HM Revenue & Customs (HMRC) has said it will continue to use its Voice ID service despite criticisms from the Information Commissioner’s Office (ICO) about its retention of the biometric data.
It is, however, complying with the ICO’s demand to delete the data of about 5 million customers for whom consent has been judged to be out of date.
This follows an investigation by the ICO, prompted by a complaint from privacy campaign group Big Brother Watch, that found HMRC failed to give customers sufficient information about how their voice biometrics would be processed, and to enable them to give or withhold consent.
On 4 April the ICO issued a preliminary enforcement notice compelling HMRC to delete all of the data for which it does not have explicit consent. Next week it will issue a final enforcement notice giving the department 28 days to complete the deletions.
Sir Jonathan Thompson, HMRC’s permanent secretary, has written a letter to its data protection officer Chris Franklin saying he is satisfied it should continue to use Voice ID. Also, it will retain the data on 1.5 million customers from whom it has obtained specific consent since it made changes in October of last year to comply with the General Data Protection Regulation (GDPR).
An HMRC spokesperson said: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.
“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”
Steve Wood, deputy commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used.”
The department has insisted that it has complied with the requirements of the GDPR on consent after changes were made in October 2018, and that customers have always been able to request to have their data removed from the system.
It stores digital signatures based on over 100 measures of the voice passed through an algorithm. Each signature is then encrypted and stored securely with no account identifier details, so it cannot be traced back to an individual outside the system.
It has also said that the data is not shared with any other organisation and is all stored in the UK.
Image by Dun.can, CC BY 2.0 through flickr