Biometrics legislation catches out HMRC
Do you use technology systems that use and capture handy biometric data?
Many companies do so because technology makes capturing data easier than ever. Biometrics help organisations better manage their contact with customers, especially when it comes to identification and authentication of those clients and customers.
Organisations in all sectors are also utilising the technology in ever more innovative, and sometimes intrusive ways, for example, many companies now use fingerprints to protect ICT systems, secure buildings and integrate biometrics into their clocking-in systems to monitor attendance.
Are you asking for consent?
A few years ago HMRC adopted a voice authentication biometric which asked callers to record their voice in place of a password.
This Voice ID service, introduced in 2017, collected seven million voice records, and whilst very effective in terms of security, failed to obtain adequate explicit consent from its customers. HRMC failed to inform their customers that they could in fact decline to participate in the Voice ID system, resulting in a clear technical breach of the GDPR, namely creating a significant imbalance of power between HMRC and their customers.
Once brought to the Information Commission Office’s (ICO) attention, an enforcement notice was issued, ordering HMRC to delete any biometric data held without consent. Further investigation discovered that a data protection impact assessment (DPIA) was not performed before the new verification system was launched.
What is the role of DPIA?
The DPIA is simply a risk assessment focusing on the privacy implications of any new process or system. Had one been performed it would have considered the technical elements that HMRC would need to have in place to ensure compliance with the GDPR/DPA. This includes obtaining adequate consents, ensuring adherence to all data protection Principles and Notions, as well as notification to the data subject of their rights.
The importance of biometric data compliance
The GDPR classified biometric data which can identify a specific individual as ‘special’ category data, commonly referred to as sensitive category data, and as such is information that requires greater protection.
According to the ICO, every organisation has a responsibility to make sure that data protection obligations are fulfilled, and customers’ privacy rights are addressed alongside any organisational benefit.
Remember that it’s not enough to simply understand your responsibility, you must also be able to actively demonstrate your compliance by putting appropriate technical and organisational measures in place.
The public must be able to trust that their privacy is at the forefront of all decisions made about their personal data. If you’re in any doubt about your compliance, contact our GDPR specialists and we’ll be happy to advise you – 01673 885533.First GDPR fine issued for illegal facial recognition activity