UK taxman has amassed voice profiles of 5.1 million taxpayers

Big Brother Watch questions legal basis for data retention

By Rebecca Hill


Campaign group Big Brother Watch has accused HMRC of creating ID cards by stealth after it was revealed the UK taxman has amassed a database of 5.1 million people's voiceprints.

The department introduced its Voice ID system in January 2017. This requires taxpayers calling HMRC to record a key phrase, which is used to create a digital signature that the system uses to unlock the right account when they phone back.

According to a Freedom of Information request, submitted by Big Brother Watch and published today, the department now has more than 5.1 million people's voiceprints on record.

However, the group argued that users haven't been given enough information on the scheme, how to opt in or out, or details on how their data would be deleted. The FoI revealed that no customers have opted out in the 30 days to 13 March, but the department refused to respond to set out exactly how the erasure process would work.

Director Silkie Carlo said that taxpayers have been "railroaded into a mass ID scheme" and that the government was "imposing biometric ID cards on the public by the back door".

The FoI response also raises questions about the lawfulness of the collection and storage of the data, and whether it is in line with the General Data Protection Regulation that came into force on 25 May.

Under the GDPR, a system that allows people to be identified by their voice would likely meet the definition of processing of biometric data. This places certain demands on the organisation beyond those made for other forms of personal data.

"Where [biometric processing] takes place on the basis of a person's consent, GDPR says that the person must give 'explicit consent'. 'Consent' also means a 'freely given, specific, informed and unambiguous' indication of the person's wishes, and it must be a 'clear, affirmative action'," said Jon Baines, a data protection advisor at law firm Mischon de Reya.

"It is difficult to square these requirements with what seems to have taken place here: callers were apparently given no option to opt out, let alone opt in."

He added that HMRC's FOI response "appears to concede this point", as it reads:

HMRC currently operates VoiceID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.

Baines added that it would be "difficult to see any other basis, other than explicit consent, which would allow HMRC to do this".

GDPR does allow individual member states to introduce their own laws to justify processing of biometric data without consent, he said, but "for this to happen there would rightly need to be the opportunity for parliamentary debate on the subject".

The Information Commissioner's Office confirmed to The Register that it had received a complaint about the Voice ID scheme and was making inquiries. If it finds there has been an infringement, Baines pointed out it can do more than just issue financial penalties; it can also require an organisation to take action.

"In this instance, it does appear that she [ICO commish Elizabeth Denham] could require HMRC to delete all 5.1 million profiles," he said.

HMRC said in a statement that all its customers' data, "including for VoiceID, is stored securely", but the department refused to answer an FoI request asking for further details on storage, or what legal territory it was stored in.

The department's canned statement added that the Voice ID system was "very popular with customers as it gives a quick and secure route into our systems".

'Expansion of the database state'

In addition to criticisms of the database itself, Big Brother Watch raised concerns about whether HMRC shares the voiceprints with other departments or public authorities.

There are multiple examples of different bodies handing over information that the public might not expect them to. The Home Office and NHS Digital were recently forced to stop sharing patient data for immigration enforcement, while the Department for Education was slammed for a similar scheme in 2016.

"These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives," said Carlo.

But HMRC also refused to divulge information on who else has access to Voice ID in its FoI response (PDF), saying it risked prejudicing the prevention or detection of crime.

Big Brother Watch also slammed Whitehall's decision to create another database of sensitive biometric material, describing it as another step towards the "database state". The FoI response from HMRC also shows that the department did not consult the biometrics commissioner on its Voice ID plans.

The government is already under pressure over its custody image database – which contains around 21 million shots of faces and identifying features – because the pictures are stored even if the subject is not charged.

This is despite a 2012 High Court judgment that said keeping images of presumed innocent people on file was unlawful. The Home Office has blamed outdated and clunky IT systems for the prolonged retention but hasn't committed to specifically address this issue.

The Home Office had promised that its much-delayed biometrics strategy – expected to address MPs and campaigners' concerns – would be published in June.

Although the department has repeatedly insisted to El Reg that this is still the plan, it gives it only until Friday to pull the proverbial rabbit out of the hat. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

As HMRC's quarterly deadline for online VAT filing looms, biz dogged by 'technical difficulties'

Has tax been made digital yet? Not quite, it would appear

UK taxman plans to, er, Crown Hosting boss. Who'll take £115k to be its champion in HMRC?

Seeks willing body to 'take services live' plus another senior type for networks role

Just keep slurping: HMRC adds two million taxpayers' voices to biometric database

But thousands opting out in 'backlash', says privacy group

HMRC accused of not understanding its own IR35 tax reforms ahead of private sector rollout

MPs also voice concerns about accuracy of status-check tool

HMRC contractor scores IR35 payout after yet another taxman blunder

CEST tool gets it wrong – for its own creators

Brekkie TV host Lorraine Kelly wins IR35 ruling against HMRC, adds fuel to freelance techies' ire over tax reforms

Pint-sized Scottish squawker wins tribunal appeal over £1.2m tax bill

Go on, feast your eyes on... HMRC's backend: 4,000 IT staff, its hookup with AWS and more

OpenInfra Days UK 2019 UK taxman's digital boss talks living with Amazon

HMRC: We 'rigorously tested' IR35 tax-check tool... but have almost nothing to show for it

'Normally you'd have reams of documentation... all they have is one page'

The lighter side of HMRC: We want your money, but we also want to make you laugh

Junior staffers, cold fingers get blamed for missed payments in taxman's annual attempt at humour

CEST la vie, IR35 workers: HMRC sets out stall for ignoring Mutuality of Obligation

Don't have a cow, but taxman test disappears MOO