The ICO compels HMRC to delete five million biometric records
The action was prompted after the records were found to be collected unethically since January 2017


The Information Commissioner's Office (ICO) has issued HM Revenue and Customs (HMRC) with a notice which says the tax authority must delete five million biometric records taken from its users without consent.
The records are voice recordings that HMRC took between January 2017 and October 2018, without consent, for use in the authority's over-the-phone verification process.
HMRC introduced the option for users to participate in the service in October. However, prior to that, opting in to the verification service and handing over one's biometric data was compulsory - something that's against privacy rules.
The service will continue in its current operational form despite the deletion, which, according to Silkie Carlo, director of privacy campaigning group Big Brother Watch, "is the biggest ever deletion of biometric IDs from a state-held database".
"This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no Government department is above the law," Carlo added.
Those who have made contact with HMRC over the phone in the past few years may have been confronted with a message prompting them to repeat 'my voice is my password' in order to verify future phone correspondence with the service.
The security measure allowed users to verify their identity over the phone simply by saying the phrase, which could be linked to the user's account details, replacing the need to verify one's identity using a bank card number or a passport number, for example.
This is the service in question, and it still runs today but with the added bonus of being able to opt out.
HMRC will have to delete the five million records it obtained prior to October 2018, but the 1.5 million records it has collected lawfully since then will be retained.
The GDPR, which came into effect in May last year, requires organisations to obtain explicit consent from the user to gather and control their data. HMRC's pre-October practices wouldn't have fulfilled this requirement.
"I am satisfied that HMRC should continue to use voice ID," said Sir Jon Thompson, HMRC chief executive in a letter to HMRC's DPO. "It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster."
The ICO issued HMRC with a preliminary enforcement notice on 4 April 2019, stating its intent to compel the authority to delete the five million records. It will issue the final enforcement notice next week, giving HMRC 28 days to complete the deletion. HMRC said that it will fulfil the notice "well before" the deadline set.
"We welcome HMRC's prompt action to begin deleting personal data that it obtained unlawfully," said Steve Wood, deputy commissioner at the ICO. "Innovative digital services help make our lives easier but it must not be at the expense of people's fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used."
The focus on HMRC began in June last year when the results of a Freedom of Information (FOI) request submitted by Big Brother Watch revealed the five million records were collected unethically.
Big Brother Watch managed to bypass the voice ID system by saying 'no' three times, but this method of getting around the data collection was not made clear on the hotline.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.