The Information Commissioner’s Office (ICO) has issued a reprimand to the Bank of Ireland in relation to infringements of Article 5(1)(d) and Article 5(2) of the UK GDPR.
Article 5(1)(d) of the UK GDPR is known as the accuracy principle. The accuracy principle confirms that personal data shall be kept accurate and up to date and that reasonable steps should be taken to erase or rectify any inaccurate data without delay.
Article 5(2) of the UK GDPR is known as the accountability principle. The accountability principle requires a data processor/controller to take responsibility for what they do with personal data and how they comply with the principles. Measures and records should be in place to demonstrate compliance.
Background
As part of its financial obligations, the Bank of Ireland is required to routinely report to credit reference agencies. It has a system in place that calculates and reports any balance owed and any default notices.
The Bank of Ireland became aware that it had sent inaccurate data to a credit reference agency. After conducting a full internal investigation, the Bank of Ireland discovered that it had sent inaccurate data in relation to 3,284 data subjects. The data subjects had defaulted on their loan accounts, which had resulted in their accounts being sold to debt collectors.
The Bank of Ireland did not have an automated system for flagging accounts that had been sold. Staff members were required to manually enter the appropriate system reference indicating that the loan had been sold. If this was not done, the loan would show as still being owned by the Bank of Ireland with an outstanding balance and would be reported to the credit reference agencies as such. In most cases, the purchaser of the debt also reported the debt to the credit reference agencies, meaning the debt was recorded on the data subject’s credit profile twice.
The ICO’s findings
The ICO found that the Bank of Ireland failed to take reasonable steps to ensure that accurate personal data was recorded with the credit reference agencies. It further found that whilst the Bank of Ireland did have risk management measures in place in relation to debt sales, it failed to identify the importance of the sold debt flag.
The ICO did, however, acknowledge the remedial steps taken by the Bank of Ireland after discovering the breach. It had informed and supported the affected data subjects, corrected all affected data, reviewed the whole debt sale process to identify weaknesses and suspended its debt sales until the review had concluded.
Notwithstanding the remedial steps taken, the ICO still decided to exercise its power under Article 58(2)(b) of the UK GDPR and issued the Bank of Ireland with a reprimand. Within the reprimand, the ICO recommended some further action to be taken.
The ICO recommended that the Bank of Ireland take the following further steps:
- Continue to provide support to mitigate any potential detriment to the affected data subjects;
- Assess any new processes and continue to monitor them over a period of time to ensure that they continue to prevent another incident in the future; and
- Share the learning from this experience across the organisation.
Comment
The above reprimand is a reminder that it is always important to ensure that the data you are processing is accurate. If you become aware that the data you are processing is no longer accurate, you need to ensure that it is rectified without delay.
How can we help
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.