June 26, 2018, updated 27 Jun 2018 11:26am

Did HMRC breach GDPR and can it be fined?

By Robert Scammell

UK tax authority Her Majesty’s Revenue and Customs (HMRC) has stored and analysed the voices of millions of taxpayers without consent, according to privacy campaigners Big Brother Watch. The privacy group has accused HMRC of creating “biometric ID cards by the backdoor”. But did HMRC breach GDPR and can it be fined?

GDPR — known formally as the General Data Protection Regulation — came into effect on 25 May. The updated privacy laws mean an organisation can be fined up to 4% of its annual global revenue if it is deemed to have improperly handled customer data.

These new laws are in place to give individuals greater control of their personal data. They also incentivise organisations to ensure data is protected and managed correctly.

Did HMRC breach GDPR?

Taxpayers phoning HMRC are required to repeat the phrase “My voice is my password” on an automated line to access services. Big Brother Watch’s investigation revealed that more than 5.1 million taxpayers’ biometric voiceprints were taken without consent.

Under GDPR, consent is a key principle that requires a positive opt-in. Individuals must take proactive action to give approval for their data being acquired, whether it is an address, phone number or voice recording.

Organisations cannot assume consent and this is what Big Brother Watch alleges HMRC has done in recording and storing taxpayers’ voices.

“These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives,” said Silkie Carlo, director of Big Brother Watch.

HMRC says that the data is held securely.

However, head of legal services at ThinkMarble and data protection lawyer Robert Wassall is not convinced that HMRC is in breach of GDPR.

“One of the exceptions to the general rule that you need explicit consent is public interest,” he told Verdict.

“I think that there’s a legal argument to say that the information has been obtained on a public interest basis. If so, then that would be a valid exception and therefore they wouldn’t need consent.”

An Information Commissioner’s Office (ICO) spokesperson told Verdict: “We have received a complaint about HMRC’s voice ID scheme and will be making enquiries.”

Government bodies can also be fined

The ICO has fined public bodies under previous data protection rules. On 13 June 2018, Gloucestershire Police was fined £80,000 by the ICO after sending a bulk email that identified victims of non-recent child abuse. The breach occurred in December 2016.

However, there is an argument that imposing fines on public bodies is ineffective. That is because public bodies pay GDPR fines to the Treasury, which in turn provides their funding. Wassall described this as a “bit of a money merry-go-round.”

The alternative, though, would be to not impose any financial penalties on public bodies that commit data protection offences. Wassall described this as a “get out of jail free card in effect”.

Looking at the ICO’s historical reports, there are many cases against public bodies. These range from local councils to the police and NHS trusts.

In 2012, Brighton and Sussex University Hospital Trust was fined what was at the time a record amount of £325,000 after hard drives containing sensitive patient data were sold on eBay.

Regulators previously monitored public bodies more closely than private organisations under the earlier legislation. Wassall believes that this will change under GDPR, with much closer scrutiny on private companies. This already seems to be the case, with Dixons Carphone recently becoming the subject of an investigation after a massive data breach.

“I think it’s adopting a culture of data protection and understanding that it’s other people’s information to be looked after, not treated as some sort of piece of property,” said Wassall.