HM Revenue and Customs (HMRC) has been found to be in ‘significant breach’ of data protection law by the Information Commissioner’s Office (ICO) and must now delete some five million voice recordings.
An ICO investigation was launched into HMRC’s Voice ID service last year following a complaint by the privacy campaign group Big Brother Watch. The investigation examined the use of voice authentication to identify callers on HMRC’s telephone helplines.
Since January 2017, callers to HMRC had been asked to repeat the phrase “my voice is my password”. This was recorded and an algorithm was used to identify the caller on subsequent calls. The system was intended to increase the efficiency of the HMRC telephone helpline by reducing the need for more traditional security checks. Similar schemes have also been used in the financial services sector, including some banks.
The ICO noted that HMRC had not obtained explicit consent from individuals when it recorded their voices and signed them up to the system.
Under the General Data Protection Regulation (GDPR), organisations are required to obtain explicit consent for using biometric data to identify individuals. Biometric data is considered ‘special category’ information and is therefore subject to stricter conditions.
Steve Wood, Deputy Commissioner at the ICO, said ‘our investigation exposed a significant breach of data protection law. HMRC appears to have given little or no consideration to it with regard to its Voice ID service. Innovative digital services make our lives easier but it must not be at the expense of people’s fundamental right to privacy.’
This is a timely reminder that organisations need to be fair and transparent when collecting and processing personal data. Organisations should be clear about their lawful basis for handling data and should be particularly careful when handling special category data such as biometrics.
If you need any support with GDPR, RWA can assist by reviewing your data protection processes and helping you identify and fix any gaps in your controls. Whether you need external support or not, we would urge all firms to take heed of this reminder and ensure compliance with data protection law.