Following a recent review by the Information Commissioner's Office (ICO), HMRC has been found to have breached the General Data Protection Regulation (GDPR) through its use of voice authentication (Voice ID) for customer verification on some of its helplines.

In connection with the Voice ID system, the ICO found that HMRC had not given taxpayers the chance to give or withhold their consent for their data to be held, nor had it given them sufficient details about how their data would be processed. This was in violation of GDPR, which was introduced in May 2018 and which includes the power for the ICO to levy hefty fines. HMRC was issued with a preliminary enforcement notice in early April 2019 and a final notice on 9 May 2019.

The government has confirmed that HMRC will only retain Voice ID enrolments where it holds explicit consent from taxpayers (estimated to be 1.5m taxpayers). It intends to delete all records where no such consent is held by the ICO deadline of 5 June 2019. HMRC estimates that around 5 million taxpayers need to have their records deleted.

Sir Jonathan Thompson, the HMRC Chief Executive, drawing attention to HMRC’s published privacy notice which now makes it clear that HMRC will not use voice identification data for any other purposes, has said that he is satisfied that HMRC should continue to use Voice ID as it is popular, is a more secure way of protecting customer data, and enables HMRC to get callers through to an adviser faster.

Links to our guides:

GDPR: General Data Protection Regulation

External links:

ICO Final enforcement notice

HMRC Privacy Notice