HMRC Voice ID Data Seriously Breached GDPR, ICO Warn
The thin line between innovative technological progress and an invasion of privacy was crossed by HM Revenue and Customs after they unlawfully signed 5 million users up to a Voice ID service without seeking their express consent.
Following a complaint lodged by Big Brother Watch, the Information Commissioner’s Office (ICO) instigated a formal investigation into HMRC’s use of voice authentication from as far back as January 2017.
The ICO found that HMRC had failed in their duties, even prior to GDPR regulations, to give their customers adequate information about how their biometric data would be used, processed and stored.
Their policy also failed to allow customers the necessary time to ask for their information to be withheld.
The ICO’s enforcement notice has given HMRC until June 05 to delete the information of 5 million users. However, Chris Franklin, HMRC’s data protection officer, has confirmed that the deletion process is already underway and will be complete long before the deadline passes.
In a public letter to the ICO, Chris Franklin, HMRC Data Protection Officer, commented:
“I have confirmed that HMRC will only retain Voice ID enrolments where we hold explicit consent. As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.
“I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline. These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent.
“I have reaffirmed HMRC’s commitment to being a responsible data controller and to complying with all data protection laws.”
Silkie Carlo, Director of Big Brother Watch, said:
“This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country.
“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”
Steve Wood, Deputy Commissioner at the ICO, said:
“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
Although HMRC were storing data and launching the system to ensure that customers receive a smoother, faster and more efficient experience if they were ever to communicate with HMRC in the future, the assumption that customers would consent because of the benefits is a fundamental overstepping of the proverbial mark.
Whilst it is fantastic that organisations, businesses and law firms are embracing technological breakthroughs to improve the customer journey, it is imperative that this does not come at the cost of a person’s fundamental right to privacy.
Does your law firm ensure that all communications and the way it stores data are compliant with GDPR?