The Data Protection Commission (DPC) recently published its decision following a formal inquiry into the Irish Credit Bureau DAC (the ICB) following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.
The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.
The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.