The Information Commissioner’s Office (ICO) issued a preliminary enforcement notice to Her Majesty’s Revenue and Customs (HMRC). The ICO’s notice compels HMRC to delete personal data which was wrongfully collected.


A complaint was made to the ICO last year about HMRC relying on implied consent for the historic collection of personal data from individuals. From January 2017, voice data was collected from individuals who used an HMRC helpline. The complainant, Big Brother Watch, has published details of their complaint online. According to the complainant, HMRC helpline users were prompted to provide their voice data with no option for them to decline. HMRC confirmed that affected users would have had to contact an advisor on the helpline to request the deletion of their data.

Voice data is considered biometric data, a special category of personal data under the GDPR. Consent of the individual is one of the key bases relied on for the processing of biometric data. In this instance, HMRC failed to allow individuals to give or withhold their consent to processing. Giving consent to processing must be a clear affirmative act and cannot be inferred. HMRC also failed to provide sufficient information about how the data would be processed.


HMRC adapted how it collects consent from individuals using its helpline in October 2018. There are around 1.5 million users of the HMRC helpline who have since provided their consent to processing. However, there remain around 5 million users whose voice data HMRC has but without the required consent. In response, HMRC published a letter addressed to its data protection officer. The letter sets out HMRC’s commitment to comply with data protection laws. The letter also explains that HMRC will delete biometric data where no explicit data subject consent is held. HMRC expects to complete the deletion process before the deadline of 5 June 2019 set by the ICO.


This incident demonstrates that companies must embed a culture of privacy by design across their activities. The introduction of voice checks by HMRC was predicated on providing an improved level of protection for data subjects. However, HMRC failed to understand that data subjects must be given a real chance to consent to such processing. This action by the ICO illustrates the regulatory appetite for pursuing investigations concerning data collected before the GDPR data protection regime was in place. We have written on a number of recent ICO regulatory actions and expect further developments in this area.