The voice records of five million people are being deleted by HM Revenue and Customs, which has been found to have given customers insufficient information about how their data would be processed.
The Information Commissioner’s Office (ICO) said voice data collected unlawfully by HMRC should be deleted.
An ICO investigation into HMRC’s Voice ID service was prompted by a complaint from Big Brother Watch about the department’s conduct.
Since 2017, customers have been able to use voice authentication on some of HMRC’s helplines, which means they can by-pass some other security checks.
They repeat the phrase: “My voice is my password” to register.
Services that use Voice ID are Child Benefit, Tax Credits, Help to Save, Self-Assessment, Taxes and National Insurance.
But the ICO found that HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.
This is a breach of the General Data Protection Regulation (GDPR).
Under the new rules that came into force last year, biometric data is considered special category information and is subject to stricter conditions.
The ICO has issued a preliminary enforcement notice to HMRC, stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
It said it will issue its final enforcement notice next week giving HMRC 28 days from that date to complete deletion of relevant records.
HMRC anticipates it will complete work to delete records well before the ICO’s June 5 deadline.
It will now only retain Voice ID enrolments where it holds explicit consent.
This is currently around 1.5 million customers, who have used the service since the tax authority introduced changes in October 2018 to comply with GDPR requirements.
The five million customers whose records are being deleted enrolled in the Voice ID service before October 2018 and have not called HMRC or used the service since to reconfirm their consent.
People whose records are being deleted can apply again to use the service if they wish to.
Steve Wood, deputy commissioner at the ICO, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully.
“Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy.
“Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
An HMRC spokesman said: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018.
“Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”