The State’s financial regulator has admitted breaching data protection rules by holding personal credit histories for longer than allowed, possibly hitting 20,500 people seeking loans from banks or other lenders, it emerged on Monday.
The Central Bank of Ireland, which regulates financial services, said it held borrowers’ details on a credit register for three months longer than a five-year limit on the retention of this information.
“This error constitutes a data breach under data protection legislation,” the Central Bank said in a statement. “A key focus of our ongoing investigation is to establish whether any borrowers were impacted by this incident.”
The regulator conceded that the error could have influenced loan applications by up to 20,500 people, but said it could not at this point determine accurately the extent to which it “adversely affected” anyone seeking credit.
No unauthorised third parties had access to the information, nor was any borrower’s data compromised as a consequence, the Central Bank stressed.
The Central Bank is responsible for the Irish Central Credit Register, which stores personal and credit information on every person in the State who borrows more than €500.
Lenders update the data every month, including information on borrowers who miss repayments on mortgages, credit cards, loans, overdrafts or other debts.
Credit institutions can access the register to vet individual loan applications, while borrowers themselves are entitled to any personal information held on them.
The register can only keep the data for a maximum of five years, after which it is automatically deleted.
However, the Central Bank said that information for May, June and July 2018 had not been deleted following a technical error.
Consequently, it was included in any credit reports issued to lenders and borrowers between June 1st and August 7th this year.
“While this information was accurate, the additional three months of information should not have been made available, and constitutes a data breach under data protection legislation,” the bank confirmed.
The bank did not say how many people were on the register at the time. It acknowledged that 20,500 borrowers who had difficulties making repayments during those months in 2018 were the subject of credit enquiries while the unauthorised information was available.
If they were seeking new credit, and lenders obtained records showing that they had problems making repayments, that could have affected the companies’ decisions, the bank noted.
Its officials are trying to establish with credit institutions if the unauthorised information affected their lending decisions in any way.
The bank noted that this would allow it establish if the error had any impact on consumers who attempted to borrow money between June 1st and August 7th.
“Once we have a clearer view of the nature and extent of impacts on borrowers, the Central Bank will seek to communicate directly with those most likely to have been affected,” it said. “It is important to note that the information held on the Central Credit Register is one of many factors that lenders use to determine whether a loan is approved or not.”
It added that the fact that a lender makes a credit inquiry does not mean that the business will use the information in their final decision. The breach has been disclosed to the Data Protection Commission.
So far the bank’s investigation has found that borrowers and lenders made a total of 476,000 enquiries during the period from June to this month when the information that should have been deleted remained on the register.
The regulator apologised for the error, saying that it acted immediately to fix the problem and that the register was now functioning normally.
An inquiry from a member of the public brought the breach to the Central Bank’s attention, it said.