Campaign group Big Brother Watch has accused HMRC of creating ID cards by stealth after it was revealed the UK taxman has amassed a database of 5.1 million people's voiceprints.

The department introduced its Voice ID system in January 2017. This requires taxpayers calling HMRC to record a key phrase, which is used to create a digital signature that the system uses to unlock the right account when they phone back.

According to a Freedom of Information request, submitted by Big Brother Watch and published today, the department now has more than 5.1 million people's voiceprints on record.

However, the group argued that users haven't been given enough information on the scheme, how to opt in or out, or details on how their data would be deleted. The FoI revealed that no customers have opted out in the 30 days to 13 March, but the department refused to respond to set out exactly how the erasure process would work.

Director Silkie Carlo said that taxpayers have been "railroaded into a mass ID scheme" and that the government was "imposing biometric ID cards on the public by the back door".

The FoI response also raises questions about the lawfulness of the collection and storage of the data, and whether it is in line with the General Data Protection Regulation that came into force on 25 May.

Under the GDPR, a system that allows people to be identified by their voice would likely meet the definition of processing of biometric data. This places certain demands on the organisation beyond those made for other forms of personal data.

"Where [biometric processing] takes place on the basis of a person's consent, GDPR says that the person must give 'explicit consent'. 'Consent' also means a 'freely given, specific, informed and unambiguous' indication of the person's wishes, and it must be a 'clear, affirmative action'," said Jon Baines, a data protection advisor at law firm Mischon de Reya.

"It is difficult to square these requirements with what seems to have taken place here: callers were apparently given no option to opt out, let alone opt in."

He added that HMRC's FOI response "appears to concede this point", as it reads:

HMRC currently operates VoiceID on the basis of the implied consent of the customer, but is developing a new process which will be operated on the basis of the explicit consent of the customer.

Baines added that it would be "difficult to see any other basis, other than explicit consent, which would allow HMRC to do this".

GDPR does allow individual member states to introduce their own laws to justify processing of biometric data without consent, he said, but "for this to happen there would rightly need to be the opportunity for parliamentary debate on the subject".

The Information Commissioner's Office confirmed to The Register that it had received a complaint about the Voice ID scheme and was making inquiries. If it finds there has been an infringement, Baines pointed out it can do more than just issue financial penalties; it can also require an organisation to take action.

"In this instance, it does appear that she [ICO commish Elizabeth Denham] could require HMRC to delete all 5.1 million profiles," he said.

HMRC said in a statement that all its customers' data, "including for VoiceID, is stored securely", but the department refused to answer an FoI request asking for further details on storage, or what legal territory it was stored in.

The department's canned statement added that the Voice ID system was "very popular with customers as it gives a quick and secure route into our systems".

'Expansion of the database state'

In addition to criticisms of the database itself, Big Brother Watch raised concerns about whether HMRC shares the voiceprints with other departments or public authorities.

There are multiple examples of different bodies handing over information that the public might not expect them to. The Home Office and NHS Digital were recently forced to stop sharing patient data for immigration enforcement, while the Department for Education was slammed for a similar scheme in 2016.

"These voice IDs could allow ordinary citizens to be identified by government agencies across other areas of their private lives," said Carlo.

But HMRC also refused to divulge information on who else has access to Voice ID in its FoI response (PDF), saying it risked prejudicing the prevention or detection of crime.

Big Brother Watch also slammed Whitehall's decision to create another database of sensitive biometric material, describing it as another step towards the "database state". The FoI response from HMRC also shows that the department did not consult the biometrics commissioner on its Voice ID plans.

The government is already under pressure over its custody image database – which contains around 21 million shots of faces and identifying features – because the pictures are stored even if the subject is not charged.

This is despite a 2012 High Court judgment that said keeping images of presumed innocent people on file was unlawful. The Home Office has blamed outdated and clunky IT systems for the prolonged retention but hasn't committed to specifically address this issue.

The Home Office had promised that its much-delayed biometrics strategy – expected to address MPs and campaigners' concerns – would be published in June.

Although the department has repeatedly insisted to El Reg that this is still the plan, it gives it only until Friday to pull the proverbial rabbit out of the hat. ®