The Data Protection Commission (DPC) recently published its decision following a formal inquiry into the Irish Credit Bureau DAC (the ICB) following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.

The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.

The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.

Finding

The DPC found that the inaccuracy was sufficient to give rise to an infringement by the ICB of Article 25(1) (Data Protection by Design and by Default) of the GDPR. It held that the ICB had failed to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner, and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. Moreover, the DPC found that the ICB had infringed Article 5(2) (Accountability) and Article 24(1) (Responsibilities of Controller) of the GDPR, by failing to demonstrate compliance with its obligation, pursuant to Article 25(1) of the GDPR, to undertake appropriate testing of proposed changes to its database.

The DPC highlighted that the appropriate technical and organisational measures that the ICB ought to have implemented included:

  • a technical measure to prevent payment profile updates to closed accounts; and
  • a comprehensive documented change management process that made express provision for, amongst other things, the testing of coding changes and a formal approval procedure for proposed coding changes.

The DPC highlighted that Articles 5(2) and 24(1) GDPR are crucial to the oversight and enforcement actions of supervisory authorities, and noted in this regard that the ICB’s failure to document the testing of coding changes had prevented the DPC from analysing the adequacy of that testing.

However, the DPC outlined that the ICB had not infringed Article 26(1) (Arrangements between Joint Controllers) of the GDPR in circumstances where the ICB members were not joint controllers in respect of the ICB’s database.

Corrective powers exercised

The DPC’s decision:

  • imposed an administrative fine on the ICB in the amount of €90,000 in respect of the infringements; and
  • issued a reprimand in respect of the infringements.

The reason for that decision and the method for calculating that fine were set out in detail. It is useful to consider the DPC’s logic for its findings, as it demonstrates the DPC’s approach in relation to failure by an organisation to implement appropriate data protection by design controls and to maintain systems testing records.

Factors considered by the DPC in exercising its corrective powers

  • The DPC considered the level of impact to the 15,000 people whose data had been altered, as well as the 1062 people whose data had been disclosed and decisions made on the basis of it.
  • The DPC did not accept that there was minimal impact to the data subjects. It also found that there was a potential for high cumulative impacts and economic disadvantage arising from the error.
  • The DPC also considered the duration of the incident which was just over two months, but as it straddled the GDPR implementation period, the DPC could only apply GDPR principles for half of the period.
  • The DPC also found that the ICB was negligent in its approach to data protection by design and the development and implementation of internal controls and governance over software changes.
  • Mitigating factors which the DPC took into account were:
    • the speed with which the ICB fixed the issue once it was identified;
    • the ICB’s action in asking lenders to contact affected data subjects; and
    • the fact that the ICB had no previous infringements under GDPR.

The ICB’s fine of €90,000 was reduced from €220,000 on consideration of the mitigating factors. Taking account of all the circumstances, the figure of €90,000 amounting to 0.9% of the cap available and 2% of the ICB’s turnover, was deemed appropriate.

Having regard to the measures implemented by the ICB since the personal data breach and during the inquiry, the DPC held that it was not necessary for the decision to order the ICB to take specific action to bring its processing operations into compliance with the GDPR.

Lessons

This was ultimately a data quality and data governance issue that impacted approximately 1,000 data subjects in Ireland. The root cause of the issue was a failure by the ICB to have appropriate data governance controls in place in respect of the development, testing, and deployment of software changes to ensure the integrity of personal data. The failure to maintain appropriate records of systems design, changes and testing will not be a defence against a finding by the DPC such as this.

The DPC’s decision in response to the ICB’s data breach reinforces the importance of taking measures to ensure accuracy of information held in databases, including carrying out appropriate testing of coding changes and of documenting any testing undertaken to demonstrate accountability. Prompt corrective action should be taken in response to any incidents occurring as a result of an organisation’s failure to comply with its data protection by design and by default obligations.