The campaign group Big Brother Watch has accused HMRC of creating ID cards by stealth after a Freedom of Information (FoI) request revealed it had amassed a database of 5.1 million people’s voiceprints.
Introduced in January 2017, HMRC’s Voice ID system required taxpayers to call HMRC and record key phrases. These were then used to create a digital signature. This signature allows the system to unlock the correct account when HMRC phones back.
However, Big Brother Watch said HMRC had failed to give users enough information on the scheme – such as how to opt out or delete their data.
In response, HMRC refused to set out exactly how deletion would work and admitted that no customers had opted out in the 20 days to 13th March.
Big Brother Watch’s FoI raised questions as to whether the HMRC scheme is legal, especially under the General Data Protection Regulation (GDPR), which came into force on 25th May this year.
Under GDPR, any system which uses voice recognition to identify users would probably meet the criteria for processing of biometric data. This places certain obligations on organisations over and above those that apply to other forms of personal data.
Where biometric processing takes place, GDPR says that the person must give explicit consent. Consent also means a ‘freely given, specific, informed and unambiguous’ indication of the person’s wishes, and it must be a ‘clear, affirmative action.’
It is difficult to square these requirements with what seems to have taken place here. Callers were apparently given no option to opt out, let alone opt in. - Jon Baines: Data Protection Advisor, Mishcon de Reya Law Firm
Under the GDPR, member states can introduce laws to justify biometric processing without consent – but this would require a parliamentary debate before it can be enacted.
Meanwhile the Information Commissioner’s Office (ICO) weighed in to confirm that they had received a complaint about HMRC’s Voice ID system and were making further inquiries.
This does raise the possibility of HMRC being issued with a large fine and being ordered to delete the 5.1 million database entries.
HMRC responded to the charges stating that all of its customer databases, including VoiceID, are stored securely. They refused an FoI request for further details on their storage protocols, but did concede that opting in or out could be improved.
HMRC currently operates VoiceID on the basis of the implied consent of the customer but is developing a new process which will be operated on the basis of the explicit consent of the customer. - HMRC: Public statement
Big Brother Watch also raised concerns as to whether HMRC is sharing the data with other departments, particularly since there have been examples of such practices.
Recently, the Home Office and NHS Digital were forced to stop sharing patient data for immigration enforcement. And the Department for Education was criticised for a similar scheme in 2016.
The government is under immense pressure over its custody image database. The database contains 21 million shots of faces and identifying features, despite the fact that a 2012 High Court judgement found that keeping images of presumed innocent people on file was unlawful.
HMRC declined to confirm or deny they had been sharing the data, saying it risked prejudicing the prevention or detection of crime.