HMRC launched its Voice ID service in January 2017 with the aim of creating a voice recognition system to act as a secure password for its customers. Customers were asked to repeat a set phrase in order to join the service. The ICO concluded that personal data from approximately 7 million individuals was unlawfully collected over the period from January 2017 to October 2018.
An individual's voice pattern is classed as "biometric data" for the purpose of the General Data Protection Regulation ("GDPR"). Biometric data falls within the special categories of personal data, and is therefore subject to stricter requirements than other personal data. As with any personal data, an organisation is required to have a lawful processing ground under the GDPR for dealing with special category personal data, but the grounds for processing special category data have higher thresholds to meet. For example, for HMRC to be able to rely on the data subject's consent to process biometric data, the data subject must give explicit consent. The ICO stated that consent of the data subject was the only potentially relevant condition for HMRC to rely on, and as there was no clear method of opting out and customers were not informed that they did not have to sign up, explicit consent had not been obtained by HMRC in these circumstances.
As HMRC did not have a lawful basis for processing biometric data, it was in breach of the GDPR which requires data to be processed lawfully, fairly and in a transparent manner.
HMRC attempted to contact the individuals whose data it had collected, but only received responses from approximately 1.25 million of those affected. About 20% of those who responded withheld their consent for HMRC to continue processing their data. HMRC deleted some records of those data subjects who withheld consent, but continued to be in breach of the GDPR not only by retaining the records of some data subjects who had expressly withheld consent, but also by retaining the records of the data subjects who had not responded at all.
The ICO found that as the requirement to have a lawful processing ground was "a matter of central importance to data protection law," the breach of these GDPR obligations by HMRC was significant enough to warrant enforcement action to ensure HMRC complies with them. The ICO therefore required HMRC to take the following steps within 28 days:
- delete all biometric data in relation to the Voice ID system for the data subjects who had not given explicit consent; and
- require any suppliers who operate, manage or are involved in the Voice ID system to delete any biometric data for which it does not hold explicit consent.
Failure to comply with the enforcement notice would potentially lead to a fine of up to €20,000,000 or 4% of HMRC's worldwide turnover (whichever is higher).
This enforcement action serves as a reminder of the importance of having a lawful basis for processing personal data, and in particular of the stricter requirements for processing special category personal data. (For further information and guidance on identifying the correct processing ground, please click here)
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.