HMRC forced to delete 5m voice IDs in GDPR breach

taxHMRC might give taxpayers the heebeegeebees but the privacy watchdog has at least secured a victory for the millions of people who have felt aggrieved over its voice authentification system after ordering the taxman to delete all biometric data for which it does not have explicit consent.
An Information Commissioner’s Office investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct. The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017.
The ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of GDPR, under which biometric data is considered special category information and is subject to stricter conditions.
HMRC will keep about 1.5 million Voice IDs which are in use, but delete nearly 5 million where explicit consent was not received and where those people had never used the system since creating the ID.
The regulator issued a preliminary enforcement notice to HMRC on April 4, 2019 stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
The watchdog will issue its final enforcement notice next week, giving HMRC 28 days from that date to complete deletion of relevant records.
ICO deputy commissioner Steve Wood said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

Related stories
ICO reveals it has 10,000 data breach cases to probe
Have companies done enough to comply with GDPR?
Let battle commence: first GDPR complaints are filed
EU chief predicts first GDPR rulings before year-end

Print Friendly