HMRC (Her Majesty's Revenue and Customs) has been issued with an enforcement notice for collecting, retaining and using customers' biometric data in breach of the data protection rules.
The Information Commissioner's Office (ICO) launched an investigation after it received a complaint about HMRC's use of voice authentication for caller verification on some of its helplines.
As you may be aware, the GDPR specifically lists biometric data as special category personal data. The characteristics of a voice constitute biometric data, which means individuals should be given sufficient information about the processing of their biometric data and the opportunity to give or withhold their consent.
The enforcement notice gave HMRC a deadline to do the following:
- Delete all biometric data it holds under the Voice ID system for which it does not have explicit consent.
- Require its suppliers who operate, manage or are involved in the Voice ID system to delete all the biometric data that they process under the Voice ID system for which they do not have explicit consent.
This action demonstrates the importance of carefully considering how you process customers’ personal data to ensure you are compliant with the GDPR.