The HMRC has been handed an enforcement notice by the UK’s privacy watchdog after contravening the GDPR over collection of biometric data from taxpayers.
In the first case of its kind since the EU-wide legislation was introduced, the Information Commissioner’s Office (ICO) called out the government agency over its Voice ID authentication system.
A complaint from rights group Big Brother Watch had argued that callers to the HMRC helpline were not given enough information about the service, there was no option to opt-out, and consent was not properly obtained from them to record their voice biometrics.
The commissioner claimed in her judgement that there was a significant imbalance of power between organization and individual, that a data protection impact assessment (DPIA) was not in place before the system launched, and that HMRC gave “little or no consideration to the data protection principles when rolling out the Voice ID service.”
The HMRC has now been ordered to delete any data it holds on taxpayers which was obtained without their consent.
Although the scale of the infringement was great — with over seven million voice records saved — the ICO decided not to impose a fine because it judged that the contravention was not likely to cause any person “damage or distress.” It also noted the HMRC’s retrospective attempts to obtain explicit consent from users.
If the HMRC refuses to comply with the enforcement notice, the ICO has the power to fine it the maximum GDPR penalty of £17m or 4% of global annual turnover.
“This is the first enforcement action taken in relation to biometric data since the advent of GDPR when, for the first time, biometric data was specifically identified as special category data that requires greater protection,” said ICO deputy commissioner for policy, Steve Wood.
“Our guidance on informed consent provides advice for organizations planning to use these kinds of systems and we are currently developing our guidance on biometric data.”