HMRC Hit With an Enforcement Notice From the ICO

Following a complaint, the Information Commissioner’s Office (ICO) has launched an investigation into HMRC for GDPR discrepancies.

The tax collector had apparently collected large amounts of biometric data in the form of voice recordings. The Voice IDs were used to speed up incoming customer calls. To register, individuals were required to repeat the phrase “my voice is my password”, and the resulting Voice ID could then be used to confirm their identity as they managed their taxes. The problem, though, was that users had no choice to opt out.

After concluding its investigation, the ICO decided not to impose a fine, as it judged that the infringement was not likely to cause any person “damage or distress”. It has, however, served HMRC with an enforcement notice, for which the cost of non-compliance may reach £17 million or 4% of its global annual turnover.

After the ICO launched its investigation, HMRC was given a deadline before 5 June 2019 to delete 5 million Voice IDs where explicit consent was not received or for accounts that have not used the service since creating the ID. HMRC will still keep about 1.5m Voice IDs and will continue to use the system, but in line with GDPR rules and its own published privacy policy.

This is the first enforcement action taken in relation to biometric data since the advent of GDPR, which, for the first time, specifically identifies biometric data as special category data that requires greater protection.
