HMRC Voice ID Scheme ‘Breaks GDPR’, Claim Campaigners

An HMRC telephone identification system that has collected and analysed millions of taxpayers’ speech patterns may break new pan-European data protection laws, campaigners have alleged.

HMRC said its Voice ID system, launched last June, was “extremely popular”, and said users had the choice to opt out of it.

The campaign group Big Brother Watch accused HMRC of using “shady” methods to collect the voice prints, and said the programme was creating “biometric ID cards by the back door”.

The programme has collected 5.1 million audio signatures to date, according to HMRC figures obtained by Big Brother Watch through a freedom of information request.


Legal questions

The Information Commissioner’s Office (ICO) said it has opened an investigation into Big Brother Watch’s complaint.

The EU’s General Data Protection Regulation (GDPR), which came into force last month, requires organisations to obtain explicit consent before they use biometric data, including voice recordings, to identify someone.

When it launched Voice ID last year, HMRC said users could opt out of the system.

But Big Brother Watch said this option is far from obvious. According to the group, callers to HMRC’s tax credits or self-assessment helplines are asked to repeat the phrase “My voice is my password”, and must refuse three times before they’re connected with an operator.

If a caller repeats the phrase, it’s used in future to help identify them.

GDPR allows organisations to process users’ data without consent in some cases, such as if it is necessary for compliance with a legal obligation or to deliver a task in the public interest. Big Brother Watch claims this loophole doesn’t apply, since Voice ID is not essential for HMRC’s work.

‘Shady scheme’

Big Brother Watch director Silkie Carlos said there was a “distinct lack of transparency” around the scheme and said the size of the database already accumulated was “alarming”.

“These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives,” she said. “HMRC should delete the 5 million voiceprints they’ve taken in this shady scheme, observe the law and show greater respect to the public.”

HMRC said the programme was useful and secure.

“Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems,” it said in a statement. “The Voice ID data storage meets the highest government and industry standards for security.”

The agency said the data would only be used for authentication purposes, could not be traced back to an individual and would not be shared with other government departments.

The Home Office has said it plans to publish a framework for the use of biometric data in the public sector this month, four and a half years after it was originally due to be released.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
