“Voice ID? We’re Keeping It” Vows HMRC, Dodging Fine for GDPR Breach

Her Majesty’s Revenue and Customs (HMRC) has vowed to continue using its controversial Voice ID system – but promised to delete the records of 5.1 million customers who did not consent to the harvesting of their biometric voice data.

The decision comes after the Information Commissioner’s Office (ICO) on May 3 found HMRC to be in breach of GDPR, saying its investigation “exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service”. It has ordered the department to delete the records.

Taxman won’t be taxed for GDPR breach, says ICO

HMRC got off lightly: it will not be fined, the ICO confirmed to Computer Business Review, saying more details on the enforcement action will be published this week.

The ICO’s Deputy Commissioner Steve Wood said: “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used.”

“When that doesn’t happen, the ICO will take action to protect the public”.

Voice ID: Now GDPR-Compliant, Says HMRC

In a letter to the ICO late last week, HMRC Chief Executive Sir Jonathan Thompson wrote: “I am satisfied that HMRC should continue to use Voice ID.”

“It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster.”

He added: “HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes.”

The letter came after advocacy group Big Brother Watch last year found that since January 2017, HMRC had been taking voice recordings from those who call the tax credits and self-assessment helplines to create a voiceprint to identify callers in the future. It did not offer an opt-out, with a transcript of a call reading as follows.

The Transcript that Triggered Trouble

System: Finally what’s your date of birth?

Caller: *DOB provided*

System: Thank you. For some calls we are introducing a quicker and more secure way for you to identify yourself. You can skip these security questions in the future by using your voice to confirm who you are. Voice ID uses the sound and rhythm of your voice to identify a numerical pattern. This pattern is unique to you in the same way your fingerprint is. It works if you have an accent or are unwell. For example, you can still use Voice ID if you have a cold. It is the fastest and most secure way for us to know it is really you we are talking to. It’s easy to setup. You’ll be asked to repeat the sentence ‘My voice is my password’ multiple times. I’ll need you to say exactly those words. It takes about a minute. So, please say ‘My voice is my password’.

Caller: No

System: Sorry, it’s important you repeat exactly [emphasis in recording] the same phrase. Please say ‘My voice is my password’

Caller: No

System: Sorry, it’s important you repeat exactly [emphasis in recording] the same phrase. Please say ‘My voice is my password’

Caller: No

System: Sorry, I wasn’t able to create a Voice ID for you. This is often because of background noise or a bad connection. Don’t worry – next time we’re able to offer you Voice ID, we’ll try again. Please hold on a moment and I’ll transfer you to one of our advisors. For quality and security this call might be recorded. We may need to ask you additional security questions before being able to help you.

The HMRC’s chief executive added in his letter: “I have confirmed that HMRC will only retain Voice ID enrolments where we hold explicit consent. As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.”

He added: “I have reaffirmed HMRC’s commitment to being a responsible data controller and to complying with all data protection laws.”

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer