HMRC deletes some files because of a breach of the GDPR rules

HM Revenue and Customs (HMRC) has been found by the Information Commissioner’s Office (ICO) to have breached data protection rules set out in the EU General Data Protection Regulation (GDPR) by failing to give users an option to opt out of voice identification software.

HMRC has published a letter sent by Jon Thompson, HMRC Chief Executive and Permanent Secretary, to the HMRC Data Protection Officer to clarify the situation:

“I have written to the ICO today to inform them of the actions the department has agreed, as follows.

  1. I have confirmed that HMRC will only retain Voice ID enrolments where we hold explicit consent. As you know, this is currently around 1.5 million customers, who have used the service since we introduced changes in October 2018 to comply with GDPR requirements.
  2. I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline. These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent.
  3. I have reaffirmed HMRC's commitment to being a responsible data controller and to complying with all data protection laws.

I am satisfied that HMRC should continue to use Voice ID. It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster. HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes.

In the interests of being transparent about the decisions we have made, I am arranging for this note to be made public and have advised the ICO accordingly.”