ICO says that voice data collected unlawfully by HMRC should be deleted
Date 03 May 2019
The UK's Information Commissioners Office.
An ICO investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct. The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017.
The ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of the General Data Protection Regulation.
The ICO issued a preliminary enforcement notice to HMRC on April 4, 2019, stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
The ICO will issue its final enforcement notice next week giving HMRC 28 days from that date to complete deletion of relevant records.
Steve Wood, Deputy Commissioner at the ICO, said:
FTC Takes Action against Companies Falsely Claiming Compliance with the EU-U.S. Privacy Shield, Other International Privacy Agreements
European Data Protection Board – Eleventh Plenary session: Guidelines on Codes of Conduct, annex to the Guidelines on Accreditation, annex to the Guidelines on Certification