Data Protection Commissioner
Data Protection Commissioner

CASE STUDY 4/00

Financial institutions – Irish Credit Bureau – credit referencing – incompatible disclosure – "close matches"

An individual made an access request to the Irish Credit Bureau (ICB), the main credit referencing body in Ireland, to see his credit record. On receiving the information, he noticed that a number of financial institutions, with which he had never had any dealings, had viewed his credit record. The individual was concerned that his private financial affairs had been disclosed in contravention of the Data Protection Act.

In the course of our investigations into this matter, my Office established that the financial institutions involved had made a credit check relating to another individual who shared a similar (but not identical) name and similar (not identical) address. The ICB returned information relating to the complainant, on the basis that his details were a "close match" to those supplied by the financial institutions. The ICB defended this practice, arguing that, in the absence of a unique personal identifier or precise postal codes, and in the light of Gaelic name variations, determining identity with precision was not an exact science in the Irish context.

While noting the general point made by the ICB, I did not see that were was any justification for the supply of data relating to the complainant in this particular case. Certainly, the financial institutions which had been given the complainant's details were able to discern that information had been "over-supplied", and could identify and dispose of the information relating to the complainant. The real issue in this case was a procedural one, as to whether sufficient effort had been made by the ICB to ensure that financial institutions were supplied with personal data relating only to those people who had applied to them for credit. The facts in this case indicated to me that there was room for, and a necessity for, improvement in this regard.

The incidents in this case occurred a number of years ago, and since then the ICB has endeavoured to upgrade its procedures. However, it is clear to me that the general practice of providing "close matches", and leaving it up to financial institutions to identify and discard excessive information, runs the inevitable risk of disclosing people's confidential financial details to institutions which have no business in seeing these details. Accordingly, any such practice will fall foul of data protection law. My views on the correct standards of data protection that should apply in the credit referencing sector are set out in some detail in Part 3 of my Annual Report for 2000.