So Call Me, Maybe: HMRC ordered to delete voice records of 5 million people

May 21, 2019

2 min read

Sign up to our mailing list! 👇

What's going on here?

In 2017, HMRC launched a voice ID system for telephone enquiries with the aim of speeding up its much-criticised helpline process.

However, HMRC failed to gain explicit consent from individuals before signing them up to the voice ID system. Privacy campaigner Big Brother Watch complained about the new scheme, claiming that users were “railroaded” as they were not given the choice to opt out.

What does this mean?

The General Data Protection Regulation (GDPR), which came into force in May last year, requires organisations to obtain explicit consent before they use biometric data to identify someone. HMRC has been informed by the ICO (a public body that protects the information rights of the genral public) that its voice ID system did not adhere to the data protection rules. Steve Wood (Deputy Commissioner at the ICO) said that “innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy.”

The ICO has issued the first enforcement notice of its kind to HMRC to ensure that the data is deleted. 1.5 million people have agreed that they wish to continue using the service and so their records have been retained. In order to reassure taxpayers, HMRC stated that the data is encrypted, stored in a data centre in the UK, and is never shared with anyone outside the agency. The tax authority also announced that the records of all other affected customers who did not wish to remain part of the scheme would be deleted “well before” the ICO’s deadline set for the 5th June.

What's the big picture effect?

Silkie Carlo (Director of Big Brother Watch) said that “this is the biggest ever deletion of biometric IDs from a state-held database. It sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth, and no government department is above the law.”

Similar projects have been launched by banks, however they have not always proven successful. In 2016, HSBC introduced a voice-based security system which measured 100 different characteristics of the human voice to verify a customer’s identity. However, a BBC reporter Dan Simmons and his non-identical twin brother Joe, revealed that the system was not as secure as HSBC had hoped. Joe was able to access his brother’s bank balances and recent transactions.

Professor Vladimiro Sassone (an expert in cyber-security from the University of Southampton) said, “biometrics could be an effective security layer, but there were dangers if companies put too much faith in something that was not 100% secure.

Is our privacy and security being side-lined for convenience with these new technologies?

Report written by Erin S

If you’d like to write for LittleLaw, click here!

Share this now!

Check out our recent reports!