On 9 May 2019, the Information Commissioner’s Office (ICO) issued an enforcement notice against HMRC for processing biometric data in breach of the first data protection principal under the GDPR. This is the first enforcement action by the ICO in respect of biometric data.
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”. Biometric data is increasingly used for security purposes such as the use of fingerprint and facial scanning to unlock mobile devices.
The action against HMRC was triggered by a complaint from Big Brother Watch alleging that HMRC's use of voice authentication technology for caller verification on HMRC helplines was not undertaken in a fair, lawful and transparent manner as required by the first data protection principle. Because biometric data is classed as special category data under the GDPR, any organisation must have identified both a lawful ground for processing such data under Article 6 GDPR and an additional condition for processing under Article 9 GDPR to satisfy the first data protection principle.
In the current case, HMRC sought to use consent as its Article 6 legal ground and explicit consent under Article 9. However, the ICO's investigation found that the automated recording warning callers about HMRC’s caller verification measures failed to obtain adequate consent. HMRC had given insufficient information to customers regarding processing of biometric data and did not offer customers the opportunity to give or withhold their consent. As a result, the consent did not meet the GDPR standard of being freely given, specific, informed and unambiguous.
In deciding to take enforcement action, the ICO had regard to the large number of individuals affected by HMRC's processing (over 7 million voice records were held) as well as the significant imbalance of power between HMRC and customers, particularly those relying on HMRC for benefit purposes. It also noted that HMRC had failed to put a data protection impact assessment in place before it introduced the technology.
Under the terms of the enforcement notice, HMRC is now required to take the following steps by 5 June 2019:
- delete all biometric data held under the caller verification system for which it does not have explicit consent; and
- procure that any suppliers involved in the operation or management of the caller verification system also delete all biometric data that they are processing and for which they do not have explicit consent.
This action serves as a timely reminder to organisations that they must:
- identify appropriate lawful grounds and, if necessary, additional conditions under Article 6 and Article 9 of the GDPR
- ensure that their consent collection mechanisms meet the high standard set out in the GDPR
- undertake data protection impact assessments where required (the ICO has produced a useful screening checklist).
Any organisations processing biometric data may wish to review the blog, Using biometric data in a fair, transparent and accountable manner, published by Steve Wood, Deputy Commissioner for policy at the ICO which discusses the enforcement notice against HMRC and sets out some helpful guidance.