The Central Bank, which has happily doled out more than €400 million of fines to financial institutions and individuals in the past 17 years for all manner of wrongdoing, has seen the tables turned on it, with confirmation on Friday that the Data Protection Commission (DPC) has started an inquiry into the regulator.
The investigation stems from the Central Bank-run Central Credit Register (CCR) holding on to information on borrowers for longer than it should have during the summer.
The CCR is a database that records whether borrowers are meeting repayment agreements on loans of more than €500.
However, the Central Bank revealed in late August that, due to a “technical error”, the CCR had not deleted information for May, June and July 2018 immediately after five years. Consequently, it was included in any credit reports issued to lenders and borrowers between June 1st and August 7th this year.
The Central Bank said on Friday it had established that records of 20,872 borrowers who had performance data pointing to repayment difficulties in May, June or July 2018, which were the three additional months that should have been deleted, were accessed by either lenders or borrowers.
It found that the breach did influence nine credit decisions, mainly relating to personal loans or credit card products. As many as a further 41 cases may also have been affected, though the relevant lenders have not yet been able to confirm this.
The Central Bank was at pains to point out it had written to borrowers deemed to have been at highest risk of being impacted by the breach – and it has managed to get lenders to confirm the excess information will not impact on any new applications. It has also commissioned a broader external review of data management and data protection controls in place around the CCR.
But news that the DPC has begun an inquiry will no doubt raise eyebrows across firms the Central Bank has fined in the past – even in cases where the firms had reported the issues themselves.
While the DPC is allowed to fine a company up to €20 million or 4 per cent of annual global turnover for GDPR non-compliance, the maximum for public bodies or authorities is €1 million. It makes little sense to levy higher charges on public entities, given that the money – as with Central Bank fines – is handed over to the exchequer in the end anyway.
But make no mistake, the DPC's move is deeply embarrassing for the Central Bank.