HMRC issued enforcement notice by ICO for use of biometric data
When is consent sufficient for collecting, processing and using biometric data?
The background
HMRC uses voice authentication, a form of biometric data, for caller verification on some of its helplines. Biometric data is special category data under the GDPR and, therefore, requires a higher level of consent for its collection, use and processing.
However, HMRC failed to obtain adequate consent from individuals as required. This is because individuals were not given the opportunity to give or withhold consent. This also meant that HMRC did not have individuals’ explicit consent, which is required as a result of the fact that the information was special category data. Furthermore, HMRC had not provided adequate information to the individuals, meaning that any consent they did give was not sufficient.
The decision
In reaching its decision, the ICO took into account the imbalance of power between HMRC and the individuals affected, especially the individuals who might rely on HMRC in relation to benefit claims. Also relevant to the ICO’s finding was the sheer number of people affected by this data issue.
To become compliant with data protection regulation, HMRC was required to delete (and oblige its suppliers to delete) all biometric data held under the Voice ID system for which explicit consent had not been obtained.
Why is this important?
Since the GDPR’s introduction, this is the first enforcement action which confirms that biometric data is special category data.
Any practical tips?
Beware all systems offering biometric data processing – or rather tread with care, and carry out a Data Protection Impact Assessment for sure. The latter should flush out potential issues and ways to practically address them.
See also the “key takeaway” section in the HMRC decision, as this lists example methods of compliance. The blog by the Deputy Commissioner for Policy at the ICO, “Using biometric data in a fair, transparent and accountable manner”, is also useful.