The lender sent incorrect outstanding balances to credit reference agencies and the ICO said the incorrect data could have led to people being “unfairly refused” for mortgages, credit cards, loans or given more credit than they could afford.
This occurred between 2018 and 2020 and was reported to the ICO in March 2021. The Bank of Ireland UK was found to be in breach of data protection law by failing to ensure customers’ personal data was accurate.
This related to accounts which had been sold to debt collectors and because this was infrequent, the Bank of Ireland UK staff operated a manual process to enter a reference which indicated a loan had been sold. Failure to do so meant the loan looked like it was owned by the Bank of Ireland with an outstanding balance. In some cases, the purchaser of the debt also displayed the outstanding balance, meaning it was recorded twice and looked as though the customer had a double default.
The lender tried to fix this in 2019 but was unable to explain why processes were not brought in to stop future errors.
Since 2019, there had been 115 more inaccurate cases.
The ICO said it was hard to determine the impact of the errors, but said it was “reasonable to assume” they had a negative effect.
The lender has notified affected subjects where necessary and corrected the accounts. It is also reviewing its debt sale process and has suspended this until appropriate measures are in place.
Bank of Ireland UK introduces additional checks
A spokesperson for Bank of Ireland UK, said: “Bank of Ireland UK acknowledges the reprimand from the Information Commissioner’s Office. We take very seriously our regulatory and compliance obligations, and our duty to customers and regret that we fell short in this instance.
“The bank has rectified the technical issue which caused the errors and introduced additional checks to improve data management and oversight.
“Once we identified and reported the issue, we engaged fully and proactively with the commissioner throughout the investigation.”
The ICO said it recognised that the Bank of Ireland had already made progress to improve its compliance with GDPR.
Natasha Longson, head of investigations at the ICO, said: “Mistakes made by financial institutions can have far-reaching consequences on people’s everyday lives. Some of the customers affected could have been refused mortgages, loans or credit cards, as well as being unable to get mobile phone contracts, insurance policies or sign up with utility companies. The mistake made by Bank of Ireland UK could have potentially caused misery for thousands of people.
“We do however recognise the steps the bank has taken to correct their error, supporting affected customers and reviewing its data-management processes. Therefore, we believe a reprimand is the best, fairest outcome, and that lessons have been learnt to avoid mistakes like these in the future.”
