UK Tax Authority Falls Foul of EU Data Protection Regulation

Her Majesty’s Revenue & Customs have been collecting voice recordings of UK citizens for a couple of years now, but this practice has been deemed unlawful.

The tax authority recorded and databased voice recordings of anyone calling in to their telephone helplines with questions about their tax accounts and National Insurance records.

There was no escaping being recorded when calling up HMRC. It really did feel that Big Brother had finally arrived.

However, the European Union’s recently introduced General Data Protection Regulation has come to the rescue and now HMRC must delete its voice records or face hefty fines (which of course the British taxpayer would stump up for).

Here’s a press release received yesterday from the Information Commissioner’s Office, which oversees and enforces Britain’s data protection laws:

ICO says that voice data collected unlawfully by HMRC should be deleted

An ICO investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct. The investigation focussed on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017.

The ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of the General Data Protection Regulation.

The ICO issued a preliminary enforcement notice to HMRC on April 4, 2019 stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.

The ICO will issue its final enforcement notice next week giving HMRC 28 days from that date to complete deletion of relevant records.

Steve Wood, Deputy Commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.

“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

The ICO’s investigation was carried out under the GDPR, new rules that came into force last year. Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.