The UK's tax collector - HM Revenue and Customs (HMRC) has been forced to delete the biometric voice records of five million people because they did not have clear consent from customers to have them in the first place, according to ZDNet.
HMRC uses the Voice ID biometric voice security system to make it easier for callers to fast-track security processes while discussing their account. The system promises to reduce wait times and prevent unauthorized people from accessing accounts.
The UK's data privacy watchdog, however - the Information Commissioner's Office (ICO) sways that HMRC failed to properly inform customers about how their biometric data would be processed, and did not allow them to give or withhold consent in a "breach of the General Data Protection Regulation," according to the ICO.
ICO Deputy Commissioner Steve Wood said "We welcome HMRC's prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service."
Under the GDPR, biometric data is subject to stricter conditions as it is placed in a special category of information.
"Innovative digital services help make our lives easier but it must not be at the expense of people's fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn't happen, the ICO will take action to protect the public," Wood added.
HMRC's the scheme was criticised last year by privacy campaigners Big Brother Watch who said there was no option for callers to opt out of the ID scheme, or have their voiceprint deleted. A complaint by Big Brother Watch prompted the ICO investigation.
HMRC has written to the Information Commissioners Office (ICO) and said it will now only keep Voice ID enrolments where it holds explicit consent. That accounts for around 1.5 million customers, who have used the service since HMRC introduced changes in October 2018 to comply with GDPR requirements. -ZDNet
HMRC will now delete all records where they do not have explicit consent by June 5th, 2019 - a deadline set by the ICO.
According to Silkie Carlo, director of Big Brother Watch, "To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law."
HMRC CEO Jonathan Thompson said "These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent."
Of note, there are around 30 million taxpayers in the UK.
The agency will still continue to use Voice ID, which has shown to be popular with customers.
"HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes," added Thompson.