HMRC’s voice ID privacy notice comes under the GDPR lens


HMRC has issued a privacy notice to accompany its voice identification scheme, following accusations from privacy campaigners that the tax authority had breached data protection laws by collecting more than five million ‘voiceprints’ without explicit consent.

However, a leading employment law expert has described the notice as unclear and questioned HMRC’s legitimacy for continuing to hold taxpayers’ biometric data under the system.

Consent models

The voice ID scheme was launched in January 2017, and taxpayers can use it to access PAYE, national insurance, child benefit, tax credits and self assessment services. Earlier this year HMRC revealed that so far it has taken 5.1 million taxpayers’ biometric voiceprints.

The tax authority has come under fire for potentially breaching GDPR guidelines and not obtaining users’ explicit consent for storing their biometric data. According to an HMRC spokesperson, the department collected voiceprints on the basis of “the implied consent of the customer,” although a process of obtaining explicit consent is currently being established.

Callers to the helplines where voice ID is used are asked if they want to register for the scheme. If they do, they are then required to create a voice ID by repeating the phrase “my voice is my password,” which is then used by HMRC to create a biometric ‘voiceprint’.

According to the privacy notice, if the caller does not consent they can continue to answer security questions to access their HMRC account. When privacy campaigners investigated this option back in June, they found the only way to avoid creating a voice ID is to say ‘no’ to the system three times, but this has since been changed to allow callers to remain silent and enter their security details.

Article 4(11) of GDPR states consent must be freely given, specific, informed and unambiguous, and campaigners argue that the current system does not go far enough to inform users that their biometric data is being stored.

The notice states that HMRC will keep voice ID data for six years from the date it was last used unless consent is withdrawn or the system is replaced.

“HMRC will encrypt data and store it in a UK data centre where the tax authority is the data controller,” the notice continues, “and it will never share this information with anyone outside HMRC.”

An HMRC spokesperson told AccountingWEB that the data used in its voice ID system is only used for voice identification. Users of the service can ask for a copy of their voice recording by raising a subject access request.

Withdrawal process

One of the main criticisms levelled at the current voice ID process was the inability to opt out in a quick and efficient manner, with one caller from campaign group Big Brother Watch spending 35 minutes on the phone to HMRC trying to delete their data.

Article 7(3) of the GDPR rules states the data subject shall have the right to withdraw consent at any time, and goes on to say it shall be as easy to withdraw as to give consent.

The privacy notice clarifies that those who wish can call any of the HMRC services that use voice identification to either withdraw consent or ask for their data to be deleted, or to re-record their voice ID data (although in order to withdraw consent a caller will need to first pass the voice ID scan).

A call placed to the self assessment helpline by AccountingWEB at the time of writing found that the automated system now informed the caller that they could ask an operative to remove their data from the system (once the caller had got through).

Small and belated step in the right direction

Employment law specialist Annabel Kaye described the notice as a “small and belated step in the right direction,” but continued that “in the absence of clear consent and a simple way to withdraw it, the voice IDs collected before this are not being lawfully held.”

Kaye, who is director of employment law firm Irenicon, also questioned the timing of the privacy notice release. “Preferably they should have released it when they started gathering the data,” Kaye told AccountingWEB, “or at the very least they should have released it in May when they went through their GDPR compliance audit and worked out they hadn’t got one.

“I love the idea of more accessible government services,” said Kaye, “but they’ve got their attitude to compliance all wrong. I’ve every sympathy for a micro business struggling with GDPR, but as a government department collecting data on that scale HMRC is, they shouldn't have to be told to do this.”

What could happen next?

The ICO has confirmed that it is currently investigating following a complaint from campaign group Big Brother Watch. However, even if HMRC is found to have breached GDPR rules any action taken is likely to be minor.

“In theory, the ICO can issue an order for HMRC to destroy the data, and it would be interesting to see ICO and HMRC head-to-head, but this is not going to happen,” Kaye said. “Amongst many other things, the ICO has said it’s an advisory year so if anything happens fines are more likely, but this would be a waste of taxpayers’ money.”

