HMRC has been given 28 days to delete an estimated five million taxpayer biometric ‘voice prints’ obtained from callers to its helplines, after an investigation by the Information Commissioner’s Office (ICO) found they were being held illegally in contravention of data protection rules.
The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines, including those for child benefit, tax credits, self assessment and national insurance, over the period January 2017 to October 2018.
Callers were asked to create a voice ID by repeating the phrase ‘my voice is my password’, but the ICO found that HMRC failed to give taxpayers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of the General Data Protection Regulation (GDPR).
The ICO issued a preliminary enforcement notice to HMRC on April 4, and has now given the department 28 days to complete deletion of relevant records.
Steve Wood, deputy commissioner at the ICO, said: ‘We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its voice ID service.
‘Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used.’
The ICO’s investigation was carried out under the GDPR, which treats biometric data as special category information subject to stricter conditions. The move was prompted by a complaint from lobby group Big Brother Watch about the department’s conduct.
Silkie Carlo, director of Big Brother Watch, said: ‘To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database.
‘This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.’
Earlier this month HMRC CEO Jon Thompson wrote to the department’s data protection officer about the ICO’s action, confirming that HMRC will only retain voice ID enrolments where it holds explicit consent.
Thompson said: ‘As you know, this is currently around 1.5m customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.
‘I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline.
‘These total around 5m customers who enrolled in the voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent.’