Oli Scarff/Getty Images
show image

GDPR: HMRC’s database of 5.1m voice records raises “significant questions of lawfulness”

An HMRC database of 5.1 million taxpayers’ biometric voiceprints may breach new European data protection laws, according to privacy experts and campaigners.

Big Brother Watch has accused HMRC of failing to gain callers’ consent before asking them to read out a statement in an attempt to turn their voice into a password.

Pat Walshe, a privacy law expert working in partnership with Big Brother Watch, said the system raised “significant questions of lawfulness” under the new EU-wide General Data Protection Regulation.

NS Tech understands HMRC is now reviewing the system to resolve issues between implied and active consent. The Information Commissioner’s Office has also opened an investigation into Big Brother Watch’s complaint.

When HMRC announced the system last June, it claimed users could “choose to opt-out”, but Big Brother Watch’s findings cast doubt on this claim. If a caller rings HMRC’s tax credits or self-assessment helplines, they will be asked to repeat the phrase: “My voice is my password.” A refusal to do so prompts the system to state: “It’s important you repeat exactly the same phrase. Please say ‘My voice is my password’.”

A caller must refuse three times before the system connects them to an operator, according to a transcript published by Big Brother Watch. If a voice recording is successfully taken, it is then analysed and converted into a unique identifier.

Under GDPR, organisations are able to process users’ data without their consent in certain circumstances, such as if the processing is necessary for compliance with a legal obligation or to deliver a task in the public interest. But Big Brother Watch claims that this could not be a defence in this instance because the voice ID is not essential for HMRC to carry out its work.

The scale of the database was revealed under Freedom of Information laws to Big Brother Watch. But the organisation claims HMRC refused to respond to a number of further question, including about whether a privacy impact assessments (PIA) was carried out before the scheme launched last year.

HMRC told NS Tech that the data would only be used for security authentication purposes, could not be traced back to an individual and that it would not be shared with other government departments. The department did not comment on whether the ICO had been consulted before the scheme was launched or whether a privacy impact assessment had been carried out.

Silkie Carlos, the director Big Brother Watch, said there had been a “distinct lack of transparency” around the scheme. “The rapid growth of the British database state is alarming,” she said. “These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives. HMRC should delete the 5 million voiceprints they’ve taken in this shady scheme, observe the law and show greater respect to the public.”

The system is now under review. An HMRC spokesperson told NS Tech: “Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest government and industry standards for security.”

The Home Office revealed earlier this year that a framework for the use of biometric data in the public sector would be released in June, four and a half years after it was due to be published. A Home Office source told NS Tech last week that the department still intended to release the framework this month.