
HMRC in Hot Water Over GDPR Breach

by Becky Reid

Some (though maybe not many) could start to feel sorry for the UK's Tax Authority, HMRC. First they lose two high-profile cases regarding IR35 and now they've been served an enforcement notice by the UK Information Commissioner's Office (ICO) for a breach of GDPR. It's also the first enforcement action by the ICO in relation to biometric data.

What's happened?

HMRC was using voice recognition as a form of caller verification on HMRC helplines, but it transpires they did not get explicit enough consent to gather and use this biometric data.

The implementation of GDPR back in May 2018 saw biometric data included for the first time and now the UK has seen its first head roll because of it.

Under GDPR, biometric data is classed as 'special category data' and so requires explicit consent for its collection and processing. The ICO has found that HMRC's automated recording warning callers about the verification measures falls short of the 'explicit' element.

The enforcement notice has forced HMRC (and any suppliers involved) to delete all data for which they do not have explicit consent (they hold over 7 million voice records) by 5 June 2019. Ouch.

A timely reminder on the anniversary of the introduction of GDPR, isn't it?

Read more about the detail of the case ».
