A Central Bank of Ireland investigation into its breach of data protection rules, in which it held personal credit histories for longer than allowed, has found that the breach may have affected as many as 50 credit decisions.
The regulatory authority disclosed in August that it had held borrowers’ details on its Central Credit Register (CCR) for three months longer than a five-year limit on the retention of this information.
It blamed a “technical error” for not deleting information for May, June and July 2018 immediately after five years. Consequently, it was included in any credit reports issued to lenders and borrowers between June 1st and August 7th this year.
The Central Bank is responsible for the CCR, which stores personal and credit information on every person in the State who borrows more than €500.
The internal investigation has established that the records of 20,872 borrowers who had performance data pointing to repayment difficulties in May, June or July 2018 were accessed by either lenders or borrowers during the period of the data breach. The figure was higher than the 20,500 estimate given in August.
These affected borrowers were associated with 31,013 inquiries by lenders during the period, as borrowers may have made more than one credit application, the Central Bank said on Friday.
The excess data did not have any bearing on 30,963 of the credit inquiries, the regulator said, after “extensive engagement with 270 lenders to determine whether, and if so how, the additional credit information influenced their credit decisions”.
However, it did influence nine credit decisions, mainly relating to personal loans or credit card products, it said.
Lenders have not yet been able to confirm whether a further 41 credit inquiries were affected by the excess data, the Central Bank added.
“A phased communication process is under way and the Central Bank has written to those identified as being at highest risk of being impacted by the error. All borrowers associated with applications where lenders have confirmed that the excess data influenced their credit decisions have been contacted,” the authority said.
“The Central Bank has engaged with the lenders to ensure that there is a contact point in place for impacted borrowers should they wish to discuss their previous application or reapply for credit. The lenders have also confirmed the excess information previously received will not impact on any new applications.”
The Data Protection Commission has also commenced an inquiry into the breach, and the Central Bank is starting a “broader external review of the data management and data protection controls in place with respect to the operation of the CCR”, it said.