The Information Commissioner’s Office say that the voice data collected unlawfully by HMRC should be deleted.
The Information Commissioner’s Office started investigating HMRC back in June 2018, after learning the government body had been illegally storing the biometric voice IDs of more than 5 million people.
Watchdog group ‘Big Brother Watch’ (BBW) lodged an official complaint with the ICO. The advocacy organisation said that the collection of Voice IDs was not being done with explicit consumer consent, and that information on how individuals can easily and securely have their voiceprint deleted is not publicly accessible. BBW says this is a direct violation of GDPR. A ‘Freedom of Information’ (FOI) request by BBW revealed HMRC started collecting Voice IDs from callers back in January 2017. Callers were unable to speak to an advisor unless they recorded their voice first. BBW also requested a copy of the Privacy Impact Assessment for recording Voice IDs, which HMRC declined to provide.
5.1 million callers have been forced to complete the phrase “My Voice Is My Password”. Each voice recording is then stored and used as a high-tech security check. When the person calls back, their voice acts as a password to unlock their account. Callers are told they can avoid standard security questions, involving their names, birth dates, etc., by simply using their voice. The technology is also used by high street banks, which raises the question: what happens if there is a security breach? Criminals could use Voice IDs to hack into private bank accounts, especially if these Voice IDs are improperly stored.
Following their investigation, the ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. Under GDPR, biometric data is considered special category information and is subject to stricter conditions. The ICO has given HMRC 28 days to delete all of the relevant records.
Steve Wood, Deputy Commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its voice ID service. Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”