The data protection watchdog in the U.K. has found that Her Majesty’s Revenue and Customs (HMRC) collected millions of biometric voice data from citizens without their consent, according to a report.
The HMRC was sent a notice to delete the voice records on May 9, and it has 28 days from that date to do so. The affected records are those that did not collect specific consent to record biometric data to identify a person.
The voice ID system was put into place in January of 2017. Callers would contact a helpline and record a phrase in their voice to use as a password. The system was criticized for not informing citizens that they didn’t have to agree to participate.
HMRC will have to delete around five million voice records, and can only keep the ones for which it received permission. The move was triggered by a complaint from privacy advocacy group Big Brother, which ran a campaign questioning HMRC’s methods.
The Information Commissioner’s Office (ICO) conducted the investigation after receiving the complaint, and found that the tax office collected the data illegally.
“Innovative digital services help make our lives easier, but it must not be at the expense of people’s fundamental right to privacy,” said Deputy Commissioner Steve Wood. “(Organizations) must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
Wood noted that his organization will conduct a larger audit of HMRC’s practices to determine whether they are in line with data protection rules.
“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights [are] addressed alongside any organizational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data,” Woods wrote, saying that biometric data should be used “in a fair, transparent and accountable way.”