UK Government Agency Given GDPR Warning for Recording Caller Voices

In the UK, the Information Commissioner’s Office (ICO) has sanctioned Her Majesty’s Revenue and Customs (HMRC) with an enforcement action after it implemented a voice authentication service that asked callers to record their voice and use it as their password.

This service was introduced in January 2017 and has enrolled around 7 million customers to date. The Voice ID technology authenticates customers by their voice alone when they use HMRC’s helplines. Big Brother Watch, a non-profit, non-party British civil liberties and privacy campaigning organisation, brought the calls to the attention of the ICO.

According to the ICO, callers were advised there was a ‘quicker and more secure’ way of verifying their ID over the phone by using voice identification, but were not advised that they could opt out, nor given further information. The ICO website said: “In short, HMRC did not have adequate consent from its customers and we have issued an enforcement notice ordering HMRC to delete any data it continues to hold without consent. In the notice, the Information Commissioner says that HMRC appears to have given ‘little or no consideration to the data protection principles when rolling out the Voice ID service’.”

The ICO said that the characteristics of a person’s voice constitute biometric data, which HMRC processed for the purpose of identifying customers. Callers were then told to repeat “my voice is my password”, and the recordings were stored by HMRC.

The ICO has given HMRC until early June to delete all the biometric data it holds within its Voice ID system which was wrongly obtained. Steve Wood, Deputy Commissioner for Policy at the ICO, said: “While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data. The case raises significant data governance and accountability issues that require monitoring”.

Privacy advocacy groups such as Big Brother Watch are ensuring that all companies and groups are meeting the required standards under GDPR. Silkie Carlo, director of Big Brother Watch, said: “This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law”.

This course of events further highlights how important it is for every company and organisation to review every means and method that they use for gathering the personal data of their accounts, either within the European Union or around the world.