HMRC to finally erase five million voice records it collected without permission

HMRC to finally erase five million voice records it collected without permission

Back in June 2018 it was revealed that the UK’s tax authority, HMRC, had collected the voiceprints of 5.1 million taxpayers into a gigantic database.

The biometric voice data had been collected without explicit consent from people calling the HMRC’s telephone hotline for advice.

That breach of privacy rules means that HMRC has now been ordered to delete the data it collected, within the next five weeks.

Sign up to our free newsletter.
Security news, advice, and tips.

As we discussed at the time on the “Smashing Security” podcast, callers were asked to repeat the phrase “My voice is my password” before being able to access HMRC services.

Smashing Security #084: 'No! My voice is not my password'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

If it hadn’t been for privacy campaigners at Big Brother Watch making a stink about HMRC’s breach of privacy rules and complaining to the Information Commissioner’s Office (ICO), it’s unlikely the data would ever have been erased – giving the British government “one of the largest known state-held voice databases in the world.”

In October 2018, HMRC changed the way it sought permission to collect voice IDs. And if you have called the tax hotline since then any voiceprint collected will not be included amongst those now being deleted before the ICO’s deadline of 5 June.

In short, HMRC will now continue to collect biometric data of people calling it on the telephone – but only if callers choose to opt-in to the scheme.

As BBC News reports, Big Brother Watch views the outcome as a big success:

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.