Following a complaint, the Information Commissioner’s Office (ICO) has launched an investigation into HMRC for GDPR discrepancies.
The tax collector had apparently collected large amounts of biometric data in the form of voice recordings. The Voice IDs were used to speed up incoming customer calls and required individuals to repeat the phrase “my voice is my password” to register, which could then be used to confirm their identity as they manage their taxes. What the problem was though, was that users had no choice to opt-out.
After concluding its investigation the ICO decided on not imposing a fine as it was judged that the infringement was not likely to cause any persons “damage or distress”. But they have served the HMRC with an enforcement notice, for which the cost of non-compliance may reach £17 million or 4% of their global annual turnover.
This is the first enforcement action taken in relation to biometric data since the advent of GDPR, which for the first time, specifically identifies biometric data as a special category data that requires greater protection.