasure had been declined. This was compounded by the fact that the Respondent continued to process the personal data for over one year after the recording was made.
