Some 5 million HMRC voice ID records are to be deleted after regulators ruled that a “significant” breach of data protection law had taken place over the use of the “my voice is my password” system.
The UK’s data watchdog, the ICO (Information Commissioner’s Office), has given the government until next month to remove data collected without proper content from millions of taxpayers. Although some people have since opted in for the system, the data for those collected and retained without proper consent is to be removed.
The issue has raised concerns over the government’s own ability to adhere to important data protection laws, with the ICO critical of HMRC’s behaviour.
About the HMRC voice ID data breach
The HMRC voice ID system that has been deemed to have breached important data protection laws arises from the use of their “my voice is my password system”.
After concerns were raised by privacy campaigners, the ICO found that a “significant breach of data protection law” had taken place. People had not been given an option to opt-out and essentially had no choice but to sign-up to the system, and explicit consent had not obtained.
The ICO were critical in this case, saying that:
“HMRC appears to have given little or no consideration to it with regard to its voice ID service”. This is incredibly worrying.
5 million HMRC records to be deleted
Following the finding of a breach, some 5 million HMRC voice ID records are to be deleted. This has been hailed as a win for privacy advocates, with Big Brother Watch saying:
“This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”
We fully agree, and no one should be above the law. But the worrying thing for us is the fact that HMRC is in this predicament in the first place. We represent a huge number of people who are claiming for council data breach compensation because of how often those kinds of breaches occur. Central and local government departments have been at the heart of many data breaches, and we would expect those kinds of organisations to be the pioneers of good data protection practices.
The HMRC voice ID issue may be one of many that will come to light as scrutiny over how data is used and processed continues to grow. With the “my voice is my password” system appearing to have been implemented with little regard for data protection rules, we have every reason to be concerned about how data that’s collected without proper consent is secured as well.
If it even is…