HMRC’s worrying GDPR breach

By Donald Drysdale for ICAS

11 June 2019

Main points

  • GDPR was introduced in May 2018 amid massive publicity.

  • HMRC have breached GDPR by holding taxpayers’ biometric voiceprints illegally.

  • Would a €20m fine from the ICO have any practical impact on HMRC?

As a chartered accountant, chartered tax adviser and chartered IT professional, Donald Drysdale wonders what further action may follow as HMRC get a rap on the knuckles from the ICO for breaching GDPR.

Initial concerns

Three months ago I wrote an article describing Voice ID. This is a new voice authentication technology which HMRC had adopted in January 2017, asking callers to some of its telephone helplines to record their voice as their password.

The aim of my article was to echo concerns, expressed by civil liberties campaign group Big Brother Watch, that HMRC were holding taxpayers’ biometric voiceprints illegally in contravention of the General Data Protection Regulation (GDPR).

Amid the cut and thrust of the adversarial world of tax compliance, such a suggestion might easily have been dismissed as mere posturing to embarrass the tax authority. However, subsequent events have shown that the concerns raised were fully justified.

What is GDPR?

GDPR lays down rules relating to the protection of natural persons with regard to the processing of their personal data, and rules relating to the free movement of personal data within the EU.

As enshrined in the Data Protection Act 2018, GDPR seeks to protect fundamental rights and freedoms of individuals, and in particular their right to the protection of personal data, while enabling the free movement of such data among member states.

GDPR recites principles relating to the processing of personal data, rights of the ‘data subjects’, and consequential obligations of supervisory authorities, data controllers and data processors.

It would be wrong to suggest that complying with GDPR is easy, but there was massive publicity before it took effect almost exactly a year ago, on 25 May 2018. It seems scarcely possible that any organisation would have remained ignorant of it – certainly not HMRC!

Enforcement notice

On 9 May 2019 the Information Commissioner’s Office (ICO) issued HMRC with an enforcement notice under the Data Protection Act 2018 s 149 in relation to contraventions of the data protection principles set out in Article 5 GDPR.

Helpfully, the ICO also published an article the following day, reminding organisations of the potential challenges when choosing and using any systems involving biometric data.

This explained that HMRC had neither given callers enough information, nor advised them that they didn’t have to sign up to Voice ID. There had been no clear option for callers who didn’t want to register. HMRC had not obtained adequate consent from callers, and accordingly, the ICO ordered the tax authority to delete any data it was holding without consent.

The ICO referred to the significant imbalance of power between HMRC and taxpayers, and criticised HMRC for giving “little or no consideration to the data protection principles [of GDPR] when rolling out the Voice ID service”.

Until HMRC eventually published a privacy notice in July 2018 and changed the automated recording in October, they had not told callers how they could opt out of the Voice ID system and had not explained to them that they would not suffer a detrimental impact if they declined to participate.

Because the case has raised significant data governance and accountability issues that require monitoring, the ICO is going to follow up the enforcement notice with an audit to assess HMRC’s compliance with good practice in the processing of personal data. Hopefully, this will also confirm that the illegally-gathered voiceprints have indeed been deleted.

Data protection impact assessment

In a related failure by HMRC, a ‘data protection impact assessment’ (DPIA) required by GDPR was not in place before the system was launched. This was necessary to consider appropriately the compliance risks associated with processing biometric data.

Data controllers are required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’, such as the (large scale) use of biometric data. A DPIA is the means of putting ‘data protection by design and default’, a key concept at the heart of GDPR compliance, into practice before processing begins.

Under GDPR, biometric data is specifically identified as ‘special category data’ that requires greater protection. Any consent obtained to hold such data must be explicit consent, and the benefits from the technology cannot be used as an excuse to override the need to meet this legal obligation.

ICO penalties

The ICO has power to levy fines for breaches of data protection law. For small organisations, the potential penalties may seem draconian, but they have been widely criticised as likely to be ineffective when applied to large organisations.

Fines levied by the ICO before GDPR came into effect were limited to a maximum of £500,000. This was the paltry sum which Facebook was fined in 2018 for improperly sharing personal data on 87m customers with Cambridge Analytica. Earlier that year, Facebook was reportedly making £500,000 every five and a half minutes.

Under GDPR, the ICO can now fine organisations up to €20 million or, if they are classed as ‘undertakings’, up to the higher of €20 million and 4% of the undertaking’s total annual worldwide turnover.

ICO fines charged to date, published by the ICO alongside its other enforcement action, have fallen woefully below the permitted maxima, and are unlikely to prove a deterrent to large organisations at fault.

So, what punishment should the ICO mete out to HMRC? In 2017/18 HMRC collected over £600bn in revenues – including penalties of £1.7bn levied on taxpayers. Would such an organisation really feel the pinch if faced with a €20 million penalty? I think not.

The need for trust

Members of the public should be able to trust that their privacy is at the forefront of the decisions made about their personal data – whether at HMRC or any other public or private body.

Time and again – for example, with iXBRL for corporation tax, data-bridging techniques for Making Tax Digital, and Voice ID – HMRC have sought to become the most digitally advanced tax authority in the world by operating at the ‘bleeding edge’ of new technologies, with seeming disregard for unwelcome risks this might attract for both HMRC and taxpayers.

On introducing Voice ID, HMRC said it was “well-proven” and “cutting edge” – expressions which are not necessarily synonymous. Although simple recording of phone calls has become commonplace, I sympathise with taxpayers who may be reluctant to have their biometric voiceprints recorded until the security aspects have been more rigorously tried and tested.

HMRC should observe the law. While an ICO fine might not guarantee HMRC’s future compliance with GDPR, the attendant reputational impact might persuade them to adopt a less negligent attitude to safeguarding the interests of taxpayers. The ICO should, therefore, charge them a robust penalty.

Article supplied by Taxing Words Ltd
