This article looks at the legal issues surrounding telephone call recordings and data protection in the context of the inception of credit hire agreements.
In particular, it will consider two recently reported appeal decisions (Roberts v Haven [2021] 12 WLUK 603 & Forster v RSA [2022] 5 WLUK 614) that both deal with the concept of ‘personal data’ in the prism of data protection law.
The Problem
The phrase ‘google ad spoofing’ has been coined to cover the situation when somebody carries out an internet search for an entity, such as their insurance company, and is then presented with the first ‘hit’ on their search with a company that appears to be their insurance company, when in fact it is not.
Such searches are often done by the roadside following a road traffic accident when, for obvious reasons, the insured will be stressed and prone to influence. What can then happen is that the ‘spoofer’ is able to manufacture a situation in which the insured is then signed up to a very expensive credit hire agreement when all they wanted was to inform their insurers about the accident, have their vehicle recovered and obtain a free courtesy car.
By the time the insured realises the situation months, if not years, have elapsed and the insured, understandably, is unable to recall what was said in that initial roadside call.
The credit hire provider will often pursue the at fault insurer for the full amount of credit hire charges. A defence open to the at fault insurer is one of misrepresentation. That is to say, if there was a misrepresentation by the credit hire provider (such as the vehicle they were providing was a courtesy vehicle, not a credit hire vehicle) then the agreement is voidable meaning it can be later declared void.
In order to be able to properly ascertain and put such an argument, the telephone call recordings are required. There is often some reluctance by the credit hire provider and, ostensibly, the insured; with arguments of control and relevancy often deployed to avoid disclosing the recordings. The parties and the court are therefore unable to properly consider whether there has been any misrepresentation.
The cases of Roberts and Forster put to bed the notion that the call recordings are not disclosable. The legal principles deriving from these decisions can be analysed as follows.
The Civil Procedure Rules
CPR 31.8 is the relevant procedural rule to consider on an application for disclosure of call recordings. It provides as follows:
- A party’s duty to disclose documents is limited to documents which are or have been in his control.
- For the purposes of that rule, a party has or had a document in his control if …
(b) he has or has had a right to possession of it
(c) or has or has had a right to inspect or take copies of it
HHJ Godsmark KC in Roberts, at paragraphs 12-13, found as follows:
12. What Mr Roberts was entitled to pursuant to a subject access request would be his personal data, therefore, his personal data within the purview of CPR 31.8. The question is are the audio recordings personal data? Under section 3 of the Data Protection Act 2018, personal data means any information relating to an identified or identifiable living individual.
13. It is not the recording which is personal data, it is the information contained therein which is the personal data. So the recordings themselves are not personal data and it is not Mr Roberts’ entitlement to obtain the recordings. What he is entitled to is the personal data within those recordings. (emphasis added)
The Data Protection Act
Section 45 of the Act states the following:
1. A data subject is entitled to obtain from the controller –
(a) confirmation as to whether or not personal data concerning him is being processed, and
(b) where that is the case, access to the personal data and the information set out in subsection (2).
2. That information is –
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned; ….
Section 3 of the Act defines personal data as follows:
2. ‘Personal data’ means any information relating to an individual or identifiable living individual …
4.‘Processing’, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(a) collection, recording, organisation, structuring or storage, …
Article 12 of the GDPR states:
- The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing of the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
The guidance from the ICO also states:
What is the meaning of ‘relates to’?
- Information must ‘relate to’ the identifiable individual to be personal data.
- This means that it does more than simply identify them – it must concern the individual in some way.
