ICO Declares HMRC Voice Recordings to be ‘Unlawfully Obtained’

Her Majesty’s Revenue and Customs (HMRC) has agreed to delete more than five million voice recordings after the UK Information Commissioner’s Office (ICO) declared the data had been unlawfully obtained.

HMRC collected the recordings for use in a voice authentication service introduced in 2017. Callers were asked to repeat the phrase ‘my voice is my password’, which HMRC would then use to authenticate the identity of callers wishing to access their information. Nearly 7 million individuals registered with the service.

Big Brother Watch, a non-profit, non-party British civil liberties and privacy campaigning organisation, informed the ICO of its concerns surrounding caller privacy following the introduction of the Voice ID service.

The ICO investigated HMRC’s use of Voice ID. The investigators discovered that callers were advised there was a ‘quicker and more secure’ way of verifying their ID over the phone by using voice identification.

However, HMRC failed to inform callers about how the data would be processed or that they could opt out of the service.

Due to these failings, the ICO ruled that HMRC’s use of Voice ID was in breach of the EU’s General Data Protection Regulation.

The ICO website said: “In short, HMRC did not have adequate consent from its customers and we have issued an enforcement notice ordering HMRC to delete any data it continues to hold without consent. In the notice, the Information Commissioner says that HMRC appears to have given ‘little or no consideration to the data protection principles when rolling out the Voice ID service’.”

The ICO said that the characteristics of a person’s voice constitute biometric data, which HMRC processed to identify customers.

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database,” said Big Brother Watch’s director, Silkie Carlo. “This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”

Steve Wood, Deputy Commissioner for Policy at the ICO, said: “While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data. The case raises significant data governance and accountability issues that require monitoring.”

In October 2018, HMRC changed how it sought permission from its customers to use voice recordings as identification and required individuals to inform them whether they consented to use the service. Around 1.5 million people contacted HMRC, informing them that they wished to continue using the Voice as ID service, and HMRC retained their records. The 5 million remaining voice files were deleted.

This notice is the first of its kind following the implementation of GDPR. HMRC was not fined for any privacy violations.


Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.