UK tax agency said to have collected 5.1 million biometric voiceprints without explicit consent
The UK tax agency has collected 5.1 million biometric voice records through its Voice ID authentication service since January 2017, according to a report by Big Brother Watch.
Her Majesty’s Revenue and Customs (HMRC) said it would allow callers to opt out when it announced the service, but it does not present any such option to British taxpayers calling the agency’s self-assessment helpline. Instead, it asks users to repeat the phrase “my voice is my password,” though Big Brother Watch discovered through investigation that it is possible to avoid providing the biometric record by saying “no” three times at certain points in the process.
The first two times the user says “no,” the system responds: “Sorry, it’s important you repeat exactly [emphasis in recording] the same phrase. Please say ‘My voice is my password,’” Big Brother Watch reports.
“The EU General Data Protection Regulation (GDPR), incorporated in UK law through the Data Protection Act 2018, prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless there is a lawful basis under Article 6,” Big Brother Watch says in the report. “However, because voiceprints are such sensitive data – and voice IDs are not necessary for dealing with tax issues – HMRC must also request the explicit consent of each taxpayer to enrol them in the scheme, as required by Article 9 of GDPR. However, HMRC has in fact railroaded taxpayers into this unprecedented ID scheme. On our analysis, that means HMRC must now delete this giant biometric database.”
The privacy group has filed a formal complaint with the Information Commissioner’s Office (ICO), which is investigating. While the number of Voice ID records was revealed by HMRC in response to requests filed under the Freedom of Information Act (FOIA), the agency did not disclose whether the records are shared with third parties or other government agencies, or how users could have their records deleted from the database.
“HMRC’s voiceprint scheme appears to be almost surreptitious, failing to meet basic data protection principles,” said Privacy Matters Director and data protection law expert Pat Walshe. “The non-transparent manner of harvesting people’s data and significant questions of lawfulness are troubling. Given the significant number of citizens involved, and the potential for broader use of biometric voiceprints by government agencies, the ICO could issue a notice requiring the temporary suspension of the scheme.”
“Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems,” an HMRC spokesperson responded. “The Voice ID data storage meets the highest government and industry standards for security.”
The use of biometrics by the UK’s Home Office and police has drawn criticism for a lack of clear governance rules and slow oversight procedures.