Regulators found tax authority had given ‘little or no consideration’ to data protection when setting up its biometric service
HMRC has begun deleting the voice records of some five million users after reguators found a “significant” breach of data protection rules.
The Information Commissioner’s Office (ICO) has issued a preliminary enforcement notice to the tax authority and said it would issue its final notice next week, giving HMRC 28 days to complete its removal of the data.
HMRC said it anticipates completing the deletion “well before” the ICO’s 5 June deadline.
The Information Commissioner launched a probe into Voice ID following a complaint by Big Brother Watch, which claimed users were “railroaded” into using the system.
Voice ID allows speedier access to HMRC’s telephone helpline by matching the user’s voice to a sample that’s held on file.
To set the system up, users repeat the phrase: “My voice is my password”.
A 2017 investigation by the BBC found that such systems, which are used by banks and other organisations, can be tricked by twins.
Child Benefit, Tax Credits, Help to Save, Self-Assessment, Taxes and National Insurance are using Voice ID.
Under GDPR data protection rules that came into force last May, biometric data, including voice samples, come under special rules and organisations require explicit consent to collect and use them.
The ICO said HMRC appeared to have given “little or no consideration” to data protection law when setting up Voice ID, and hadn’t given users enough information about how their data would be processed.
“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service,” the ICO said.
HMRC changed the way it obtains consent in October and said that since then, 1.5 million users have said they wish to continue using Voice ID.
It said it would delete the data of the remaining 5 million who either haven’t used the service since October or haven’t said they want to use Voice ID.
Those whose data is deleted can still reapply to use the Voice ID service, HMRC said.
“We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018,” an HMRC spokesman said.
“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”
Big Brother Watch said the deletion was a “massive success” for privacy.
“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database,” said the group’s director, Silkie Carlo.
“This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”