HMRC to finally erase five million voice records it collected without permission

Graham Cluley
@gcluley

Back in June 2018 it was revealed that the UK’s tax authority, HMRC, had collected the voiceprints of 5.1 million taxpayers into a gigantic database.

The biometric voice data had been collected without explicit consent from people calling the HMRC’s telephone hotline for advice.

That breach of privacy rules means that HMRC has now been ordered to delete the data it collected, within the next five weeks.

Sign up to our newsletter
Security news, advice, and tips.

As we discussed at the time on the “Smashing Security” podcast, callers were asked to repeat the phrase “My voice is my password” before being able to access HMRC services.

Smashing Security #84: 'No! My voice is not my password'

Your browser does not support this audio element. https://aphid.fireside.fm/d/1437767933/dd3252a8-95c3-41f8-a8a0-9d5d2f9e0bc6/5555de09-8536-420a-8f8c-8451359bc08e.mp3

Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
More episodes...

If it hadn’t been for privacy campaigners at Big Brother Watch making a stink about HMRC’s breach of privacy rules and complaining to the Information Commissioner’s Office (ICO), it’s unlikely the data would ever have been erased – giving the British government “one of the largest known state-held voice databases in the world.”

In October 2018, HMRC changed the way it sought permission to collect voice IDs. And if you have called the tax hotline since then any voiceprint collected will not be included amongst those now being deleted before the ICO’s deadline of 5 June.

In short, HMRC will now continue to collect biometric data of people calling it on the telephone – but only if callers choose to opt-in to the scheme.

As BBC News reports, Big Brother Watch views the outcome as a big success:

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.