
            The ICO takes Enforcement Action against HMRC

            On 9 May 2019 the UK Information Commissioner's Office (ICO) issued an enforcement notice against HM Revenue & Customs (HMRC), requiring it to delete personal data that was unlawfully obtained and processed in relation to HMRC's Voice ID service.

            Date: 25/06/2019

            HMRC launched its Voice ID service in January 2017 with the aim of creating a voice recognition system to act as a secure password for its customers.  Customers were asked to repeat a set phrase in order to join the service. The ICO concluded that personal data from approximately 7 million individuals was unlawfully collected over the period from January 2017 to October 2018.

            An individual's voice pattern is classed as "biometric data" for the purpose of the General Data Protection Regulation ("GDPR"). Biometric data falls within the special categories of personal data, and is therefore subject to stricter requirements than other personal data. As with any personal data, an organisation is required to have a lawful processing ground under the GDPR for dealing with special category personal data, but the grounds for processing special category data have higher thresholds to meet.  For example, for HMRC to be able to rely on the data subject's consent to process biometric data, the data subject must give explicit consent.  The ICO stated that consent of the data subject was the only potentially relevant condition for HMRC to rely on, and as there was no clear method of opting out and customers were not informed that they did not have to sign up, explicit consent had not been obtained by HMRC in these circumstances.

            As HMRC did not have a lawful basis for processing biometric data, it was in breach of the GDPR, which requires data to be processed lawfully, fairly and in a transparent manner.

            HMRC attempted to contact the individuals whose data it had collected, but only received responses from approximately 1.25 million of those affected. About 20% of those who responded withheld their consent for HMRC to continue processing their data.  HMRC deleted some records of those data subjects who withheld consent, but continued to be in breach of the GDPR not only by retaining the records of some data subjects who had expressly withheld consent, but also by retaining the records of the data subjects who had not responded at all.

            The ICO found that as the requirement to have a lawful processing ground was "a matter of central importance to data protection law," the breach of these GDPR obligations by HMRC was significant enough to warrant enforcement action to ensure HMRC complies with them.  The ICO therefore required HMRC to take the following steps within 28 days:

            1. delete all biometric data in relation to the Voice ID system for the data subjects who had not given explicit consent; and
            2. require any suppliers who operate, manage or are involved in the Voice ID system to delete any biometric data for which it does not hold explicit consent.

            Failure to comply with the enforcement notice would potentially lead to a fine of up to €20,000,000 or 4% of HMRC's worldwide turnover (whichever is higher).

            This enforcement action serves as a reminder of the importance of having a lawful basis for processing personal data, and in particular of the stricter requirements for processing special category personal data.


            How we can help

            We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits). 

            Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.

