HMRC to wipe five million voice ID records after ICO intervention

delete icon on screen
istock_pashaignatov_aw
Share this content

An ICO investigation has found that HMRC breached data protection laws by collecting more than five million ‘voiceprints’ without explicit consent.

In a statement accompanying its decision, the Information Commissioner’s Office indicated that HMRC had obtained the biometric data “unlawfully” and gave the tax authority 28 days to delete the records.

Responding to the decision, HMRC confirmed that it is committed to complying with GDPR and has begun deleting the information.

Explicit consent

The issue stems from HMRC’s collection of 5.1 million biometric voiceprints from callers to a number of its helplines from January 2017 to October 2018.

Callers to the child benefit, tax credits, self assessment and national insurance helplines were asked to create a voice ID by repeating the phrase “my voice is my password” before being able to access services. However, the tax authority came under fire for not obtaining users’ explicit consent for storing their biometric data.

In June advocacy group Big Brother Watch filed an official complaint about the use of voice authentication for customer verification, and late last week the ICO ruled that HMRC was in breach of the General Data Protection Regulation (GDPR).

Following an investigation, the ICO found that HMRC failed to give callers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.

The ICO issued a preliminary enforcement notice to HMRC compelling the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent. Under GDPR rules, biometric data is considered special category information and is subject to stricter conditions.

In a letter to the department’s data protection officer from HMRC chief Jon Thompson, the tax authority confirmed it has already started to delete records where it does not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline.

“These [records] total around five million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent,” said Thompson.

He also confirmed that HMRC will continue to use the Voice ID service. In October 2018 HMRC introduced changes to comply with GDPR requirements, including obtaining callers’ explicit consent for their voice data to be stored.

An HMRC spokesperson told AccountingWEB: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.

“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”

‘Fundamental right to privacy’

In a statement to accompany the ICO decision Steve Wood, Deputy Commissioner at the ICO welcomed HMRC’s “prompt action to begin deleting personal data that it obtained unlawfully”.

“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service,” continued Wood. “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy.

“Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

In a statement Silkie Carlo, director of Big Brother Watch, said: "This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country.

"To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law."

What is Voice ID? Voice ID technology is a form of biometric identification and authentication, as sensitive as a fingerprint. Voice recognition technology is used to extract and analyse unique voice patterns and rhythms to identify a person using just their voice, checking over 100 behavioural and physical vocal traits including the size and shape of your mouth, how fast you talk and how you emphasise words.

Biometric voice ID is not the same as Automatic Speech Recognition (ASR), which automatically identifies words spoken and is not necessarily unique to each person. A biometric voice ID is a voiceprint that is unique to each individual.

Source: Big Brother Watch

About Tom Herbert

Tom is editor at AccountingWEB, responsible for all editorial content on the site. If you have a story that might interest us or wish to comment on the site's coverage get in touch via the site's private message function or Twitter DM (@AWebTom)

Replies

Please login or register to join the discussion.

avatar
08th May 2019 10:15

Has HMRC been fined for this breach of the law and if not why not?

Thanks (4)
08th May 2019 11:42

How stupid! My voice is my password but you can't keep a record of it! So what is the point of having it? It's as bad as a bag of peanuts saying it contains nuts! I suppose this legislation emanated from Brussels. It's hard enough getting through to HMRC at the best of times. Let's all go back to writing them letters. At least that will keep Royal Mail in business.

Thanks (3)
to tonyaustin
08th May 2019 15:57

Did you not read the article?

HMRC _can_ keep the records, when proper informed consent has been obtained. The ICO established this had not been done at the time these voiceprints were gathered, hence requiring their deletion.

Thanks (3)
avatar
By AAR
08th May 2019 11:43

Good point.

Thanks (0)