Central Bank took two months to inform credit unions of data breach

Credit unions say there are now fresh concerns over requirement to hand over PPSNs

The Central Bank headquarters in Dublin. Photograph: iStock
The Central Bank headquarters in Dublin. Photograph: iStock

Credit union executives were not told by the Central Bank that their personal details had been wrongly handed over to a third party until more than two months after the mistake occurred, it has emerged.

The Central Bank, which regulates the sector, wrote to about 50 credit unions informing them that the names and home addresses of chairpersons and chief executives had been mistakenly disclosed to a third party. The breach has raised security concerns around those affected.

The letter, seen by The Irish Times, said the breach occurred on April 20th on foot of an information request by an individual, but was not reported to the Data Protection Commission until May 20th. The letter informing affected parties was dated June 24th.

The Central Bank told credit union officials that it requested the report containing the personal information “be deleted by the recipient”. It received confirmation this had occurred on May 19th, and the Data Protection Commission was informed the following day.

READ SOME MORE

The regulator is required by law to report data breaches “without undue delay”. In a statement, it said it “identified and contacted impacted data subjects as soon as possible, where it was possible to do so”.

It apologised to the parties affected and said it would “take all necessary steps to reduce the likelihood of this happening again”.

The breach occurred on foot of an information request from an unnamed individual in relation to the Central Bank’s “beneficial ownership register in respect of certain financial vehicles”.

PPSN concerns

The register holds the statutory records of the owners of corporate and legal entities, including credit unions. The Central Bank said recent legislation will soon require the collection and use of PPS numbers as a “validation mechanism” for those on the register.

The Irish League of Credit Unions (ILCU) on Tuesday expressed concern over the breach, which also involved dates of birth, and said there were fresh concerns over the requirement on local credit union executives – many of them volunteers – to hand over PPS numbers.

“The ILCU has written to the head of registers service at the Central Bank to convey the concern caused among volunteer officers and chief executives of the credit union sector, and in particular, in light of the fact that credit unions will soon be required to provide the PPSN of beneficial owners for the purposes of this register,” it said.

“The ILCU has requested a copy of the data protection impact assessment as it relates to the decision to process the PPSN of beneficial owners for the purposes of confirming their identity as it does not appear to be necessary or proportionate to process the PPSN of beneficial owners in the current circumstances.

“We have also sought a copy of the privacy notice with respect to the register and assurances with respect to the safeguards in place to protect the personal data on the register.”

The Central Bank said the collection of PPS numbers “will commence from the fourth quarter” of this year. It added that was “very conscious of the necessity to ensure the protection of all personal data under our control”.

Colin Gleeson

Colin Gleeson

Colin Gleeson is an Irish Times reporter