HMRC issued with enforcement notice following GDPR violation
Released 14 May 2019
HMRC has been ordered to delete voice recognition data after contravening the General Data Protection Regulation (GDPR).
Following a complaint from the privacy watchdog, Big Brother Watch, the Information Commissioner’s Officer (ICO) conducted an investigation into HMRC for failing to gain explicit consent from individuals about their biometric data. The ICO reported that there had been a “significant breach” of data protection laws after concluding that HMRC did not have adequate consent from its customers. The ICO have ordered HMRC, via an enforcement notice, to delete any data it continues to hold without consent.
The Commissioner highlighted the scale of the data collection and that “HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers…..It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.”
For more information, see HMRC handed an enforcement notice following GDPR violation.