An ICO investigation has found that HMRC breached data protection laws by collecting more than five million ‘voiceprints’ without explicit consent.
In a statement accompanying its decision, the Information Commissioner’s Office indicated that HMRC had obtained the biometric data “unlawfully” and gave the tax authority 28 days to delete the records.
Responding to the decision, HMRC confirmed that it is committed to complying with GDPR and has begun deleting the information.
The issue stems from HMRC’s collection of 5.1 million biometric voiceprints from callers to a number of its helplines from January 2017 to October 2018.
Callers to the child benefit, tax credits, self assessment and national insurance helplines were asked to create a voice ID by repeating the phrase “my voice is my password” before being able to access services. However, the tax authority came under fire for not obtaining users’ explicit consent for storing their biometric data.
In June advocacy group Big Brother Watch filed an official complaint about the use of voice authentication for customer verification, and late last week the ICO ruled that HMRC was in breach of the General Data Protection Regulation (GDPR).
Following an investigation, the ICO found that HMRC failed to give callers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.
The ICO issued a preliminary enforcement notice to HMRC compelling the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent. Under GDPR rules, biometric data is considered special category information and is subject to stricter conditions.
In a letter to the department’s data protection officer from HMRC chief Jon Thompson, the tax authority confirmed it has already started to delete records where it does not hold explicit consent and will complete that work well before the ICO’s 5 June 2019 deadline.
“These [records] total around five million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent,” said Thompson.
He also confirmed that HMRC will continue to use the Voice ID service. In October 2018 HMRC introduced changes to comply with GDPR requirements, including obtaining callers’ explicit consent for their voice data to be stored.
An HMRC spokesperson told AccountingWEB: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.
“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”
‘Fundamental right to privacy’
In a statement to accompany the ICO decision, Steve Wood, Deputy Commissioner at the ICO, welcomed HMRC’s “prompt action to begin deleting personal data that it obtained unlawfully”.
“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service,” continued Wood. “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy.
“Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
In a statement Silkie Carlo, director of Big Brother Watch, said: "This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country.
"To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law."
What is Voice ID?
Voice ID technology is a form of biometric identification and authentication, as sensitive as a fingerprint. Voice recognition technology is used to extract and analyse unique voice patterns and rhythms to identify a person using just their voice, checking over 100 behavioural and physical vocal traits including the size and shape of your mouth, how fast you talk and how you emphasise words.
Biometric voice ID is not the same as Automatic Speech Recognition (ASR), which automatically identifies words spoken and is not necessarily unique to each person. A biometric voice ID is a voiceprint that is unique to each individual.
Source: Big Brother Watch