[UK] UK HMRC falls foul of GDPR

Launched in 2017, HMRC’s Voice Biometric technology (Voice ID) service is designed to speed up customer recognition when contacting HMRC by telephone, “reducing the risk of fraud and making information safer”.  Voice recognition replaced normal security checks with the caller only having to say “my voice is my password” several times to confirm their identity.

But a complaint from Big Brother Watch said that HMRC had “railroaded” customers into using the service and, importantly, were not given the choice to opt out.  This is totally against the General Data Protection Regulation (GDPR) which came into force in May 2018 and covers the use of biometric data.  The Information Commissioner's Office (ICO) said on the 3rd of May 2019 that some of the data had been collected against the requirements of the Regulation and therefore illegally.  Their statement said:

“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

HMRC actually changed the way that it started obtaining permission from customers in October 2018 and this amounts to 1.5 million people who have given their consent and HMRC have not acted unlawfully.  These records will be retained but there are still 5 million or so records that HMRC will have to delate, i.e. the people that enrolled in the service before October 2018.

In a letter to HMRC’s Data Protection Officer Chris Franklin on the 3rd of May 2019, the CEO Jonathan Thompson confirmed that HMRC had accepted they had breached data protection and reaffirmed their commitment to protection in the future.  The letter also says that Voice ID will continue and their privacy notice outlines about how consent is obtained, how it can be withdrawn and how long data is kept.