The Information Commissioner’s Office (ICO) has ordered HMRC to delete voice data collected from around 5m taxpayers who enrolled for its Voice ID service before October 2018. Following changes to its enrolment process, HMRC will continue to use Voice ID for taxpayers who have given their explicit consent, in compliance with GDPR.
In a preliminary enforcement notice issued in April, the ICO found HMRC had failed to provide taxpayers with sufficient information about how their data would be processed and had also failed to offer them the chance to give or withhold consent, in breach of the General Data Protection Regulation (GDPR).
The ICO has given HMRC a deadline of 5 June 2019 to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
HMRC chief executive, Sir Jonathan Thompson, has written to HMRC’s data protection officer confirming that the department has already started to comply with the ICO’s ruling by deleting records for which HMRC does not have explicit consent, ‘and will complete that work well before ICO’s 5 June 2019 deadline’.
This process will involve ‘around 5m customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent’, Sir Jonathan’s letter said.
HMRC has received consent from around 1.5m taxpayers for retention of their Voice ID data since the department introduced changes in October 2018 to comply with GDPR. The letter also confirmed that HMRC will continue to use Voice ID, which ‘is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster. HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes’, Sir Jonathan wrote.
HMRC launched its Voice ID service in January 2017 for taxpayers using the tax credits and self-assessment helplines. Towards the end of July 2018, HMRC issued its ‘Voice identification privacy notice’ to explain how it collects and uses taxpayers’ voice identification data in connection with PAYE, child benefit, NICs and debt management for tax credits and self-assessment.
Commenting on the ruling, ICO deputy commissioner, Steve Wood, said: ‘We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service’.
‘Innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy’, Wood added.
The Information Commissioner’s Office (ICO) has ordered HMRC to delete voice data collected from around 5m taxpayers who enrolled for its Voice ID service before October 2018. Following changes to its enrolment process, HMRC will continue to use Voice ID for taxpayers who have given their explicit consent, in compliance with GDPR.
In a preliminary enforcement notice issued in April, the ICO found HMRC had failed to provide taxpayers with sufficient information about how their data would be processed and had also failed to offer them the chance to give or withhold consent, in breach of the General Data Protection Regulation (GDPR).
The ICO has given HMRC a deadline of 5 June 2019 to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
HMRC chief executive, Sir Jonathan Thompson, has written to HMRC’s data protection officer confirming that the department has already started to comply with the ICO’s ruling by deleting records for which HMRC does not have explicit consent, ‘and will complete that work well before ICO’s 5 June 2019 deadline’.
This process will involve ‘around 5m customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent’, Sir Jonathan’s letter said.
HMRC has received consent from around 1.5m taxpayers for retention of their Voice ID data since the department introduced changes in October 2018 to comply with GDPR. The letter also confirmed that HMRC will continue to use Voice ID, which ‘is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster. HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes’, Sir Jonathan wrote.
HMRC launched its Voice ID service in January 2017 for taxpayers using the tax credits and self-assessment helplines. Towards the end of July 2018, HMRC issued its ‘Voice identification privacy notice’ to explain how it collects and uses taxpayers’ voice identification data in connection with PAYE, child benefit, NICs and debt management for tax credits and self-assessment.
Commenting on the ruling, ICO deputy commissioner, Steve Wood, said: ‘We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service’.
‘Innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy’, Wood added.
