HMRC Deletes Voice Files Following UK Information Commissioner’s Office GDPR Warning

Her Majesty’s Revenue and Customs (HMRC) has deleted five million voice recordings used for taxpayer identification after receiving a warning from the UK Information Commissioner’s Office that it could face ‘enforcement action’ due to privacy concerns surrounding the voice files.

HMRC used the recordings as part of a voice authentication service which asked callers to record their voice and use it as their password. Security and privacy campaigners accused HMRC of creating “biometric ID cards by the back door”.

HMRC introduced the voice authentication service in 2017, and nearly 7 million taxpayers were involved with the service. The Voice ID technology authenticates customers by their voice alone when they use HMRC’s helplines. Callers were told to repeat “my voice is my password” to register for the service, and HMRC stored the recordings.

Big Brother Watch, a non-profit non-party British civil liberties and privacy campaigning organisation, informed the ICO of their concerns surrounding the use of the technology.

The ICO investigated HMRC’s use and implementation of the technology. According to its findings, callers were advised there was a ‘quicker and more secure’ way of verifying their ID over the phone by using voice identification. However, HMRC did not inform callers that they could opt out, nor did it give them further information. Effectively, callers did not give explicit consent for their voice to be used as identification.

The ICO website said: “In short, HMRC did not have adequate consent from its customers and we have issued an enforcement notice ordering HMRC to delete any data it continues to hold without consent. In the notice, the Information Commissioner says that HMRC appears to have given ‘little or no consideration to the data protection principles when rolling out the Voice ID service’.”

The ICO said that the characteristics of a person’s voice constitute biometric data, which HMRC processed to identify customers.

Steve Wood, Deputy Commissioner for Policy at the ICO, said: “While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data. The case raises significant data governance and accountability issues that require monitoring”.

Silkie Carlo, director of Big Brother Watch, said: “This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law”.

In October 2018, HMRC altered how it sought permission to use voice recordings as identification. Around 1.5 million people contacted HMRC informing them that they wished to continue using the Voice as ID service, and HMRC retained their records. The 5 million remaining voice files were deleted.

This notice is the first of its kind following the implementation of GDPR. HMRC was not fined for any privacy violations.
