HMRC handed an enforcement notice following GDPR violation

Following a complaint from the privacy watchdog, Big Brother Watch, the Information Commissioner’s Officer (ICO) conducted an investigation into HMRC for failing to gain explicit consent from individuals about their biometric data. The ICO reported that there had been a “significant breach” of data protection laws.

After the investigation, the ICO concluded that HMRC did not have adequate consent from its customers and have ordered HMRC, via an enforcement notice, to delete any data it continues to hold without consent.

The commissioner highlighted the scale of the data collection and that “HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers.”

“It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.”

It was also discovered that a data protection impact assessment (DPIA) was not in place before the Voice ID system was launched.

The ICO have decided on not imposing a fine as it was judged that the infringement was not likely to cause any persons “damage or distress.”

If HMRC refuses to comply with the enforcement notice, the ICO have the ability to fine HMRC maximum GDPR penalty of £17 million or 4% of their global annual turnover.

Steve Wood, the Deputy Commissioner for Policy, said:

“This is the first enforcement action taken in relation to biometric data since the advent of GDPR when, for the first time, biometric data was specifically identified as special category data that requires greater protection.

“Our guidance on informed consent provides advice for organisations planning to use these kinds of systems and we are currently developing our guidance on biometric data.

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”