ICO orders HMRC to delete 5 million biometric records

The Information Commissioner’s Office has ordered HMRC to delete 5 million biometric records after an investigation concluded HMRC obtained the records unlawfully.  It had not given users enough information about how it would use their data. It had also not allowed them to agree or disagree to HMRC using it. This meant that it did not have valid consent to using the data and had breached the General Data Protection Regulation. 

What was the ICO investigating MMRC for?

The ICO investigated HMRC over its use of voice recordings to identify callers to its helpline. It investigated after data privacy group Big Brother Watch alerted it to the issue.

HMRC introduced voice verification services from January 2017. It intended to use the technology to increase security and reduce the risk of fraud. People who called HMRC were asked to repeat 'my voice is my password' so HMRC could check their identity for future phone calls. 

Until October 2018, HMRC did not tell users they did not have to agree to using their voice as their password, nor how it would be using their biometric information. 

What were the investigation’s findings?

The ICO found that HMRC had not given users enough information about how it would use their biometric data and had not given them the chance to give or withhold consent. This was a breach of the General Data Protection Regulation (GDPR). 

What does the GDPR require?

One of the key changes made by the GDPR was to raise the bar for using consent as a lawful basis for processing personal data. To rely on consent, the consent must be:

• Freely given
• Specific
• Informed and
• Unambiguous

When asking for consent, the data controller must use plain language and tell the individual they have the right to withdraw their consent at any time. Crucially, it must be as easy for the individual to withdraw consent as it was for them to give it. Controllers must also be able to show that individuals have given their consent to the particular processing. 

Voice recordings are special category data under the GDPR as they are biometric data. This means the hurdle for consent is even higher, as the individual must give explicit consent. They must give a clear statement that they agree to the data controller using their biometric data. They must also give this consent separately from any other consents sought. 

What does HMRC have to do?

The ICO’s enforcement notice requires HMRC to delete all the biometric data it holds for which it did not get explicit consent. This means that it will have to delete the data of users who enrolled on to the system between January 2017 and October 2018. However, it will be able to keep the voice recordings it obtained since October 2018, when it introduced the option to opt out. 

HMRC released a statement confirming that it will comply with the enforcement notice.

What is the impact of the ICO’s enforecement on HMRC?

As HMRC’s phone services did not allow callers to opt out of a using voice identification until October 2018, it is not surprising the ICO decided they had not given valid consent. Using this data was therefore unlawful. However, this incident reinforces the difficulties of relying on consent as a lawful ground for processing data if the correct processes are not in place. When introducing new technologies, organisations must consider data privacy issues and how to address them to ensure they do not fall foul of the law.