The HMRC has started deleting the voice biometric data of five million taxpayers collected unlawfully but say they still plan to continue using the system despite the controversy.
The UK’s Information Commissioner’s Office (ICO) has ruled the collection of voice biometric data from five million people by the UK’s tax authority is in violation of the EU’s General Data Protection Regulation (GDPR) and therefore the records must be deleted.
In a bid to speed up the much-criticised HMRC helpline, people were invited to use the voice recognition system, rather than the normal security checks.
The scheme, launched in 2017, asks callers to repeat the phrase “my voice is my password” to register.
But they failed to gain explicit consent from individuals before signing them up to the voice ID system for telephone enquiries. claiming users were “railroaded” into using it as they were not given the choice to opt out.
Breach of data laws
Privacy campaign group Big Brother Watch filed a formal complaint, and the ICO launched an investigation. ICO Deputy Commissioner Steve Wood criticised HMRC’s implementation and said that there had been a “significant” breach of data laws.
GDPR, which came into force last May, requires organisations to obtain explicit consent before they use biometric data to identify someone, including voice recordings.
HMRC were told by the ICO that it was not adhering to the data protection rules. In effect, it had automatically pushed people into the system without explicit consent.
The commissioner is issuing the first enforcement notice of its kind to HMRC, under GDPR rules, to ensure the data is deleted. As a result, no fine will be levied.
However, despite the deletions, the tax authority’s system will continue.
Sir Jon Thompson, HMRC chief executive, said: “I am satisfied that HMRC should continue to use voice ID.”
“It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster,” he said in a letter to HMRC’s data protection officer.
The tax authority changed the way it sought permission for voice ID in October. Some 1.5 million people have called HMRC since then, and said they wanted to continue using the service. Their records have been retained.
The ICO issued a preliminary enforcement notice to HMRC on 4 April 2019, stating the information commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
The ICO will issue its final enforcement notice this week, giving HMRC 28 days from the date of the notice to complete the deletion of all relevant records.
The UK Home Office is yet to carry out the deletion of face biometric images from its database as ordered by the High Court in 2012.