Ireland’s Central Bank is being assessed by the Data Protection Commission (DPC) for holding onto the personal info of thousands of borrowers for longer than legally allowed. Credit histories of at least 20,000 people were accessible to lenders when they should have been deleted.
The DPC has launched a full-blown investigation into the Central Bank’s slip-up. Word around town is that this breach might result in one of the heftiest fines ever slapped on a public body for data contravention. To put it in perspective, under Irish law, the DPC can impose a fine of up to €1 million on a public sector institution for data breaches. That’s a pretty penny!
This whole debacle started when the Central Bank retained borrowers’ details on the Central Credit Register (CCR) for three months longer than the legal limit. Instead of being deleted after five years, details from May, June, and July 2018 were not removed in time and were included in credit reports issued between June 1 and August 7 this year. This affected at least 50 credit decisions, meaning the individuals or companies concerned may have been rejected for loans due to this error.
This isn’t just a case of someone hacking into the Central Bank’s system. This breach sheds light on issues of “basic, fundamental data quality control” and governance at the bank. The bank has expressed regret and apologized for the error, promising measures to prevent such an occurrence in the future. However, with an investigation underway and a hefty fine looming, this could be a costly lesson for the Central Bank.