The U.K. privacy advocacy group Big Brother Watch published a report about the biometric data — specifically voice data — collection practices of HM Revenue and Customs (HMRC). The report shows that HMRC, the U.K.’s tax authority, which offers a number of services to citizens, has collected 5.1 million taxpayers’ voiceprints as part of its new voice identification (voice ID) policy. According to the report, HMRC has apparently yet to meet the lawful processing requirements set out by the current U.K. Data Protection Act (DPA) and the EU’s General Data Protection Regulation (GDPR).
HMRC adopts new technology reliant on biometric data
In January 2017, HMRC modernized its call-in helplines with voice ID, a unique voiceprint that can identify an individual. Customers can enroll by calling in and saying a phrase up to five times. The voice recordings are analyzed and stored, and are then used to authenticate a customer’s identity on subsequent calls. HMRC has stated that this process is voluntary and that any user can opt out and still use its services normally.
However, Big Brother Watch reported that the HMRC system repeatedly asks users to create their “voice ID” without telling them how to opt out of the service. The automated system reportedly kept asking users for a voice ID until one was created. Big Brother Watch also discovered by trial that saying “No” to the system three times allows the caller to postpone voice ID collection. In addition, members of the privacy group tried to have their voice ID data erased from the HMRC database, but it was not clear whether erasure was possible. The right to have one’s data modified or deleted is an essential right granted to users under the new privacy regulations.
Big Brother Watch has filed a formal complaint with the U.K.’s Information Commissioner’s Office (ICO), an independent authority that upholds information rights and that can fine organizations not compliant with the DPA. The ICO is currently investigating the issue.
Rights under the GDPR and the DPA
Big Brother Watch cited several areas where HMRC has not met the GDPR’s and DPA’s requirements. Under the U.K.’s recently adopted DPA and the EU’s GDPR, processing and handling biometric data such as voiceprints is allowed only if strict requirements are met. The organization must provide a legal basis for the data processing, ensure that user consent is given, and ensure that the data is stored securely. These regulations also grant users more control over their data and assure them of more rights. Organizations dealing with personal data, and biometric data in particular, are required to overhaul their policies to satisfy the regulations’ requirements.
As Big Brother Watch reported, organizations like HMRC must provide a lawful basis for data collection and processing. Otherwise, they must obtain explicit consent from users. In this context, “consent” is based on a user’s understanding of what data is collected and for what purpose. Users need to know details such as how the data will be stored and who will have access to it. Active opt-in to providing personal data should be the default — consent cannot be assumed or treated as the default. For biometric data such as voice ID, the rules for consent and processing are even more stringent.
While HMRC’s case is pending investigation by the ICO, organizations in both the private and public sectors should stay up to date with compliance-related news.
For more information about the GDPR and other data protection regulations, visit our resource center. Companies and organizations still on their journey towards compliance will find guides, thought leadership pieces, and videos on how to navigate data protection legislation effectively.