ICO says HMRC breached GDPR by collecting biometric voiceprints

The Information Commissioner's Office (ICO) has found HMRC guilty of violating GDPR by collecting biometric voiceprints of over five million taxpayers without their express consent, and has directed HMRC to "delete all biometric data held under the Voice ID system" at the earliest opportunity.

In June last year, privacy campaign group Big Brother Watch alleged that HMRC had collected biometric voiceprints, which are unique to each individual and are used to authenticate callers, from over five million taxpayers without their express consent. The group also alleged that HMRC shared the voiceprints with other government departments and services such as tax credits, self-assessments, pay as you earn, child benefits and National Insurance.


HMRC's Voice ID system forced citizens to provide voice samples

Big Brother Watch said that HMRC's automated system forced callers to provide a sample of their voice by repeatedly asking them to say "My voice is my password" without giving them an option to decline.

"Upon calling HMRC’s self-assessment helpline we were met with an automated system. After the account verification questions, the system demanded that we create a voice ID by repeating the phrase “my voice is my password”.

"Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database. In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”," the group said.

"HMRC has in fact railroaded taxpayers into this unprecedented ID scheme. On our analysis, that means HMRC must now delete this giant biometric database. We have registered a formal complaint with the ICO, which is now investigating," it added.

ICO directs HMRC to delete all biometric data obtained without consent

Last Friday, the ICO announced that it had found HMRC guilty of breaching GDPR by collecting biometric voiceprints of taxpayers without obtaining their express consent, and directed HMRC to "delete all biometric data held under the Voice ID system" at the earliest opportunity.

HMRC was served a preliminary enforcement notice by the ICO on April 4. If it fails to delete all biometric data held under the Voice ID system, it will be served a final enforcement notice 28 days from that date to complete deletion of relevant records.

"We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service," said Steve Wood, Deputy Commissioner at the ICO.

"Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public," he added.
