An ICO investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct. The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017.
The ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent in breach of the General Data Protection Regulation. Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.
HMRC has 28 days from the date of issue of the enforcement notice to complete deletion of relevant records. To read the ICO’s announcement in full, click here.