Big Brother Watch hails ICO decision as HMRC forced to delete five million voice IDs

Her Majesty’s Revenue and Customs (HMRC) has been forced by the Information Commissioner’s Office (ICO) to delete the voice IDs for no less than five million taxpayers from its database, with civil liberties campaigner Big Brother Watch hailing the news a “massive success”.

Silkie Carlo, director of Big Brother Watch, asserted: “This decision restores the data rights for millions of ordinary people around the country. To our knowledge, it’s the biggest-ever deletion of biometric IDs from a state-held database and sets a vital precedent for biometrics collection and the database state going forward, showing that campaigners and the ICO alike have real teeth. No Government department is above the law.”

In June last year, a Big Brother Watch investigation revealed that HMRC had accumulated a little-known database of 5.1 million taxpayers’ voice prints from callers to its helplines without their consent. The Government scheme not only broke taxpayers’ trust, but it also breached their data protection and privacy rights.

According to Big Brother Watch: “HMRC was building a biometic ID database by the back door – the largest state-held voice database in the world.”

Big Brother Watch handed its investigation findings to the Information Commissioner and formally requested that the ICO conduct an investigation. An investigation subsequently began.

Six-month review

In January this year, Big Brother Watch then conducted a six-month review using Freedom of Information requests. It found that HMRC had updated its system such that callers who had previously been “railroaded” into the ID scheme were then offered the option to delete their voice print.

Big Brother Watch also found that the scheme had suffered a huge public backlash. Within months, 160,000 individuals had exercised the option to delete their voice records from the Government database.

At the time, Big Brother Watch cautioned that this change wasn’t enough. Silkie Carlo commented: “Now it’s down to the ICO to take robust action and show that the Government isn’t above the law. HMRC took millions of voice IDs without taxpayers’ legal consent. The only satisfactory outcome is for those millions of voice IDs to be deleted.”

The latest announcement from the ICO marks one of the most robust enforcement actions the Information Commissioner has taken against a Government department.

Giving or withholding consent

During its thorough investigation, the ICO found that HMRC had failed to give customers sufficient information about how their biometric data would be processed and also failed to afford them the chance to give or withhold consent. This is a breach of the EU’s General Data Protection Regulation.

The ICO issued a preliminary enforcement notice to HMRC on 4 April this year stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the voice ID system for which it doesn’t have explicit consent. The ICO then issued its final enforcement notice giving HMRC 28 days to complete the deletion process for all relevant records.

Steve Wood, deputy Information Commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law. HMRC appears to have given little or no consideration to it with regard to its voice ID service. Innovative digital services help make our lives easier, but this must never be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from individuals about how their information will be used. When that doesn’t happen, the ICO will take action to protect members of the public.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts