The Information Commissioner’s Office (ICO) has issued Bank of Ireland UK with a reprimand for mistakes made on more than 3,000 customers’ credit profiles.
Bank of Ireland UK sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders decide whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.
The investigation found that, due to the complex nature of credit scoring and the different factors contributing to it, it would be impossible to determine the actual damage caused to each customer. However, the ICO concluded it was reasonable to assume that the inaccurate data sent by Bank of Ireland UK to credit reference agencies would have had a negative impact on the customers affected.
Reported to the ICO in March 2021, Bank of Ireland UK was found to be in breach of data protection law by failing to ensure personal data was accurate (article 5(1)(d) of GDPR).
“Mistakes made by financial institutions can have far-reaching consequences on people’s everyday lives. Some of the customers affected could have been refused mortgages, loans or credit cards, as well as being unable to get mobile phone contracts, insurance policies or sign up with utility companies. The mistake made by Bank of Ireland UK could have potentially caused misery for thousands of people.
“We do however recognise the steps the bank has taken to correct their error, supporting affected customers and reviewing its data-management processes. Therefore, we believe a reprimand is the best, fairest outcome, and that lessons have been learnt to avoid mistakes like these in the future.”
- Natasha Longson, ICO Head of Investigations
Steps recommended in the reprimand to ensure Bank of Ireland UK’s compliance with data protection include continuing to support affected customers, ensuring that robust processes are in place and reviewed regularly, and sharing learnings across the organisation to prevent a repeat of the issue.
The full reprimand can be read here.
Notes to editors
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.