Privacy: HMRC forced to delete 5 million unauthorized voice recordings of UK taxpayers
The UK tax authority, HM Revenue and Customs (HMRC), has been forced to deleted voice recording of five million taxpayers. The recordings were made without consent, which the Information Commissioner's Office (ICO) said constituted a "significant" breach of data and privacy rules.
Before being allowed to access HMRC services, callers were required to repeat the phrase "My voice is my password". This recording was fed into the authority's biometric voice ID database, and violated GDPR rules.
The privacy concerns stemmed from the fact that people were not given the ability to opt out of using the system and having their voice recordings saved. ICO has now told HMRC that it failed to adhere to data protection rules. "This is a breach of the General Data Protection Regulation," it said.
In response to the ICO's ruling, Sir Jonathan Thompson, Chief Executive and Permanent Secretary of HMRC wrote to HMRC Data Protection Officer Chris Franklin, to make three points:
- I have confirmed that HMRC will only retain Voice ID enrolments where we hold explicit consent. As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.
- I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO's 5 June 2019 deadline. These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent.
- I have reaffirmed HMRC's commitment to being a responsible data controller and to complying with all data protection laws.
Steve Wood, Deputy Commissioner at the ICO, said: "We welcome HMRC's prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law -- HMRC appears to have given little or no consideration to it with regard to its Voice ID service."
HMRC says that it remains committed to using the voice ID security system.