HMRC breached data privacy laws with voice records of 5 million UK residents.

The UKs HM Revenue and Customs (HMRC) “significantly” breached datya privacy laws whn it failed to obtain explicit consent from individuals, before signing them up to a voice ID system for telephone enquiries.

Privacy campaigners have accused HMRC of creating “biometric ID cards by the back door”, while The Information Commissioner’s Office (ICO) said this is a “significant” breach of data laws.

Steve Wood, deputy commissioner at the ICO said:

Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy,

HMRC will be served an enforcement notice this week, giving the department 28 days from that date to delete the records.

The BBC reports that the HMRC’s system will continue despite the deletion of the 5 million records.

Sir Jon Thompson, HMRC chief executive, said: “I am satisfied that HMRC should continue to use voice ID.” In a letter to the ICO he said. “It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster,”

Privacy campaigner Big Brother Watch lodged a complaint about the audio signatures system, claiming users were “railroaded” into using it as they were not given any opportunity to opt out.

According to the GDPR, organisations are required to gain explicit consent before using biometric data to identify individuals. This includes voice recordings. HMRC was told by the ICO that it had failed to comply with data protection rules. Basically it had automatically pushed people into the system without their consent.

No fine (again) for a UK government department

The ICO has issued the first enforcement notice of its kind to HMRC, under GDPR rules, to ensure the data is deleted. As a result, no fine will be levied.

Last month the Home Office violated data privacy regulations on two separate ocasions, when it exposed personal information of 500 and 240 UK residents. The Home Office was not fined, despite the seriousness of the two incidents.

HMRC changed the way it sought permission for voice ID in October. Some 1.5 million people have called HMRC since then, and said they wanted to continue using the service. Their records have been retained.

However, HMRC has started to delete the voice records of the remaining five million who enrolled into the system before October and who have not called or used the service since.

Silkie Carlo, director of Big Brother Watch, said:

This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. …To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.

Mr Wood, deputy commissioner at the ICO, said:

We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law. HMRC appears to have given little or no consideration to it with regard to its voice ID service.

Sources: BBC News