Carousel_Arrow Chat icon_cookie IHT_trust_wills IR35 Combined Shape 2 Group 10 Login Mobile Menu Share Share Email SubMenuMobile Group 9 VAT View_Gallery View_List capital_allow Triangle 2 Copy Close construction cyberpro employment_tax_shares emplyer_solutions entrepreneurs_corps fee_protect Group 7 grant_fund Group i_Clock i_Consult i_Done i_Eligibility_Tick i_Enter i_Filter i_HMRC i_Negative i_Play i_Plus i_Reset i_Support_Legal i_Support_TaxDesk i_Support_VAT i_Tick noun_marketing_1872083 noun_online_2126759 i_download i_meet Group Copy 24 Group 18 noun_electrical_1240755 copy noun_Technology_2125422 noun_Science_2031115 i_tick_bullet_block international_tax patent_box private_client property_sdlt r_and_d reliefs_incentives Search specialist_tax status tax_indemnity valuation
Markel Insurance

19 Jun 2019

HMRC issued with enforcement notice

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. HMRC has fallen foul of GDPR and has received an enforcement notice as a result.

HMRC (Her Majesty's Revenue and Customs) has been issued with an enforcement notice for collecting, retaining and using customers' biometric data in breach of the data protection rules.
An Information Commissioner's Office (ICO) investigation was launched after it received a complaint about HMRC's use of voice authentication for caller verification on some of their helplines.
As you may be aware, the GDPR specifically lists biometric data as special category personal data. The characteristics of a voice constitute biometric data which means individuals should be given sufficient information about the processing of their biometric data and the opportunity to give or withhold their consent. 
The enforcement notice gave HMRC a deadline to do the following:
  • Delete all biometric data it holds under the Voice ID system for which it does not have explicit consent.
  • Require its suppliers who operate, manage or are involved in the Voice ID system to delete all the biometric data that they process under the Voice ID system for which they do not have explicit consent.
This action demonstrates the importance of carefully considering how you process customers’ personal data to ensure you are compliant with the GDPR.
Tagged Legal Expenses Insurance

This feature was written in collaboration with the solicitors at Markel Law. Find out more about Markel Law and how they can assist your business.
Next article in series

19 Jun 2019

The exemption from disclosure for confidential employment references

Under data protection legislation, individuals are entitled to a copy of personal data held about them. Individuals may obtain this by making a "subject access request". However, there are some limited exemptions to disclosure in respect of certain types of personal data held .