HMRC forced to delete 5 million voice records after GDPR gaffe

HMRC (HM Revenue and Customs) has been told to delete more than five million people’s voice records after it was discovered that the way the information was collected breached the GDPR (General Data Protection Regulation).

The UK’s tax authority didn’t give individuals the option to opt out of a scheme in which it used voice records as part of its audio verification system.

Steve Wood, the deputy commissioner of the ICO (Information Commissioner’s Office), the UK’s data protection regulator, said there had been a “significant” breach of data laws.

What was HMRC’s mistake?

The civil liberties group Big Brother Watch was the first to raise the alarm about a potential GDPR breach at HMRC, complaining that people who phoned the organisation were “railroaded” into using a voice ID system.

The system verifies a person’s identity over the telephone by requiring them to utter the phrase “my voice is my password”. For this to work, HMRC needs to store a recording to compare with the person on the other end of the line. However, it didn’t obtain the information appropriately.

The trouble with consent

According to the ICO, HMRC’s failing was that it didn’t obtain explicit consent to record individuals’ voices (a form of biometric data, which the GDPR considers a special category of personal data).

However, organisations that process personal data should be aware that consent isn’t always the best lawful basis to rely on.

Of the six lawful grounds that organisations can use to collect personal data, consent is the least reliable, because any time a data subject withdraws consent, the organisation would have to remove any information related to them.

Organisations should therefore use one of the following where possible:

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
  • Compliance with a legal obligation: when you need to process personal data to meet other legal requirements.
  • Vital interests: when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as educational institutions, government departments, hospitals and the police.
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it’s not outweighed by negative effects on the individual’s rights and freedoms.

Things are a little more complicated when it comes to special categories of data, because organisations also need to identify a special category condition for processing (comprising the same six grounds plus four others).

Explicit and free

This incident is the perfect example of how difficult it can be to get and keep consent. HMRC relied on it as a lawful basis but failed to give individuals an alternative if they didn’t want to provide their voice for the audio verification scheme.

This breaches the GDPR’s requirements that consent be given explicitly and freely. In other words, individuals need to perform a clear affirmative action for consent to be valid (such as signing an agreement or saying “Yes, I consent to this processing”), and there should be no negative consequences if they don’t consent.

HMRC will continue to use our voices

The ICO has issued HMRC with an enforcement notice, giving it until 5 June to delete all voice records that were obtained illegitimately. If HMRC complies, no fine will be levied. That seems likely, given that HMRC has said it has already begun to delete files.

However, this doesn’t signal the end of HMRC’s voice ID system. The organisation changed the way it obtained consent in October 2018, which the ICO says now complies with the GDPR.
