The Information Commissioner's Office (ICO) has issued Her Majesty's Revenue and Customs (HMRC) with an enforcement notice for collecting, retaining and using customers' biometric data in breach of the General Data Protection Regulation (GDPR).
The ICO launched an investigation after it received a complaint about HMRC's use of voice authentication for caller verification on some of its helplines. The characteristics of a voice constitute biometric data, which is classed as special category personal data under the GDPR. As such, the individual must be given sufficient information about the processing of their biometric data and the opportunity to give or withhold their consent.
The enforcement notice requires HMRC to do the following:
- Delete all biometric data it holds under the Voice ID system for which it does not have explicit consent.
- Require its suppliers who operate, manage or are involved in the Voice ID system to delete all the biometric data that they process under the Voice ID system for which they do not have explicit consent.
Interestingly, this is the first enforcement action taken in relation to biometric data since the introduction of the GDPR in May 2018, which specifically identifies biometric data as special category data.
At Markel Law we regularly comment on SME-related matters.
An ICO investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct. The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017. The ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of the General Data Protection Regulation.