Her Majesty’s Revenue and Customs (HMRC) has been forced by the Information Commissioner’s Office (ICO) to delete the voice IDs for no less than five million taxpayers from its database, with civil liberties campaigner Big Brother Watch hailing the news a “massive success”.
Silkie Carlo, director of Big Brother Watch, asserted: “This decision restores the data rights for millions of ordinary people around the country. To our knowledge, it’s the biggest-ever deletion of biometric IDs from a state-held database and sets a vital precedent for biometrics collection and the database state going forward, showing that campaigners and the ICO alike have real teeth. No Government department is above the law.”
In June last year, a Big Brother Watch investigation revealed that HMRC had accumulated a little-known database of 5.1 million taxpayers’ voice prints from callers to its helplines without their consent. The Government scheme not only broke taxpayers’ trust, but it also breached their data protection and privacy rights.
According to Big Brother Watch: “HMRC was building a biometic ID database by the back door – the largest state-held voice database in the world.”
Big Brother Watch handed its investigation findings to the Information Commissioner and formally requested that the ICO conduct an investigation. An investigation subsequently began.
In January this year, Big Brother Watch then conducted a six-month review using Freedom of Information requests. It found that HMRC had updated its system such that callers who had previously been “railroaded” into the ID scheme were then offered the option to delete their voice print.
Big Brother Watch also found that the scheme had suffered a huge public backlash. Within months, 160,000 individuals had exercised the option to delete their voice records from the Government database.
At the time, Big Brother Watch cautioned that this change wasn’t enough. Silkie Carlo commented: “Now it’s down to the ICO to take robust action and show that the Government isn’t above the law. HMRC took millions of voice IDs without taxpayers’ legal consent. The only satisfactory outcome is for those millions of voice IDs to be deleted.”
The latest announcement from the ICO marks one of the most robust enforcement actions the Information Commissioner has taken against a Government department.
Giving or withholding consent
During its thorough investigation, the ICO found that HMRC had failed to give customers sufficient information about how their biometric data would be processed and also failed to afford them the chance to give or withhold consent. This is a breach of the EU’s General Data Protection Regulation.
The ICO issued a preliminary enforcement notice to HMRC on 4 April this year stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the voice ID system for which it doesn’t have explicit consent. The ICO then issued its final enforcement notice giving HMRC 28 days to complete the deletion process for all relevant records.
Steve Wood, deputy Information Commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law. HMRC appears to have given little or no consideration to it with regard to its voice ID service. Innovative digital services help make our lives easier, but this must never be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from individuals about how their information will be used. When that doesn’t happen, the ICO will take action to protect members of the public.”