- To decide whether or not data relates to an individual, you may need to consider:
- The content of the data – is it directly about the individual or their activities?;
- The purpose you will process the data for; and
- The results of the effects on the individual from processing the data
The Court of Appeal gave some guidance in respect of the DPA in the cases of Durant v Financial Services Authority [2003] EWCA Civ 1746 and Ittihadieh v Cheyne Gardens [2018] QB. In the latter, Lewison LJ stated the following:
63. The questions of what amounts to ‘personal data’ has also been considered in a number of domestic cases. The first of significance is Durant …The leading judgment was that of Auld LJ … At para 27, he referred to the purpose of section 7 as being to enable a data subject to check whether the data controller’s processing of his personal data unlawfully infringes his privacy … ‘mere mention of the data subject in a document held by the data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a lift event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person…’
65. Edem … was another case…They had applied the two ‘notions’ which Auld LJ had described … but Moses LJ held that they were wrong to do so, adding: ‘There is no reasons to do so. The information in this case was plainly concerned with those three individuals’. He also approved … the following statement from the Information Commissioner’s …
‘It is important to remember that it is not always necessary to consider ‘biographical significance’ to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual. Alternatively, data may be personal data because it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider ‘biographical significance’ only where information is not ‘obviously about’ an individual or ‘clearly linked to’ him.
66. Beatson and Underhill LJ agreed. I do not see any conflict between those two cases.
In the case of Roberts HHJ Godsmark KC considered the case of Durant in the context of an application for call recordings and upheld the decision of DJ Davies (with a slight amendment) such that Mr Roberts was ordered to disclose his personal data contained on the call recordings held by the credit hire provider.
A telephone call recording of a conversation between a claimant and a credit hire provider clearly contains that claimant’s personal data by reason of the following:
(i) It is likely to include their name and address.
(ii) It is likely to include the circumstances of their index accident.
(iii) It is likely to include details of the actual credit hire vehicle that claimant will be provided with and will personally use.
(iv) It is likely to include the broad terms of the credit hire agreement.
(v) It is likely to (or should) include details as to their financial circumstances regarding whether they are impecunious such that they need credit.
HHJ Freeman in Forster, whilst ultimately finding, at paragraph 51, that
…the subject matter of the recording was a road traffic accident which was personal to the appellant and is likely to contain personal details covered by the Data Protection Act
Had suggested at paragraph 42 that:
If it be the case that the conversation focused purely on the hire of a vehicle, the type of vehicle, the duration of hire and the cost of the vehicle, then, as it seems to me, the recording would not fit into either category identified by Auld LJ in Durant. Specifically, the information could not be described as biographical; nor could it be said that the information had the putative subject (“the appellant”) as its focus.
Whilst it is respectfully suggested this is wrong, he did qualify this later at paragraph 45 by stating:
Moreover, and given the nature of the transaction, it seems to be to be highly probable that there would have been a discussion about the appellant’s financial means … He may well have mentioned what, if any, job he held and how much he earned. This is likely to have triggered a discussion about credit hire arrangements … as soon as an identified person imparts information about their financial position, it seems to be to be beyond argument that that is ‘personal data’…
Other Points
The concepts of void/voidable; affirmation and restitution are all other arguments deployed on behalf of the credit hire provider to avoid disclosing the call recordings. As acknowledged in Roberts and Forster – these are arguments for Trial, not at a procedural application for disclosure.
Two final arguments, wrong party and proportionality, were also dealt with in Roberts: a party is free to choose who to make an application against. So far as proportionality is concerned, there should be very minimal cost to a claimant in requesting the digital call recordings via a simple subject access request. Indeed section 52(5) of the said Act requires this should be free of charge and section 54 that there should be a response within 1 month.
Conclusion
The cases of Roberts and Forster are a welcomed clarification of the law surrounding data protection and call recordings.
What they show is that personal data will be included in a telephone call between a claimant and the credit hire provider and it is disclosable by the claimant ie it is within the claimant’s control as they have a right to it via a subject access request.
This is more than just their name and address, but, instead, concerns the inception of their hire agreement and their financial status for needing credit. It is only then that the parties and the court can properly and fully consider whether there has been a misrepresentation by the credit hire provider and whether the credit hire agreements should be declared void.
There is also a public policy element to this: google ad spoofing and misrepresenting a credit hire vehicle for a courtesy vehicle should be discouraged and prevented. The primary and contemporaneous source for this is the call recording.
Contact related clerks:
