The UK's tax authority is to delete the biometric voice records of five million people because it did not have clear consent from its customers to have those files.
HM Revenue and Customs (HMRC) uses the Voice ID biometric voice security system to make it easier for callers to pass its security processes when discussing their account. It says using the system will reduce the time it takes to speak to an advisor and will help prevent anyone else accessing accounts.
But the UK's data privacy watchdog the Information Commissioners Office (ICO) said that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. "This is a breach of the General Data Protection Regulation," the ICO said.
SEE: IT pro's guide to GDPR compliance (free PDF)
Steve Wood, deputy commissioner at the ICO, said: "We welcome HMRC's prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service."
Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.
"Innovative digital services help make our lives easier but it must not be at the expense of people's fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn't happen, the ICO will take action to protect the public," Wood said.
HMRC's scheme was criticised last year by privacy campaigners Big Brother Watch who said there was no option for callers to opt out of the ID scheme, or have their voiceprint deleted. A complaint by Big Brother Watch prompted the ICO investigation.
HMRC has written to the Information Commissioner's Office (ICO) and said it will now only keep Voice ID enrolments where it holds explicit consent. That accounts for around 1.5 million customers, who have used the service since HMRC introduced changes in October 2018 to comply with GDPR requirements.
SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)
It will now have to delete all records where it does not hold explicit consent and said it will complete that work before the 5th June 2019 deadline set by the ICO.
Director of Big Brother Watch Silkie Carlo, said: "To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law."
"These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent," said Jonathan Thompson, HMRC CEO. There are around 30 million taxpayers in the UK, showing the scale of the work the HMRC has to do.
But he said the agency would continue to use Voice ID, which he said was popular with customers. "HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes," he said.