
UK taxman has amassed voice profiles of 5.1 million taxpayers

Big Brother Watch questions legal basis for data retention


Campaign group Big Brother Watch has accused HMRC of creating ID cards by stealth after it was revealed the UK taxman has amassed a database of 5.1 million people's voiceprints.

The department introduced its Voice ID system in January 2017. This requires taxpayers calling HMRC to record a key phrase, which is used to create a digital signature that the system uses to unlock the right account when they phone back.

According to a Freedom of Information request, submitted by Big Brother Watch and published today, the department now has more than 5.1 million people's voiceprints on record.

However, the group argued that users haven't been given enough information on the scheme, how to opt in or out, or details on how their data would be deleted. The FoI revealed that no customers have opted out in the 30 days to 13 March, but the department refused to set out exactly how the erasure process would work.

Director Silkie Carlo said that taxpayers have been "railroaded into a mass ID scheme" and that the government was "imposing biometric ID cards on the public by the back door".

The FoI response also raises questions about the lawfulness of the collection and storage of the data, and whether it is in line with the General Data Protection Regulation that came into force on 25 May.

Under the GDPR, a system that allows people to be identified by their voice would likely meet the definition of processing of biometric data. This places certain demands on the organisation beyond those made for other forms of personal data.

"Where [biometric processing] takes place on the basis of a person's consent, GDPR says that the person must give 'explicit consent'. 'Consent' also means a 'freely given, specific, informed and unambiguous' indication of the person's wishes, and it must be a 'clear, affirmative action'," said Jon Baines, a data protection advisor at law firm Mishcon de Reya.

"It is difficult to square these requirements with what seems to have taken place here: callers were apparently given no option to opt out, let alone opt in."

He added that HMRC's FOI response "appears to concede this point", as it reads:

HMRC currently operates VoiceID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.

Baines added that it would be "difficult to see any other basis, other than explicit consent, which would allow HMRC to do this".

GDPR does allow individual member states to introduce their own laws to justify processing of biometric data without consent, he said, but "for this to happen there would rightly need to be the opportunity for parliamentary debate on the subject".

The Information Commissioner's Office confirmed to The Register that it had received a complaint about the Voice ID scheme and was making inquiries. If it finds there has been an infringement, Baines pointed out it can do more than just issue financial penalties; it can also require an organisation to take action.

"In this instance, it does appear that she [ICO commish Elizabeth Denham] could require HMRC to delete all 5.1 million profiles," he said.

HMRC said in a statement that all its customers' data, "including for VoiceID, is stored securely", but the department refused to answer an FoI request asking for further details on storage, or what legal territory it was stored in.

The department's canned statement added that the Voice ID system was "very popular with customers as it gives a quick and secure route into our systems".

'Expansion of the database state'

In addition to criticisms of the database itself, Big Brother Watch raised concerns about whether HMRC shares the voiceprints with other departments or public authorities.

There are multiple examples of different bodies handing over information that the public might not expect them to. The Home Office and NHS Digital were recently forced to stop sharing patient data for immigration enforcement, while the Department for Education was slammed for a similar scheme in 2016.

"These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives," said Carlo.

But HMRC also refused to divulge information on who else has access to Voice ID in its FoI response (PDF), saying it risked prejudicing the prevention or detection of crime.

Big Brother Watch also slammed Whitehall's decision to create another database of sensitive biometric material, describing it as another step towards the "database state". The FoI response from HMRC also shows that the department did not consult the biometrics commissioner on its Voice ID plans.

The government is already under pressure over its custody image database – which contains around 21 million shots of faces and identifying features – because the pictures are stored even if the subject is not charged.

This is despite a 2012 High Court judgment that said keeping images of presumed innocent people on file was unlawful. The Home Office has blamed outdated and clunky IT systems for the prolonged retention but hasn't committed to specifically address this issue.

The Home Office had promised that its much-delayed biometrics strategy – expected to address MPs' and campaigners' concerns – would be published in June.

Although the department has repeatedly insisted to El Reg that this is still the plan, that gives it only until Friday to pull the proverbial rabbit out of the hat. ®
