HMRC has agreed to delete more than five million people’s voice records after the UK’s privacy watchdog ruled it had collected the data unlawfully.
An investigation by the Information Commissioner’s Office found that the tax authority had failed to inform callers about how their data would be processed or give them the opportunity to withhold consent.
The system, which enables people to use their voice as a form of authentication, was therefore in breach of the EU’s General Data Protection Regulation, the ICO ruled.
The investigation was launched after a complaint was submitted by Big Brother Watch. “To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database,” said the organisation’s director Silkie Carlo. “This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”
Steve Wood, the ICO’s deputy commissioner, said HMRC had given “little or no consideration” to data protection law, but added that he welcomed “HMRC’s prompt action to begin deleting personal data that it obtained unlawfully”.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
An HMRC spokesperson said: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.
“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”