The UK privacy regulator, the Information Commissioner’s Office (“ICO”) has recently found Her Majesty’s Revenue and Customs (“HMRC”) liable for a “significant” breach of the GDPR relating to the collection of consents with respect to biometric data. The enforcement action is a timely reminder that a higher standard of (explicit) consent is required with respect to so-called special category data (including biometric data). However, the enforcement action is also interesting because the ICO chose not to fine HMRC but to instead require certain action to be taken (namely the deletion of records), demonstrating that GDPR enforcement is not necessarily all about big monetary penalties.
HMRC tried to make its helpline more efficient by allowing individuals to use a voice recognition system (i.e. by saying the phrase “my voice is my password” on the phone) in lieu of more traditional security checks (i.e. an operator asking for your date of birth or postcode). The voice recognition scheme launched in 2017 and by October 2018, HMRC had changed the way it gathered consent from individuals. Before this change, five million individuals had signed up to the voice recognition system.
Voice samples, which are classified under the GDPR as biometric data and therefore special category data, require explicit consent from individuals to allow organisations – public or private – to collect them. The ICO stated that HMRC seemed to have given “little or no consideration” to data protection legislation when creating and rolling out its voice recognition system, and that HMRC had not given individuals enough information relating to how HMRC would process this personal data.
HMRC have since said that they will delete the voice samples of those among the affected five million individuals who have not used the service since HMRC changed their procedure for gathering consent, and of those who have not explicitly consented to their personal data being used for the HMRC Voice ID system.
The ICO categorised this failure to collect adequate consent as a “significant breach of data protection law”. However, interestingly, the ICO opted to require HMRC to delete the relevant data by 5 June 2019, and, provided HMRC does so, no fine will be levied against it. As we are all aware, the potential fines which supervisory authorities can levy against organisations held to be in breach of the GDPR are significant, so the measure of enforcement which the ICO has chosen to apply to this controller organisation is worth noting.
That said, it is notable and important that the ICO have found a public authority in breach of the GDPR. This decision serves as an important reminder that the GDPR applies to public bodies as much as it does to private organisations – and gives an interesting early insight into the ICO’s approach to levying fines and enforcements in a post-GDPR world.
Following the enforcement, the data protection officer for HMRC, Sir Jonathan Thompson, has written this letter to the ICO (which he has also made public for reasons of transparency), in which he affirms that HMRC’s Voice ID system will continue to be made available to customers after such customers have given GDPR-compliant consent.