
Data Protection Commission concludes investigation into Bank of Ireland data breaches


On March 14, 2022, the Data Protection Commission (“DPC”) issued a decision regarding 22 personal data breach notifications that Bank of Ireland Group plc (“BOI”) made concerning the Central Credit Register (“CCR”), a mandatory national credit reporting system operated by the Central Bank of Ireland. The breaches included unauthorized disclosure of customer personal data to the CCR and accidental alteration of customer personal data on the CCR.

The DPC imposed administrative fines totaling €463,000 and ordered the BOI to modify its technical and organizational measures in order to strengthen the security of its processing. The main highlights of the decision are:

Definition of Personal Data Breaches

The majority of data breach notifications were about inaccurate customer data uploaded to the CCR by the BOI, which gave an erroneous view of customers’ finances and credit history. On a preliminary basis, the DPC determined that 19 of the 22 reported breaches met the definition of “personal data breach” under Article 4(12) of the GDPR, which defines “personal data breach” as “a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The DPC confirmed that the definition of “security measures” under Article 32(1) of the GDPR includes the ability to ensure the continued integrity of processing systems and services, in addition to the ability to restore the availability of personal data in the event of a technical incident. The DPC has confirmed that a “security breach” is not limited to a technical incident or unauthorized disclosure of personal data and may include internal processing operations that result in accidental and unlawful alteration of personal data.

While this broad view of the definition of a personal data breach is arguably in line with market practice in Ireland, it is likely to give data controllers pause when considering their reporting obligations. In particular, controllers may have previously considered that an unauthorized disclosure caused by a system error did not constitute a personal data breach because it did not result from a breach of security in the more technical sense.

Notification requirements

In 17 cases, the BOI violated Article 33 by failing to report data breaches without undue delay or in sufficient detail. The DPC emphasized that organizations should have measures in place to detect breaches in a timely manner.

In 14 incidents, the BOI breached Article 34 by failing to notify data subjects of the data breach without undue delay in circumstances where it was likely to result in a high risk to the rights and freedoms of data subjects. The DPC noted that, in some cases, the delay in notification may have prevented affected individuals from taking mitigating actions to protect themselves.

The DPC pointed out that although a personal data breach triggers notification obligations under Articles 33 and 34 of the GDPR, the mere existence of a data breach is not conclusive proof that there has been a violation of any of the provisions of the GDPR.

Technical and security measures

The DPC found that the BOI breached Article 32(1) by failing to implement technical and security measures to ensure a level of security appropriate to the risk presented by its actions of transferring customer data to the CCR. Specifically, the BOI did not have an error management procedure in place at the time of the incidents and it did not engage an appropriate level of subject matter experts when designing its technical and organizational measures.

The decision of the DPC underlines the importance of ensuring both the security and the integrity of personal data. In the context of data transfers between organisations, this imposes an obligation on data controllers to prevent any alteration or corruption of personal data in a manner likely to present a risk to data subjects. The importance of robust technical and organizational measures, as a tool for preventing and repairing data breaches, was again underlined by the DPC.

In the context of credit information providers, it should be borne in mind that there will inevitably be times when an incorrect statement is made to the CCR. However, the DPC’s decision emphasizes that in the event of an incorrect report, it should be determined whether notification is required to the DPC or to the data subject.