The Data Protection Commission Concludes Inquiry into Bank of Ireland Data Breaches
On 14 March 2022, the Data Protection Commission (“DPC”) handed down a decision in respect of 22 personal data breach notifications that Bank of Ireland Group plc (“BOI”) made to the DPC between 9 November 2018 and 27 June 2019. The notifications related to the corruption of information in BOI’s data feed to the Central Credit Register (“CCR”), a national mandatory credit reporting system operated by the Central Bank of Ireland. The breaches included unauthorised disclosure of customer personal data to the CCR and accidental alteration of customer personal data on the CCR.
The DPC imposed administrative fines totalling €463,000 and ordered BOI to make changes to its technical and organisational measures in order to enhance the security of its processing. The key highlights of the decision are as follows:
Definition of Personal Data Breaches
The majority of the data breach notifications concerned inaccurate customer data uploaded to the CCR by BOI which gave an erroneous view of customers’ finances and credit history. As a preliminary issue, the DPC determined that 19 of the 22 reported breaches met the definition of “personal data breach” under Article 4(12) of the GDPR, which defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The DPC confirmed that the definition of “security measures” under Article 32(1) GDPR included the ability to ensure the ongoing integrity of processing systems and services in addition to the ability to restore the availability of personal data in the event of a technical incident. The DPC confirmed that a “breach of security” is not limited to a technical incident or unauthorised disclosure of personal data and can include internal processing operations that result in the accidental and unlawful alteration of personal data.
Although this broad view of the definition of a personal data breach is arguably consistent with market practices in Ireland, it is likely to give pause for thought to controllers when considering their reporting obligations. In particular, controllers may previously have taken a view that an unauthorised disclosure caused by a systems error did not constitute a personal data breach as it did not arise from a breach of security in a more technical sense.
Notification Requirements
In 17 cases, BOI breached Article 33 by failing to report the data breaches without undue delay or without sufficient detail. The DPC emphasised that organisations should have measures in place in order to detect breaches in a timely manner.
In 14 incidents, BOI breached Article 34 by failing to notify data subjects of the data breach without undue delay in circumstances where it was likely to result in a high risk to the data subjects’ rights and freedoms. The DPC noted that in some instances the delay in notification may have prevented data subjects from taking mitigating steps in order to protect themselves.
The DPC highlighted that although a personal data breach triggers notification obligations under Articles 33 and 34 of the GDPR, the mere existence of a data breach is not conclusive that there has been an infringement of any provisions of GDPR.
Technical and Security Measures
The DPC found that BOI had breached Article 32(1) by failing to implement technical and security measures to ensure a level of security appropriate to the risk presented by its actions in transferring customer data to the CCR. Specifically, BOI did not have an error management procedure in place at the time of the incidents and it failed to involve a suitable level of subject matter experts at the design stage of its technical and organisational measures.
Comment
The DPC’s decision highlights the importance of ensuring both the security and the integrity of personal data. In the context of data transfers between organisations, this imposes a duty on controllers to prevent any alteration to, or corruption of, personal data in a manner that may pose a risk to data subjects. The importance of robust technical and organisational measures, as a tool for both preventing and remedying data breaches, was once again emphasised by the DPC.
In the context of Credit Information Providers, it is worth bearing in mind that there will inevitably be times when an incorrect report is made to the CCR. However, the DPC’s decision highlights that where an incorrect report arises, consideration should be given as to whether a notification is required to the DPC or the relevant data subject.
Also contributed by Laura Lambe
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
Select how you would like to share using the options below