A recent ruling by the Office of the Data Protection Commissioner (ODPC) has shown that even an internal human resource consultation call can spiral into legal liability if consent, transparency and clear purpose are ignored.

In the case of Andrew Alston against his employer Liquid Telecommunications Kenya Ltd, a single recorded call ultimately resulted in a KSh700,000 compensation order and an enforcement notice against the company.

The dispute arose from a virtual HR consultation call linked to an employee’s exit discussions.

According to the complainant, he expressly declined consent to the recording and was assured it would be deleted.

Instead, the audio was retained and later surfaced in separate arbitration proceedings involving a related company.

For regulators, that sequence of events triggered multiple red flags — not just about consent, but about how long data was kept, who accessed it, and why it was used beyond its original context.

One of the most striking findings from the ODPC was the classification of a voice recording as biometric personal data.

In simple terms, your voice is considered an identifying feature, just like a fingerprint or facial image.

That means recording a conversation is not a harmless administrative act; it is the collection of protected personal data.

The determination highlights three common pitfalls that can quickly turn an ordinary recording into a compliance nightmare:

1. Assuming a Beep Equals Consent
Automated “this call may be recorded” notices are not enough. The regulator found that organisations must clearly explain why data is being recorded, who might receive it, and how it will be protected.

2. Stretching the Purpose Later
Recording a meeting for “internal reference” and later using it for litigation or sharing it with affiliates breaches the principle of purpose limitation, a core rule that data should only be used for the reason it was first collected.

3. Ignoring Deletion Requests
When a person asks for their data to be erased, the law requires prompt action or formal notification if deletion is refused for legal reasons. Silence or delay can amount to a violation on its own.

The company argued that keeping the recording served a “legitimate interest” in case of future disputes.

The ODPC disagreed, finding that less intrusive alternatives, such as written minutes, could have achieved the same goal without retaining sensitive biometric data.

The lesson is stark: “just in case” is not a lawful basis on its own.
Without necessity and proportionality, that precaution can morph into unlawful processing.

Beyond the financial penalty, the enforcement notice signals that regulators are increasingly willing to scrutinize everyday corporate practices, especially in multinational structures where data may move across borders between affiliated companies.

For employers, HR teams, and managers, the message is clear: recording workplace conversations is no longer a casual administrative decision.

It is a regulated activity with legal consequences if mishandled.

In an era of virtual meetings and remote work, the record button can feel harmless.

But as this ruling demonstrates, a few seconds of audio can carry months of legal exposure.and a six-figure price tag.

The post How Recording a “Simple” HR Call Could Land You in KSh700,000 Trouble appeared first on Insider Bits News.