HMRC has begun deleting more than five million voice ID records after the Information Commissioner’s Office (ICO) found that the data had been unlawfully obtained.
HMRC has used voice authentication for customer verification on some of its helplines since January 2017. However, an ICO investigation, prompted by a complaint from campaigning organisation Big Brother Watch, found that HMRC failed to give customers sufficient information about how their biometric data would be processed, and failed to offer the chance to give or withhold consent.
“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its voice ID service,” commented Steve Wood, Deputy Commissioner at the ICO.
By failing to give customers sufficient information about how the data would be used and not gaining the required consent, HMRC breached General Data Protection Regulations (GDPR). The ICO issued a preliminary enforcement notice to HMRC on April 4, 2019. It stated that HMRC should delete all biometric data held under the voice ID system for which it does not have explicit consent.
In a letter from Sir Jonathan Thompson, Chief Executive and Permanent Secretary of HMRC, to Chris Franklin, HMRC’s Data Protection Officer, it was confirmed that customers who were enrolled in the voice ID service before October 2018, and have not since used the service to confirm their consent, will have their records deleted.
“I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline,” wrote Thompson.
“I have confirmed that HMRC will only retain voice ID enrolments where we hold explicit consent. As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.”
Steve Wood of the ICO welcome HMRC’s prompt action and added that, although innovative digital services help make our lives easier, they must not be at the expense of people’s fundamental right to privacy.
