The voice records of approximately five million customers are being deleted by HM Revenue and Customs, which has been discovered to have given customers insufficient information regarding how their data would be processed.
The Information Commissioner’s Office (ICO) said that the voice data that were unlawfully collected by HMRC should be deleted.
An investigation that was conducted by the ICO into the Voice ID service of HMRC was prompted by a complaint from Big Brother Watch regarding the conduct of the department.
Since 2017, the customers have been able to use voice authentication on some of the helplines of HMRC, which means that they can by-pass some other security checks.
They need to repeat the phrase: “My voice is my password” in order to register.
The services that use Voice ID are Tax Credits, Child Benefit, Self-Assessment, Help to Save, National Insurance, and Taxes.
However, the ICO discovered that HMRC failed to give its customers adequate information regarding how their biometric data would be processed and was not able to give them the opportunity to give or withhold consent.
This is considered a breach of the General Data Protection Regulation (GDPR) of the European Union.
Under the new rules that came into force in 2018, biometric data is considered special category information and will be subject to stricter conditions.
The ICO has issued a preliminary enforcement notice to the HMRC. It stated the initial decision of the Information Commissioner to compel the department to delete all of the biometric data that are held under the Voice ID system for which it does not have explicit consent.
It said that it will issue its final enforcement notice next week giving the HMRC 28 days from that date to complete the deletion of relevant records.
HMRC is anticipating that it will complete work to delete records well before the June 5 deadline of the ICO.
It will now only retain the Voice ID enrolments where it holds explicit consent.
Currently, this is around 1.5 million customers who have used the service since the tax authority introduced the changes in October 2018 to comply with GDPR requirements.
The five million customers whose records are being deleted enrolled in the Voice ID service prior to October 2018 and have not called the HMRC or used the service since to reconfirm their consent.
People whose records are being deleted may apply again to use the service if they want to.
The deputy commissioner at the ICO, Steve Wood, stated: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully.”
He added: “Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.”
He continued: “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy.
Wood noted: “Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
A spokesperson of the HMRC said: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.”
He added: “Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”