If you weren’t already convinced GDPR was a bit of a shambles, this week HM Revenue and Customs (HMRC) made headlines for allegedly storing the biometric data of millions of UK taxpayers without permission.
As part of its Voice ID system, users can log into their tax accounts over the phone by saying the phrase “My voice is my password”. Having already recorded this phrase when callers register, the system then matches the voice to the stored data to authenticate the user. It’s quick, convenient and generally secure against casual fraud.
But it also opens a whole can of data protection worms. According to campaign group Big Brother Watch, the Voice ID system violates GDRP because callers are not given the choice to opt out
“These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives,” Silkie Carlo, director of Big Brother Watch, told the BBC. HMRC, she said, should “delete the five million voiceprints they’ve taken in this shady scheme”.
In its defence, an HMRC spokesperson said that identifying details were stored separately from the audio recordings, and that the service was popular with customers. That may be the case, but the GDPR does say that explicit consent is required before using biometric information to identify people, and the Information Commissioner’s Office (ICO) has said it’s following up on complaints about the Voice ID service.
This could end badly for the taxman.
Whatever comes next, this case is a stark reminder that even public sector bodies are struggling to navigate the complexities of the UK’s data laws. Just a few months prior to this, the Crown Prosecution Service was fined £325,000 for losing interview footage of child sex abuse victims. Before that, Kensington and Chelsea council was fined for sharing the identities of 943 property owners, after journalists requested the information under the Freedom of Information Act. And this month, Gloucestershire Police had to pay £80,000 for sending a bulk email to child abuse victims, adding all their email addresses to the ‘To’ field, instead of the ‘BCC’ section, meaning everyone who got that email could see all the other recipients’ email addresses.
These organisations, and ones like them, enforce our laws and determine the public’s relationship with the state. If they can’t get data protection right, what chance do the rest of us have?
Follow us on social media. We're on Twitter, Facebook and LinkedIn.