HMRC’s Taxpayer Voice ID Database Could Breach GDPR Rules

The HMRC has amassed a database of 5.1 million UK taxpayers’ voice IDs without their consent, potentially contravening the GDPR, a leading rights group has claimed.

Big Brother Watch argued that when individuals call the tax credits and self-assessment helplines they are asked to create a voiceprint which will be used to identify them in future.

However, although the tax office claims that “they can choose to opt-out and continue to use HMRC’s services in the usual way if they prefer,” the reality is very different, according to the privacy group.

“Upon calling HMRC’s self-assessment helpline we were met with an automated system. After the account verification questions, the system demanded that we create a voice ID by repeating the phrase ‘my voice is my password’,” it explained in a blog post.

“Far from ‘encouraging’ customers’, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a government database.”

The only way to avoid creating the voice ID is apparently to say “no” three times — something most users wouldn’t think to do.

Big Brother Watch claimed the system may break the law because it doesn’t obtain explicit consent from users in the form of a positive opt-in, as required by the GDPR.

Under the European privacy law, now part of UK law in the form of the Data Protection Act 2018, individuals should have a 'right to erasure', meaning the HMRC has to delete their voice ID if requested.

However, the Big Brother Watch investigation concluded that HMRC doesn’t have an accessible process to do so. Although taxpayers can de-select the use of their voice ID as a security check, they can’t have the ID itself deleted from the government database.

“We sent HMRC a Freedom of Information request, asking how an individual could securely delete their voice ID and use the usual method to access the helpline. Disturbingly, HMRC refused to answer our question under FOIA Exemption s31 (1) (a) — prejudice to the prevention or detection of crime,” the group claimed.

“This suggests that taxpayers’ voiceprints are being used in ways we do not know about.”

The ICO is said to be investigating the case.

What’s Hot on Infosecurity Magazine?