HMRC accused of voice ID data protection breaches

Privacy campaigners have accused HMRC of breaching data protection laws by collecting more than five million ‘voiceprints’ without explicit consent.

The Information Commissioner’s Office (ICO) is investigating a complaint made by advocacy group Big Brother Watch against HMRC after the tax authority used an ‘implied consent’ model to collect voice identification information on taxpayers.

Responding to Freedom of Information Requests from Big Brother Watch, HMRC revealed that since it launched the Voice ID scheme in January 2017 it has taken 5.1 million taxpayers’ biometric voiceprints. These voice recordings are from those who called the tax credits and self assessment helplines.

After responding to initial account verification questions, callers to the helplines are asked to create a voice ID by repeating the phrase “my voice is my password” before being able to access services. The data is then used to create a ‘voiceprint’ that can identify them in the future.

Concerns over the service and other aspects of HMRC's 'data harvesting' were raised back in March in Wendy Bradley's piece for AccountingWEB on the tax authority going beyond its remit in demanding more information than the law requires taxpayers to submit.

The department said it collected these voiceprints “on the basis of the implied consent of the customer,” although a process of explicit consent is currently being established, and the data is held to the “highest government and industry standards for security”.

What is Voice ID? 

Voice ID technology is a form of biometric identification and authentication, as sensitive as a fingerprint. Voice recognition technology is used to extract and analyse unique voice patterns and rhythms to identify a person using just their voice, checking over 100 behavioural and physical vocal traits including the size and shape of your mouth, how fast you talk and how you emphasise words.

Biometric voice ID is not the same as Automatic Speech Recognition (ASR), which automatically identifies words spoken and is not necessarily unique to each person. A biometric voice ID is a voiceprint that is unique to each individual.

Source: Big Brother Watch

Opting out and deletion

Callers are able to access services without using voice ID, but HMRC admits to “encouraging customers who call to take advantage of the Voice ID service”. The department states that taxpayers can “choose to opt-out and continue to use HMRC’s services in the usual way if they prefer.”

But Big Brother Watch claims this is misleading. In a statement on its website, the group said that on calling HMRC’s self assessment helpline they were met with an automated system that “demanded that we create a voice ID by repeating the phrase ‘my voice is my password’.

“Far from ‘encouraging’ customers,” continued the statement, “HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a government database.”

The group found that the only way to avoid creating a voice ID is to say ‘no’ to the system three times before the system states that it will create your voice ID ‘next time’.

Responding to the claims, an HMRC spokesperson said: “if a customer wishes to opt out of Voice ID, they tell an advisor that they wish to opt out and whether they would like their voiceprint to be deleted”.

However, when a representative from Big Brother Watch called to delete a voice ID, they claimed that HMRC does not have an accessible process to do so.

During a call to HMRC to remove the data, the automated system did not recognise ‘removal of Voice ID’ as a valid call reason, prompting a 15-minute wait to be connected.

When connected to an advisor, a transcript of the 35-minute call revealed that although the caller was able to opt out of using voice ID on the system, it was not possible for the HMRC representative to completely remove the caller’s biometric data from the system altogether, and the caller would have to complete an HMRC subject access request.

Is the scheme GDPR-compliant?

The General Data Protection Regulation (GDPR) came into force across Europe on 25 May this year and requires organisations to obtain explicit consent before they use biometric data to identify someone, including voice recordings.

Big Brother Watch claims that because voiceprints are such sensitive data, and voice IDs are not necessary for dealing with tax issues, HMRC must obtain the explicit consent of each taxpayer to enrol them in the scheme under Article 9 of GDPR or delete the records.

According to ICO guidelines, consent means “offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

‘Biometric ID cards through the back door’

Silkie Carlo, director of Big Brother Watch, called for the deletion of the five million voiceprints. “Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing,” she said and added that HMRC was “building big brother Britain by imposing biometric ID cards on the public by the back door.

“These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives.”

Responding to the claims, an HMRC spokesperson said: “Our voice ID system is very popular with customers, as it gives a quick and secure route into our systems. The voice ID data storage meets the highest government and industry standards for security.”

HMRC sources also told the BBC that identifying details were stored separately from voice recordings.

An ICO spokesperson said: “We have received a complaint about HMRC’s voice ID scheme and will be making enquiries.”

Pat Walshe, director of a separate group, Privacy Matters, stated that the scheme was “failing to meet basic data protection principles,” and it was possible that the ICO could issue a notice requiring its temporary suspension.

*29 June 2018 - This article was amended to include a reference to a previous AccountingWEB piece on the subject*

About Tom Herbert

Tom is editor at AccountingWEB, responsible for all editorial content on the site. If you have any comments or suggestions for us get in touch.

Replies

By ralan
02nd Jul 2018 10:32

HMRC are just a set of bullies by the sound of this.
It is just as bad as having to give them a mobile/landline number to have them send a pin number to be able to access the Government Gateway.
They have too much information already and we know how rubbish their IT systems are so security on them will be just as bad I expect.
Proper checks on software should be taken before implementation is what we tell clients except HMRC don't seem capable of this. RTI is a good example where payments just get allocated willy nilly and they expect us to sort the problems out!!!!!!!!!!

Thanks (3)
By rbw
02nd Jul 2018 14:24

Successive governments have wanted HMRC (and its predecessors) to be more businesslike. So it seems to me HMRC may just have done what many businesses do on such matters (including on tax matters): decide it's cheaper to pay the fine and fix the non-compliance *if* caught than to build a system that is guaranteed to be fully compliant in every respect from the outset.

Thanks (2)
02nd Jul 2018 11:43

I am horrified to read this and certainly wouldn't want my voice print to be saved. They MUST make it clear that it is voluntary, otherwise I suspect that many people would feel obliged to do it.

Thanks (1)
02nd Jul 2018 11:50

This is just as bad as the "Verify" system which is needed for a DBS check. AND who requires that all accountants have a DBS check for AML purposes - HM Treasury. Talk about Big Brother.

Thanks (1)
02nd Jul 2018 15:46

I was particularly taken with the phrase: "and the data is held to the “highest government and industry standards for security”."

I have twice received personal information from HMRC in recent days relating to people I no longer act for. In one case I haven't acted for many years. This is not uncommon and I have on occasion received information relating to people I've never even heard of. It appears government standards are not that high.

Thanks (1)
02nd Jul 2018 16:09

I don't like having to be deemed/forced to agree to various terms and policies in order to comply with the tax legislation.

What if I genuinely disagree with the policy? How do I then comply with the tax law and reporting requirements that I am trying to follow?

As people are saying, being forced to hand over mobile numbers etc and now voiceprints is not right - neither is effectively being forced to agree to T&Cs.

I'd love to see a case one day where the terms are ruled unenforceable as the taxpayer was effectively forced to 'accept' them.

I don't think it's helpful to always be nitpicking at exactly how things get done - I'm all for getting things done with the minimum of fuss - but when HMRC are severely overstepping the mark of what is necessary/reasonable/a good idea and for their own ends - that's an issue for me.

Thanks (2)
02nd Jul 2018 19:51

Wouldn't it be lovely if instead of having to go through all the tedious, timewasting identity verification stuff, we could get straight down to business because our voice had been recognised and automatically verified by the equipment at the other end?

Thanks (0)
04th Jul 2018 20:50

I called a revenue office today and went through the voice ID password experience. It really is pushy. I remained silent whilst it asked three times for me to comply.

I do not consent and yes, it certainly feels like the government having no regard for GDPR.

Thanks (1)