PARLIAMENTARY WRITTEN QUESTION
Revenue and Customs: ICT (13 February 2019)

To ask the Chancellor of the Exchequer, how many citizens have registered a voice recognition password to access HMRC services; and what legal provisions apply to the collation of that voice recognition data by HMRC.

Asked by:
Darren Jones (Labour)

7,227,106 customers have registered a voice recognition password to access HMRC services.

HMRC currently relies on the legal basis of consent to collect and process voice data from individuals under Article 6(1)(a) of the GDPR. The legal basis for most processing of personal data in HMRC is Article 6(1)(e) and section 8 DPA 2018, namely “public task”. However, HMRC does not rely on the “public task” legal basis for Voice ID at present as HMRC allows the customer to decide whether they want to use Voice ID for convenience and it is only one of 3 methods HMRC uses to verify the identity of customers on the phone.

As biometric data is special category data, one of the additional conditions in Article 9 of GDPR also needs to be met in order for HMRC to process this data. Given consent is the legal basis for processing, HMRC relies on the Article 9 (2)(a) condition of explicit consent for the processing. HMRC allows the customer to choose to opt in to use the service for convenience and verification by other means remains possible.

HMRC obtains explicit consent from customers and clearly informs them about how they can withdraw their consent.

Answered by:
Mel Stride (Conservative)
18 February 2019