HM Revenue & Customs (HMRC) has been given 28 days to delete voice records that were being held illegally.
The Information Commissioner’s Office (ICO) found that HMRC was holding the five million voice records in direct violation of data protection rules.
The investigation found that voice authentication was used to verify customers’ identities on HMRC helplines from January 2017 to October 2018.
Biometric data is subject to tighter rules under GDPR, where it has its own category of information.
However, the ICO found that HMRC had not given taxpayers enough information about how their data would be processed, and gave them no opportunity to consent or opt out. This directly contravenes the General Data Protection Regulation (GDPR).
Subsequently, HMRC has been given 28 days to delete all records that fall into this category, after a preliminary enforcement notice was given on 4 April.
Steve Wood, Deputy Commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully.
“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its voice ID service.”
According to HMRC CEO Jon Thompson, 1.5 million customers have used the service since October 2018. Changes have been made and their data is compliant with GDPR rules.
But approximately five million customers did not call or use the service after the changes were made, meaning that their data must now be deleted. This is believed to be the largest ever deletion of biometric IDs from a government database.