A complaint from the Big Brother Watch instigated an investigation into HMRC’s Voice ID service. The ICOs investigation mainly dealt with the voice authentication for customer verification on some of HMRC’s helplines since January 2017.
Customers were given insufficient information when it came to how their biometric data would be processed. Biometric data is considered special category information and is subject to stricter conditions. They were also denied the opportunity to give or withhold consent, which is a breach of GDPR.
Steve Wood, Deputy Commissioner at the ICO, said:
“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service”. “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
By now the ICO have issued its final enforcement notice, giving HMRC 28 days from that date to complete deletion of relevant biometric data records, held under the Voice ID system for which it does not have explicit consent.