My voice is my password
HMRC has collected more than 5.1m recordings of taxpayers’ voices through its telephone services without consent.
HMRC launched the Voice ID scheme last year enabling customers calling the Tax Credits and Self Assessment helplines to enrol for voice identification in order to speed up security steps for customers calling HMRC.
When a customer calls HMRC for the first time, they are asked to repeat a vocal passphrase up to five times and then be passed back to an adviser to complete their call. The recorded passphrase is stored by HMRC and the customer can use their voice to confirm their identity when calling HMRC in the future.
As the Voice ID scheme does not allow callers to opt out of saying the phrase or to delete their recording, HMRC are breaching UK data protection laws. Following the recent implementation of the EU General Data Protection Regulation (GDPR), companies are prohibited to process biometric data for the purposes of uniquely identifying a person unless the individual in question gives their express consent or the processing of biometric data in those circumstances is either in the public interest or done in order to comply with a legal obligation.
Since the launch of the Voice ID scheme, HMRC has collected more than 5.1m ‘voiceprints’. The customers who have signed up to this scheme have not been informed which other government departments HMRC has shared the voice recordings with, or how their voice recordings are stored and used. Furthermore, they have not been given control over the voice recording, namely control of actually giving a voice recording, the choice to opt out or delete the recording.
The human rights group Big Brother Watch has registered a formal complaint with the Information Commissioner’s Office and has argued that HMRC must obtain the consent of their customers before enrolling them in the Voice ID scheme.