The Information Commissioner’s Office (ICO) has welcomed the prompt response by HM Revenue and Customs (HMRC) to begin deleting voice data collected unlawfully from five million UK taxpayers, but HMRC plans to continue using the system despite the controversy.
The ICO ordered the data to be deleted after conducting an investigation into HMRC’s Voice ID service in response to a complaint from civil liberties and privacy campaigning non-profit organisation Big Brother Watch, which accused HMRC of building a biometric ID database by the back door.
The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017. The system was introduced to help speed up security checks for taxpayers using HMRC’s helpline by registering voice prints to confirm identity.
The ICO found HMRC had breached the General Data Protection Regulation (GDPR) by failing to give customers sufficient information about how their biometric data would be processed and failing to give them the chance to give or withhold consent.
The ICO issued a preliminary enforcement notice to HMRC on 4 April 2019, stating the information commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
The ICO will issue its final enforcement notice this week, giving HMRC 28 days from the date of the notice to complete the deletion of all relevant records.
“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully,” said Steve Wood, deputy commissioner at the ICO.
“Our investigation exposed a significant breach of data protection law. HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy.
“Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
The ICO’s investigation was carried out under the GDPR, which came into full force on 25 May 2018. Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.
Big Brother Watch director Silkie Carlo described the ICO’s decision as a “massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country”.
She added: “To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. It sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”
Big Brother Watch began its investigation into HMRC’s voiceprint database in June 2018 and handed its findings to the ICO, requesting a formal investigation.
In January 2019, Big Brother Watch conducted a six-month review using Freedom of Information requests and found that HMRC had updated its system so that callers who had previously been added to the Voice ID system were offered the option to delete their voiceprint.
The campaign group found that 160,000 people had used the option to delete their voice record from the government database, but called on the ICO to take action to show that the government is not above the law.
Big Brother Watch is among several privacy and civil liberties groups campaigning against the gathering and storing of biometric data and the use of biometric-based systems such as automatic facial recognition (AFR) technology by police. Despite the opposition, HMRC chief executive Jon Thompson has indicated that his department plans to continue to use the Voice ID system.
“I am satisfied that HMRC should continue to use voice ID,” he said in a letter to Chris Franklin, HMRC’s data protection officer.
“It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster.
“HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes.”
Thompson said he had confirmed to the ICO that HMRC will retain Voice ID enrolments only where it holds explicit consent.
“As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements,” he wrote to Franklin.
Thompson said he had also informed the ICO that HMRC had already started to delete all records where it does not hold explicit consent and will complete that work before the ICO’s deadline of 5 June 2019.
“These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent,” he said.
Thompson said he had reaffirmed HMRC’s commitment to being a “responsible data controller” and to complying with all data protection laws.