'Voice records for more than five million taxpayers were obtained unlawfully by the taxman, a watchdog has ruled.
HM Revenue & Customs failed to properly alert callers they were being signed up to a service that would use their voice to verify their identity when making an inquiry.
The Information Commissioner’s Office (ICO) ruled this was a major breach of privacy law. HMRC will be served a final enforcement notice next week, giving the taxman 28 days from that date to delete the records.
Voice recognition software replaces the need for passwords and is thought to be more secure.
It is increasingly used by major banks, including HSBC and Santander. But customers must give firm permission before they are allowed to store a recording.
Taxpayers have been allowed to use it on some HMRC helplines since 2017, including child benefit, tax credits, self-assessment, taxes and national insurance. Customers must repeat the phrase: ‘My voice is my password’ to register.
But the taxman had not given customers sufficient information about how the biometric data would be processed and failed to give them the chance to give or withhold consent.
This was a breach of the General Data Protection Regulation, which came into force in 2018, the ICO said.
Silkie Carlo, of campaign group Big Brother Watch, which alerted the ICO to the breach, said: ‘This sets a vital precedent for biometrics collection and the database state, showing no government department is above the law.’
A HMRC spokesman said: ‘We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.
‘Over 1.5million people who have phoned HMRC since have told us they want to continue using the service and we’re already deleting the records of those who haven’t.’
The spokesman added that the data was stored in the UK and not shared with any other organisations.'
Source - Mail