ICO warns over biometric data consent

The Information Commissioner’s Office (ICO) has warned that organisations need to obtain explicit consent when using consumers’ biometric data.

In an official blog post, the regulator’s deputy commissioner for policy, Steve Wood, responded to the ICO’s investigation of HM Revenue and Customs’ Voice ID service, which led to the department having to delete the voiceprints of about five million customers for whom valid explicit consent had never been obtained.

Wood explained that under the General Data Protection Regulation (GDPR), one of the key points about using biometrics, such as voice data, is that it falls into a special category of personal data which requires extra protection. Consequently, any consent has to be explicit, and the absence of such consent cannot be offset by the benefits that the technology may provide.

Another point, also set out in the GDPR, is that controllers are required to complete a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals’ rights and freedoms.

The DPIA must then be acted upon, with any risks it identifies mitigated, and the controller must be able to demonstrate accountability for its compliance by having appropriate technical and organisational measures in place.

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit,” Wood wrote.

“The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”

On 4 April, the ICO issued a preliminary enforcement notice compelling HMRC to delete all the data for which it did not have explicit consent, followed by an enforcement notice giving the department 28 days to complete the deletions.

However, Jonathan Thompson, HMRC’s permanent secretary, wrote a letter to the department’s data protection officer, Chris Franklin, saying he was satisfied that HMRC should continue to use Voice ID. It will retain the data of the 1.5 million customers from whom explicit consent has been obtained since it changed its enrolment process in October of last year to comply with the GDPR.
