The bank submitted incorrect information to the Central Credit Register (CCR), which is managed by the Central Bank of Ireland.
Bank of Ireland has been fined €463,000 by the Data Protection Commissioner for messing up customers’ account details that could have affected their credit ratings. The fine was also based on the bank not telling customers about the issue on time, while Commissioner Helen Dixon has ordered the bank to fix its sub-par data processing systems.
The data breaches involved, which occurred between 2018 and 2019, relate to cases where the bank submitted incorrect information to the Central Credit Register (CCR), which is managed by the Central Bank of Ireland.
The CCR helps a lender to decide if it should approve an application for a loan or not, as well as giving the Central Bank better insights into patterns of lending in the broader economy.
The overall €463,000 fine was broken up into chunks, attributable to each data mistake that Bank Of Ireland made.
The biggest chunk — €250,000 — was imposed for the bank having poor data processing systems in place.
“I have given regard to the fact that the lack of technical and organisational measures in place manifestly contributed to the personal data breaches that occurred,” said Commissioner Helen Dixon.
The next biggest chunk — €125,000 — was partially for the length of time it took the bank to tell 47,000 customers about one of the its main errors, where the details of some loans and mortgages weren’t correctly reported to the CCR. This included “the false impression given of some borrowers that they were in financial distress”.
“I have been influenced by the length of the delay it took BOI to issue a communication to data subjects after it became aware of the personal data breach,” said Ms Dixon. “I have also had regard to the large number of data subjects which were affected by this infringement (approximately 47,000) and the number of complaints BOI received from customers.”
It’s not the first time that the Irish DPC has imposed a fine for credit-related issues. Last years, it fined the Irish Credit Bureau €90,000 for messing up the credit score details of 15,000 people, possibly affecting their financial reputations.
Bank Of Ireland also came in for harsh criticism by the data regulator on its data processing systems, identified as a key reason the bank messed up its customers’ information.
“I order Bank Of Ireland to bring its processing operations into compliance with Article 32 of the GDPR in the terms set out in the table below through implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks,” she said.
“It is my view that these orders are appropriate, necessary and proportionate in view of ensuring compliance with Article 32 of the GDPR. In this regard, I acknowledge BOI’s on-going remedial actions and strategic transformation, as outlined in submissions throughout the inquiry. However, it is my view that this order is necessary and proportionate in light of the importance of ensuring that full effect is given to BOI’s obligation to implement appropriate technical and organisational measures, having particular regard to the high quantity, highly sensitive personal data of data subjects processed by BOI.”
A spokesperson for Bank Of Ireland said that it will implement the changes “as quickly as possible”.
“Between November 2018 and June 2019 Bank of Ireland notified the Data Protection Commission of a number of personal data breaches relating to errors in information it submitted to the Central Credit Register,” said the spokesperson. “The fine and corrective actions imposed today by the Data Protection Commission arise from these breaches and the Bank’s delay in communicating with impacted customers.
“Bank of Ireland fully acknowledges, and sincerely apologises for, these breaches. The Bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way. The Bank has notified all impacted customers. It has rectified the inaccurate information reported to the CCR in all but 20 cases which will be corrected shortly. It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.
“The Data Protection Commission has mandated further measures and work has already begun to put these in place. The Bank has engaged fully and proactively with the Commission during its inquiry and will continue to do so as it implements these additional measures as quickly as possible.”