New research from privacy watchdog Big Brother Watch has revealed that more than five million UK tax payers have had their biometric voice information captured by using the HMRC Voice ID phone service.
Users were not given an option to opt out of the data capture, but despite Freedom of Information requests, the department refuses to disclose which other government departments have access to the data, how the data is stored, whether a voice ID can be deleted or in which territory the data is located.
More worryingly, the legally mandated privacy impact assessment has also been withheld.
The Information Commissioner’s Office (ICO) is now investigating.
‘My Voice is My Password’
According to Big Brother Watch, millions of callers to the HMRC’s automated phone service have been required to repeat the phrase, “My voice is my password,” before being allowed to access services.
The automated service instructs callers, “I’ll need you to say exactly those words.” Callers who say “no” are repeatedly told by the automated line, “It’s important you repeat exactly the same phrase. Please say ‘My voice is my password’.” Only by saying no three times will the system move on, promising to capture your voice data on your next call.
The system is being used to supposedly simplify the identification process for callers to HMRC. The Voice ID technology converts the sound and rhythm of each person’s voice into a ‘unique identifying numerical pattern’, which will identify individual users in a similar fashion to a fingerprint.
However, Big Brother Watch says taxpayers are being “railroaded into a mass ID scheme” as there is no choice to opt in or out of the data capture, in a move which experts say breaches UK data protection laws.
According to Big Brother Watch:
The EU General Data Protection Regulation (GDPR), incorporated in UK law through the Data Protection Act 2018, prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless the there is a lawful basis under Article 6.
However, because voiceprints are such sensitive data – and voice IDs are not necessary for dealing with tax issues – HMRC must also request the explicit consent of each taxpayer to enrol them in the scheme, as required by Article 9 of GDPR.
However, HMRC has in fact railroaded taxpayers into this unprecedented ID scheme.
On our analysis, that means HMRC must now delete this giant biometric database.
A spokesperson for HMRC said:
“Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest government and industry standards for security.”
Despite this statement, doubts about the security of the system remain after a BBC journalist managed to fool the system in 2017, using his twin brother to mimic his voice.
Silkie Carlo, director of Big Brother Watch, said:
“Taxpayers are being railroaded into a mass ID scheme that is incredibly disturbing. The tax man is building Big Brother Britain by imposing biometric ID cards on the public by the back door.
“The rapid growth of the British database state is alarming. These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives. HMRC should delete the five million voiceprints they’ve taken in this shady scheme, observe the law and show greater respect to the public.”
Pat Walshe, data protection law expert and director of Privacy Matters, said:
“HMRC’s voiceprint scheme appears to be almost surreptitious, failing to meet basic data protection principles.
“The non-transparent manner harvesting of people’s data and significant questions of lawfulness are troubling.
“Given the significant number of citizens involved, and the potential for broader use of biometric voiceprints by government agencies, the ICO could issue a notice requiring the temporary suspensions of the scheme.”
Given the far greater penalties for non-consensual data collection and improper storage under GDPR, the consequences for HMRC could be severe.