The Irish League of Credit Unions (ILCU) is asking the central bank to assure it can protect personal data of people who have to register with it following disclosure of information to a third party.
The name, date of birth and first four lines of the home address of around 50 credit union chairpersons and chief executives were accidently included in a reply to an individual requesting information, for business reasons, on credit unions beneficial ownership.
The recipient was only entitled to restricted access to material in the bank’s register of statutory records of the owners of corporate and legal entities, including credit unions.
The bank has apologised to the affected office holders and says it will take all necessary steps to reduce the likelihood of the error happening again, the country’s media reported.
Credit unions are mutual saving and lending societies owned by their members, with the chairpersons and chief executives listed as beneficial owners in the bank’s register.
“The ILCU has written to the head of registers service at the central bank to convey the concern caused among volunteer officers and chief executives of the credit union sector,” the league said.
“We have also sought a copy of the privacy notice with respect to the register and assurances with respect to the safeguards in place to protect the personal data on the register.”
The data breach, which came to light this week, occurred on 20 April. The bank reported it to the Data Protection Commission a month later and a letter sent to the affected parties was dated 24 June.
The bank said: “[We] identified and contacted impacted data subjects as soon as possible, where it was possible to do so.”
It added the recipient told the bank they had not shared the privileged information and had deleted the data.
Under recent legislation the bank has to now record extra information: the personal public service numbers (PPSN) of those on the register as a validation mechanism. The bank intends to introduce that requirement before year-end.
That is causing more concern for the credit unions. “The ILCU has requested a copy of the data protection impact assessment as it relates to the decision to process the PPSN of beneficial owners for the purposes of confirming their identity as it does not appear to be necessary or proportionate to process the PPSN of beneficial owners in the current circumstances,” it said.
The bank contended: “[We are] very conscious of the necessity to ensure the protection of all personal data under our control.”
PrivSec Global is back for another 2 information-packed days, featuring a series of brand new topics and themes.