It has been just over a month since the GDPR deadline passed in a whirlwind of consent requests and preference updates, but HMRC has already fallen foul of the new rules.
HMRC has revealed, in response to Freedom of Information requests, that it has taken 5.1 million taxpayers' biometric voiceprints through its VoiceID scheme since January 2017. This data was collected under implied consent, with alternative methods of identification not clearly promoted. Investigation has also suggested that users can’t easily access or delete their records.
The issue has been brought to light by the advocacy group Big Brother Watch, which has submitted a complaint to the Information Commissioner’s Office (ICO) about this data harvesting.
Real choice and control
Big Brother Watch has various issues with HMRC’s process, which serve as a timely reminder of the importance of getting GDPR right.
Voiceprints are sensitive data and are not necessarily required for dealing with tax data, so the complaint to the ICO has asked whether the data being collected is appropriate. Any personal data held must be limited to what is necessary, and you must be clear about what you are collecting and why.
There was no way of offering consent to data gathered under HMRC’s VoiceID scheme, and there was also no clear way to opt out and use another form of identification. Users could skip the process by saying ‘No’ three times, but would then have to go through the same process the next time they called.
Consent means offering individuals a real choice and control, so when gathering data you need to make sure you are not using implied consent. You also need to be sure you can meet the right to erasure – all individuals have the right to be forgotten, so you must be able to locate and delete any data you collect.
An organisation as large as HMRC being caught out serves as a timely reminder to make sure your GDPR processes meet the ICO’s principles.