The Information Commissioner’s Office (ICO) is investigating HMRC to establish whether or not the government tax body has been illegally recording and storing more than 5 Million Biometric Voice ID’s.
Watchdog Group ‘Big Brother Watch’ (BBW) lodged an official complaint with the ICO. The advocacy organisation said that the collection of Voice ID’s is not being done with explicit consumer consent, and information on how individuals can easily and securely have their voiceprint deleted is not publicly accessible. BBW says this is a direct violation of the recently implemented GDPR.
A ‘Freedom of Information’ (FOI) request by BBW revealed HMRC started Voice ID’s from callers back in January 2017. Callers were unable to speak to an advisor unless they recorded their voice first. BBW also requested a copy of the Privacy Impact Assessment for recording Voice ID’s, which HMRC declined to provide.
5.1 Million callers have been forced to complete the phrase “My Voice Is My Password”. Each voice recording is then stored and used as a high-tech security check. When the person calls back, their voice acts as a password to unlock their account. Callers are told they can avoid standard security questions, involving their names, birth dates, etc by simply using their voice.
The Technology is also used by high street banks, posing the question, what happens if there is a security breach? Criminals could use Voice ID’s to hack into private bank accounts, especially if these Voice ID’s are improperly stored.
The big problem for HMRC here is GDPR and Data Protection. A major overhaul of consumer rights, data protection and data storage has just taken place and HMRC, a government body is failing to meet basic data protection and collection rules. Capturing people’s Voice ID’s without their freely given consent, and not making clear what it’s being used for, would be an infringement of the Data Protection Act 2018 and the EU’s GDPR rules.
There is also no opt-out option in their system, meaning that if callers do not want to have their Voice ID’s recorded then they cannot go further with the call.
The ICO is now looking into the issue. They have the power to order HMRC to suspend the scheme.
In order to reassure the public that this software is safe and has a place in the customer identification process, HMRC needs to be transparent and answer some of the following questions:
Have the ID’s been shared with other government department’s?
Are they intending to use the Voice ID’s across all other government departments?
Are they adequately protected against cyber attacks?
Is the scheme privacy compliant?
How much has this cost the tax payer?
How can an individual delete their voice ID?
A spokesperson for HMRC said: “Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest government and industry standards for security”.
We will update this post once the ICO completes and publishes the results of the investigation.