31st May 2019 - Jax Floro

Following a complaint filed by Big Brother Watch, a non-profit liberties and privacy campaigning organisation in the United Kingdom, the Information Commissioners Office (ICO) found that HM Revenue and Customs (HMRC) had violated the General Data Protection Regulation (GDPR).

ICO says HMRC failed to provide their customers with adequate information about how their biometric data would be processed and failed to give them the opportunity to give or withhold consent, saying there had been a “significant” breach of data laws.

The HMRC uses Voice ID as a biometric voice service in order to ease caller access through security processes when discussing customer accounts. According to HMRC, Voice ID is a high-tech system to improve customer service and security.

Big Brother Watch, however, complained that the system did not follow data protection laws and non-compliant voice files should be deleted. The self-assessment helpline system was misleading to customers because it “forced” people to create a Voice ID by repeating the phrase “my voice is my password” without giving the customer an option to withdraw from the ID scheme or to delete their voiceprint.

HMRC was compelling the public into a mass ID scheme in breach of data protection laws because users were not given the option to opt out. This contravenes EU data law because the GDPR requires explicit consent from data subjects before biometric data can be used as a means of identification.

HMRC must delete the voiceprint records of 5.1 million taxpaying people who have registered through the service before October 2018 but have not used the service since. Big Brother Watch said that so far, this is the biggest ever deletion of biometric data from a government agency’s database in the UK.

More than 160,000 users of the service chose to opt out deciding it was a “shady” scheme. Consequently, HMRC revised the way the system asked permission for Voice ID in October 2018 .

According to Steve Wood, Deputy Commissioner of the ICO, “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair, and, when necessary, obtain consent from the people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

Says Big Brother Watch director, “This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country”.

Takeaway Points

• HMRC, a government agency in the UK breached the GDPR rules on gathering biometric data which is considered to be a special category of personal data and therefore subject to stricter conditions.
• HMRC failed to provide customers enough information as to how their biometric data would be processed and also failed to give an option to give or withhold consent.
• Big Brother Watch filed a complaint that convinced the ICO to investigate the matter.
• As a result, HMRC will delete the biometric data of more than 5.1 million taxpayers.
• Organisations must obtain consent from people about how their personal data will be used in accordance with the strict requirements of data protection laws. Government departments are not above the law either!

Jaclyn-Mae Floro, BCompSc

Contact W3IP Law on 1300 776 614 or 0451 951 528 for more information about any of our services or get in touch at law@w3iplaw.com.au.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.