This morning the Data Protection Commission published a decision in respect of infringements of GDPR by Bank of Ireland that highlights the importance of effective Data Quality controls and culture in organisations of all sizes. In this decision, the DPC levied an administrative fine on Bank of Ireland for infringements of Articles 32 and 34 of GDPR. The total fine levied was €463,000. However, the decision (in my opinion) took a scenic route to the right conclusion. That was possibly influenced by the fact that the initial investigation was triggered by breach notifications. But it sheds light on the role of data quality management in effective data protection compliance!

Background

The decision centred on a series of 22 personal data security breaches that were notified by Bank of Ireland to the Data Protection Commission between 2018 and 2019. Many of these incidents involved the linking of incorrect parties to loan details that were subsequently submitted to the CCR (Central Credit Register), or the reporting of incorrect details of loan agreements to the CCR due to “technical coding errors”.

In her decision, the Commissioner gives consideration as to whether the reported incidents fell within the scope of a “personal data breach” as defined under Article 4(12) of GDPR.

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

In doing so, the Commission places heavy emphasis on the concepts of alteration of data and the authority, or lack of authority, to disclose data. As the issues came to light from breach notifications filed by the Bank, this focus is understandable. The DPC highlights that when data is shared or disclosed, it must be done in a manner which ensures the integrity of the data; where data that should not have been shared is shared, or where loan restructuring events are misreported, the integrity of the data for the secondary reporting purposes is undermined. It is also interesting that the DPC has taken the view that data quality controls fall within the scope of Article 32(1)(b)’s concept of “integrity” of data and, as such, an absence of effective organisational and technical controls for data quality is as relevant a consideration under Article 32 as an absence of password protection and role-based access to systems.

However, many of the issues that the DPC looks at through the lens of Article 5(1)(f) (Security) could equally have been actioned as breaches of Article 5(1)(d) (Accuracy), because the root cause of the security issue was a failure of the bank to implement appropriate technical and organisational measures to ensure the quality of data. I’d also suggest that the question of “authorisation” of processing could have been considered in the context of the lawful basis for processing under Article 6 of GDPR and Article 5(1)(a). Bluntly: if data disclosed to the CCR was outside the scope of data that should have been disclosed under the Credit Reporting Act 2013, then there is no legal basis for that processing and we find ourselves facing a more direct route to the same overall conclusion.

The Data Quality Dimension

Scanning down through the 20 incidents that the DPC has determined meet the threshold of being a personal data breach under Article 4(12), it’s clear that the vast majority of them resulted in an unauthorised disclosure of personal data, or the alteration of personal data, due to the absence or the abject failure of controls to protect the quality of data. Failures of basic data quality checks resulted in data being processed in ways which negatively impacted data subjects.

  • Data extract processes were incorrectly specified so that data that should not have been included was included. For example:
    • people resident outside Ireland,
    • loans that were cleared before 2017, when reporting obligations commenced,
    • borrowers who were no longer linked to a loan account being relinked,
    • persons who had exited an insolvency arrangement,
    • failure to properly identify primary cardholders on business credit card accounts, resulting in business cards being linked to personal credit profiles.
  • Loan restructuring events being reported incorrectly:
    • recording details inaccurately, giving rise to an impression of financial distress.
  • Loan agreement information being recorded incorrectly in the CCR due to a “technical coding error”:
    • the DPC considered this to be an alteration of personal data, and I can see the argument here: data that was recorded one way originally was subsequently changed when it was “coded” or input into the Bank’s loan systems.

These all represent classic data quality problems arising from failures to implement basic business rules and to ensure appropriate controls over the quality of data as it was transcribed, transferred, and transformed within the bank. The issue of personal data breaches only arises where the data is disclosed to the CCR. In those cases, the data is considered by the DPC to have been “altered” (changed from the original form or incorrect linkages or inferences created) as a result of ineffective or non-existent organisational or technical controls. The Commission also considers data disclosed that was outside the scope of the Credit Reporting Act 2013 to have been disclosed without any authorisation.
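As an added illustration (not code from the decision, the Bank or the CCR), the following Python encodes the extract business rules that the incidents above show failing as a pre-disclosure validation gate: each record is checked against every rule, and anything that trips a rule is held back with a reason rather than sent to the register. The reporting cut-off date, the restructuring event codes and the sample records are constructed assumptions.

```python
from datetime import date

# Assumption: obligations commenced in 2017; the exact cut-off is a placeholder.
REPORTING_START = date(2017, 1, 1)
VALID_RESTRUCTURE_CODES = {"TERM_EXTENSION", "ARREARS_CAPITALISATION"}  # constructed

def check_record(rec):
    """Return the reasons this record must not be disclosed (empty list = clean)."""
    reasons = []
    if rec["resident_country"] != "IE":
        reasons.append("borrower resident outside Ireland")
    cleared = rec["cleared_date"]
    if cleared and cleared < REPORTING_START:
        reasons.append("loan cleared before reporting obligations commenced")
    if not rec["borrower_linked"]:
        reasons.append("borrower no longer linked to this loan account")
    if rec["insolvency_exited"]:
        reasons.append("person has exited an insolvency arrangement")
    if rec["account_type"] == "business_card" and not rec["primary_cardholder_identified"]:
        reasons.append("business card without an identified primary cardholder")
    if rec["restructured"] and rec["restructure_code"] not in VALID_RESTRUCTURE_CODES:
        reasons.append("restructuring event recorded with an unrecognised code")
    return reasons

def validate_extract(records):
    """Split an extract into records cleared for disclosure and a rejection log."""
    accepted, rejected = [], []
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            rejected.append((rec["loan_id"], reasons))  # goes back to the data owner
        else:
            accepted.append(rec)
    return accepted, rejected

def record(loan_id, **overrides):
    """Constructed clean borrower record; overrides inject one or more defects."""
    base = {"loan_id": loan_id, "resident_country": "IE", "cleared_date": None,
            "borrower_linked": True, "insolvency_exited": False,
            "account_type": "personal_loan", "primary_cardholder_identified": True,
            "restructured": False, "restructure_code": None}
    return {**base, **overrides}

SAMPLE_EXTRACT = [  # constructed records, not real borrowers
    record("L001"),
    record("L002", resident_country="GB"),
    record("L003", cleared_date=date(2015, 3, 1), borrower_linked=False),
    record("L004", account_type="business_card", primary_cardholder_identified=False,
           restructured=True, restructure_code="XX"),
]
```

Only L001 passes; the rejection log lists every rule each of the other records breaks, which is what a data owner needs to fix the extract specification rather than the symptom.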

The Data Quality Implications

We now have a decision from the DPC that tells us that data quality errors will amount to a personal data breach if they result in an impact on the integrity of data as a result of personal data being altered. The alteration can include the linking of data erroneously or the creation of incorrect inferences within data. But it can also, very simply, relate to the integrity of data as it moves through an organisation’s processes. The DPC has also determined that the disclosure of data that is inaccurate or which is outside the scope of a statutory basis that might apply to processing means that it is disclosed without authorisation.

If we take this decision alongside the long-standing findings of UCC/IMI that less than 3% of Irish businesses have data quality that is fit for purpose, it’s clear that many organisations may be running an unmitigated data protection risk that can result in significant fines.

Therefore, organisations need to take two key lessons away from this decision:

  • Data quality issues need to be addressed in a systemic and systematic manner so that data that is disclosed to third parties can be a trusted and reliable source of information about or relating to people.
  • Effective data quality controls need to be an important part of your data protection and data security toolbox in organisations of any size so that you can demonstrate compliance with both the Accuracy and the Confidentiality and Integrity principles under GDPR.

Speaking personally, I would be suggesting that Bank of Ireland’s fines are a canary in the coal mine for organisations, particularly those in financial services, who may be disclosing data to third parties without robust data quality controls. I have recently completed an expert witness report for a High Court case involving disclosure of inaccurate information by a lender to the CCR. I expect this to be one of many such cases.

How can Castlebridge Help?

We’ve been delivering data quality training to organisations of all sizes for over a decade. I’ve personally been working with organisations on data quality management challenges for over two decades. So there’s a lot we can do to help.

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.