“The best thing to do would be to start over with the data and design a system that’s legitimate and fully GDPR-compliant,” continued Kaye. “They’re supposed to set the bar, not be below it.”

An HMRC spokesperson told AccountingWEB that the department is working with the ICO to address the concerns expressed about voice ID.

“Our VoiceID system is very popular with customers as it gives a quick and secure route into our systems,” they said. “Our customers’ data, including for VoiceID, is stored securely.”

*10 Aug: This article was updated to include comments from HMRC*

About Tom Herbert

Tom is editor at AccountingWEB, responsible for all editorial content on the site. If you have any comments or suggestions for us get in touch.

Replies

By tedbuck
10th Aug 2018 10:26

If there were three personas whom I wouldn't trust with my personal data HMRC would be one. The number of errors they make is substantial and with their desire for more and more information to close the tax gap I wouldn't believe anything they say. I am thinking of going back to paying with cash so that they cannot data mine my credit card. Big Brother isn't coming - it is here already - we just aren't aware of it. When HMRC gets hold of all the information held by internet companies which they will in due course they will know more about us than we do ourselves. Yes I am a bit paranoid but everyone wants to collect data on me and it's for their benefit not mine so I always say no wherever I can and, as I am sure you all will have found, no is not always an acceptable answer.

Thanks (2)
to tedbuck
14th Aug 2018 09:49

Indeed. I just could not believe on my January call an organisation so big had not sought advice from specialist data protection solicitors.

My sister drives to a building society and gets out a cheque for her tax and posts it to them as she does not use things like internet banking, does not have a smart phone etc. We certainly need to hold on to a variety of methods of payment to ensure they are preserved for those who need them or want them.

I use cash at petrol stations and in food shops out of choice (I've no income or cash to hide as I am paid by everyone on line) but I want cash to be preserved and I don't think it's anyone's business if I fill up at a certain garage on a certain day although I have not gone to the lengths of face covering to avoid the CCTV!

Thanks (0)
10th Aug 2018 13:18

The article says that when callers phone HMRC they are given the option to use 'my voice is my password'. When I last phoned there was no option - you had to do it or remain silent whilst the machine tried to record your voice. That was one of the main complaints. In contrast when I phoned HSBC recently I was given the option: press 1 to set it up or 2 to bypass it.

Thanks (1)
to kevinringer
14th Aug 2018 09:45

Exactly. It was the same for me. It did not even say if you stay silent you can continue the call. That is where they breached the law and could be subject to an up to £500,000 fine under the previous data legislation.

Thanks (0)
14th Aug 2018 09:44

In January I called HMRC with a question on my self assessment form. I had to wait at least 30 minutes going through various automatic messages until I was appalled to be told by an automated voice that if I wanted to continue to call I had to record my voice data for future recognition use. I could not believe what I was hearing as it was a clear breach of the then Data Protection Act 1998 not to give an opt out and HMRC are a big organisation that ought to know that. I was determined not to let them take my voice but I ran a huge risk I would then not be able to proceed with the call and have lost 30 minutes of my working day which you can be sure HMRC would not be paying for. I waited. It kept asking me again and again for my voice sentence and never once gave me an opt out option.
It then did let me continue without recording or so I hoped and the call continued. I was so appalled by this breach of the law I remember posting on the FT website about it at the time. I cannot remember if I also emailed the ICO.
Last week I made a data access request to HMRC - the first I have ever made - to ask if they would check the call (I had the number and time of the call) and they complied very quickly and said my voice data had not been recorded. However about 5m people not knowing there was a legal right to opt out or that they should only have actively to opt in will have had their voice data taken without consent.

I then read the new privacy notice about this from HMRC when it came out and I am afraid I agree with the lady quoted - it is not clear enough under the new data rules - GDPR etc - I had quite a few questions on it and I will not be calling HMRC any time soon if I can possibly help it.

Thanks (0)