We heard a lot about the introduction of the EU wide GDPR (General Data Protection Rules) last year. New cases of rule breaking are emerging all the time, as people understand the system more fully and different practises are questioned. These rules apply just as much to government departments as they do to businesses. HMRC are facing the consequences of their voice recognition scheme violating GDPR.
What HMRC voice recognition?
If you weren’t part of the 2017 trial, you perhaps don’t know that HMRC give some users the option to use voice recognition as one of the security layers on their tax account. This is part of HMRC’s plan to rectify the long waiting times that taxpayers face when they contact them by phone.
Each person is required to say the phrase “my voice is my password.” The voice recognition software is sophisticated enough to identify each individual and then becomes a quicker step in the security process when dealing with your tax affairs.
What’s the problem?
The problem is with consent. Did HMRC seek proper consent from individuals before signing them up to their new security system? Having a recording of your voice is considered collection of biometric data, like retina scanning, and requires explicit written consent according to GDPR.
The privacy campaigners Big Brother Watch said that this was making “biometric ID cards by the back door”. Who is to say that HMRC don’t automatically share this information with all other government departments?
They found that HMRC did not have proper consent and had not given their users the chance to opt out of joining the system. This conclusion was upheld by the UK’s Information Officer.
What are the consequences for HMRC?
HMRC have been required to delete the voice recognition records of five million taxpayers. These are the people who started in the system before October 2018 and haven’t used it since.
They are allowed to continue using the system because they have corrected the way they get permission to come into line with GDPR. 1.5 million taxpayers who signed up before October 2018 have since been given the opportunity to agree with HMRC keeping their biometric data on file.
HMRC chief executive, Sir Jon Thompson, said: “I am satisfied that HMRC should continue to use voice ID. It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster.” This opinion is part of a letter to the HMRC data protection officer, as reported by the BBC.
Director of Big Brother Watch, Silkie Carlo, said: “This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”