The U.K.’s data protection watchdog has issued the government department responsible for collecting taxes with a final enforcement notice, after an investigation found HMRC had collected biometric data from millions of citizens without obtaining proper consent.

HMRC has 28 days from the May 9 notice to delete any Voice ID records where it did not obtain explicit consent to record and create a unique biometric voiceprint linked to the individual’s identity.

The Voice ID system was introduced in January 2017, with HMRC instructing callers to a helpline to record a phrase to use their voiceprint as a password. The system soon attracted criticism for failing to make it clear that people did not have to agree to their biometric data being recorded by the tax office.

In total, some 7 million U.K. citizens have had voiceprints recorded via the system. HMRC will now have to delete the majority of these records (~5 million voiceprints) — only retaining biometric data where it has fully informed consent to do so.

The Information Commissioner’s Office (ICO) investigation into Voice ID was triggered by a complaint by privacy advocacy group Big Brother Watch — which said more than 160,000 people opted out of the system after its campaign highlighted questions over how the data was being collected.

Announcing the conclusion of its probe last week, the ICO said it had found the tax office unlawfully processed people’s biometric data.

“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public,” said deputy commissioner, Steve Wood, in a statement.

Blogging about its final enforcement notice, the regulator said today that it intends to carry out an audit to assess HMRC’s wider compliance with data protection rules.

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data,” writes Woods, offering guidance for using biometric data “in a fair, transparent and accountable way.”

Under Europe’s General Data Protection Regulation (GDPR), biometric data that’s used for identifying a person is classed as so-called “special category” data — meaning if a data controller is relying on consent as their legal basis for collecting this information the data subject must provide explicit consent.

In the case of HMRC, the ICO found it had failed to give customers sufficient information about how their biometric data would be processed, and failed to give them the chance to give or withhold consent.

It also collected voiceprints prior to publishing a Voice ID-specific privacy notice on its website. The ICO found it had not carried out an adequate data protection impact assessment prior to launching the system.

In October 2018 HMRC tweaked the automated options it offered to callers to provide clearer information about the system and their options.

That amended Voice ID system remains in operation. And in a letter to the ICO last week HMRC’s chief executive, Jon Thompson, defended it — claiming it is “popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster.”

As a result of the regulator’s investigation, HMRC retrospectively contacted around a fifth of the 7 million Brits whose data it had gathered to ask for consent. Of those it said more than 995,000 provided consent for the use of their biometric data and more than 260,000 withheld it.