HMRC accused of breaching EU data protection laws

Case study

The HM Revenue has been asked to delete voice samples taken from more than 5 million taxpayers. It is claimed that the HM Revenue breached the EU data protection law by obtaining them.

We are going to look at the facts and share our findings.

The recent revelation

A privacy campaign group have discovered that the HMRC have been asking their callers to its telephone service to repeat the phrase ‘My voice is my password’. This is apparently being done without the customer’s consent. The privacy campaign group said that the customers had been ‘railroaded into a mass ID scheme’.

Who exposed the data breach?

A privacy campaign group called Big Brother Watch reported that users were not given a choice to opt out of the voice password procedure. They have made a complaint to the Information Commissioner’s Office (ICO).

What is the HMRC voice ID scheme?

Her Majesty’s Revenue and Customs (HM Revenue and Customs or HMRC) is a non-ministerial department of the UK Government responsible for the collection of taxes, the payment of some forms of state support and the administration of other regulatory regimes.

In January 2017 the HMRC launched voice ID, they said it was “a cutting-edge technology that would make it easier for people to manage their tax and tax credits.”

When a customer calls HMRC for the first time, they are asked to repeat a vocal passphrase up to five times and then be passed back to an adviser to complete their call. The recorded passphrase is stored by HMRC and the customer can use their voice to confirm their identity when calling HMRC in the future.

Why does this qualify for a data breach?

As the Voice ID scheme does not allow callers to opt out of saying the phrase or to delete their recording, HMRC is breaching UK data protection laws.

Following the recent implementation of the EU General Data Protection Regulation (GDPR), companies are prohibited to process biometric data for the purposes of uniquely identifying a person unless the individual in question gives their express consent or the processing of biometric data in those circumstances is either in the public interest or done in order to comply with a legal obligation.

The customers who have signed up to this scheme have not been informed which other government departments HMRC have shared the voice recordings with, or how their voice recordings are being stored and used.

In addition to that, they have not been given control over the voice recording, there isn’t the choice to opt out or delete the recording.

Who is saying what?

An HMRC spokesperson said: “Our Voice ID system is very popular with customers as it gives a quick and secure route into our systems. The Voice ID data storage meets the highest government and industry standards for security.”

A Big Brother Watch spokesperson said: “It’s such a remarkable ID database nationally but there’s no privacy impact assessment that we can see and they haven’t engaged with the ICO about it.”

Pat Walshe, a data protection law expert and director of Privacy Matters, accused HMRC of “failing to meet basic data protection principles”.

The ICO said, “We have received a complaint about HMRC’s voice ID scheme and will be making inquiries.”



An article in The Guardian in 2016 reported that personal data security was breached nearly 9,000 times by the government in a year, the National Audit Office (NAO) had found. The watchdog revealed the 17 largest departments recorded 8,995 data breaches in 2014-15 – but that only 14 were reported to the Information Commissioner (ICO).

HM Revenue and Customs recorded the most breaches with 6,041, only three of which were reported to the ICO. Almost all of those not reported were “minor” breaches that “potentially had an impact on customers but were not managed centrally by the department”.

Along with the Ministry of Justice, with 2,801 breaches, three of which were reported to the ICO, HMRC made up the majority revealed in the report.

With this latest revelation, the HMRC needs to demonstrate a legitimate interest in collecting the voice ID data. We will keep you up to date with any progress with this case.

With any business data, security is of the utmost importance.  Leaks of your companies trade secrets will have a massive impact on your company.

Knowing where your data is and how it could be exposed, is a big part of what preparing for the General Data Protection Regulation helps you understand.  It is about data governance and risk assessment.

This is why understanding where your weakest links are or your next data breach is vital.  Whether it be one of your employees or one of your service providers.

Our be.infoready training, helps you understand the practical implementation of the GDPR. It’s not just regulation for the sake of it.

Big data has big implications.  But the scale of the problem matters not.  You still need to understand your risks, know your data, who and what has access to it.

be.Infoready! Train, Prepare, Assess.


Adrian Mc Garry


Read our latest article on the risks of big data.

Big data – that’s a lot of information

Read our case study on Level One Robotics.

Big data exposure – Level One Robotics



Also recently published