HMRC’s voice ID privacy notice comes under the GDPR lens
HMRC has issued a privacy notice to accompany its voice identification scheme, following accusations from privacy campaigners that the tax authority had breached data protection laws by collecting more than five million ‘voiceprints’ without explicit consent.
However, a leading employment law expert has described the notice as unclear and questioned HMRC’s legitimacy for continuing to hold taxpayers’ biometric data under the system.
The voice ID scheme was launched in January 2017, and taxpayers can use it to access PAYE, national insurance, child benefit, tax credits and self assessment services. Earlier this year HMRC revealed that so far it has taken 5.1 million taxpayers’ biometric voiceprints.
The tax authority has come under fire for potentially breaching GDPR guidelines and not obtaining users’ explicit consent for storing their biometric data. According to an HMRC spokesperson, the department collected voiceprints on the basis of “the implied consent of the customer,” although a process of obtaining explicit consent is currently being established.
Callers to the helplines where voice ID is used are asked if they want to register for the scheme. If they do, they are then required to create a voice ID by repeating the phrase “my voice is my password,” which is then used by HMRC to create a biometric ‘voiceprint’.
According to the privacy notice, if the caller does not consent they can continue to answer security questions to access their HMRC account. When privacy campaigners investigated this option back in June, they found the only way to avoid creating a voice ID was to say ‘no’ to the system three times, but this has since been changed to allow callers to remain silent and enter their security details.
Article 4(11) of GDPR states consent must be freely given, specific, informed and unambiguous, and campaigners argue that the current system does not go far enough to inform users that their biometric data is being stored.
The notice states that HMRC will keep voice ID data for six years from the date it was last used unless consent is withdrawn or the system is replaced.
“HMRC will encrypt data and store it in a UK data centre where the tax authority is the data controller,” the notice continues, “and it will never share this information with anyone outside HMRC.”
An HMRC spokesperson told AccountingWEB that the data used in its voice ID system is only used for voice identification. Users of the service can ask for a copy of their voice recording by raising a subject access request.
One of the main criticisms levelled at the current voice ID process was the inability to opt out in a quick and efficient manner, with one caller from campaign group Big Brother Watch spending 35 minutes on the phone to HMRC trying to delete their data.
Article 7(3) of the GDPR rules states the data subject shall have the right to withdraw consent at any time, and goes on to say it shall be as easy to withdraw as to give consent.
The privacy notice clarifies that those who wish can call any of the HMRC services that use voice identification to either withdraw consent or ask for their data to be deleted, or to re-record their voice ID data (although in order to withdraw consent a caller will need to first pass the voice ID scan).
A call placed by AccountingWEB to the self assessment helpline at the time of writing found that the automated system now informed the caller that they could ask an operative to remove their data from the system (once the caller had got through).
Small and belated step in the right direction
Employment law specialist Annabel Kaye described the notice as a “small and belated step in the right direction,” but continued that “in the absence of clear consent and a simple way to withdraw it, the voice IDs collected before this are not being lawfully held.”
Kaye, who is director of employment law firm Irenicon, also questioned the timing of the privacy notice release. “Preferably they should have released it when they started gathering the data,” Kaye told AccountingWEB, “or at the very least they should have released it in May when they went through their GDPR compliance audit and worked out they hadn’t got one.
“I love the idea of more accessible government services,” said Kaye, “but they’ve got their attitude to compliance all wrong. I’ve every sympathy for a micro business struggling with GDPR, but as a government department collecting data on that scale HMRC is, they shouldn’t have to be told to do this.”
What could happen next?
The ICO has confirmed that it is currently investigating following a complaint from campaign group Big Brother Watch. However, even if HMRC is found to have breached GDPR rules any action taken is likely to be minor.
“In theory, the ICO can issue an order for HMRC to destroy the data, and it would be interesting to see ICO and HMRC head-to-head, but this is not going to happen,” Kaye said. “Amongst many other things, the ICO has said it’s an advisory year so if anything happens fines are more likely, but this would be a waste of taxpayers’ money.”
“The best thing to do would be to start over with the data and design a system that’s legitimate and fully GDPR-compliant,” continued Kaye. “They’re supposed to set the bar, not be below it.”
An HMRC spokesperson told AccountingWEB that the department is working with the ICO to address the concerns expressed about voice ID.
“Our VoiceID system is very popular with customers as it gives a quick and secure route into our systems,” they said. “Our customers’ data, including for VoiceID, is stored securely.”
*10 Aug: This article was updated to include comments from HMRC*