Organisations must ensure they gain explicit consent if they want to gather and use biometric data or face the wrath of the Information Commissioner’s Office. Steve Wood, deputy commissioner for policy at the ICO, issued the warning following the regulator’s investigation into HM Revenue & Customs’ Voice ID service. Last week, the ICO forced HMRC to delete the data of about 5 million consumers after ruling that their information had been gathered unlawfully.
In a blog post, Wood says that under the GDPR, one of the key points about using biometrics such as voice data is that it falls into a special category that requires extra protection. Consequently, any consent has to be explicit, and this requirement cannot be overridden by the benefits that the relevant technology provides.
He added: "The case raises significant data governance and accountability issues that require monitoring. We therefore plan to follow up the enforcement notice with an audit that will assess HMRC’s compliance with good practice in the processing of personal data."
Another requirement under the GDPR is that controllers must complete a data protection impact assessment (DPIA) before processing any data, including biometric data, that can pose a high risk to a person’s rights. This has to be followed up by acting on any risks that are identified.
In addition, there has to be accountability that involves demonstrating compliance with the GDPR, with appropriate technical and organisational measures in place.
Wood concluded: “With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”