The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Financial institution - inaccurate credit rating - rectification - notification of third parties to whom incorrect data had been released

The complainants in this case were refused a loan from two financial institutions. They made an access request under the Data Protection Act to a credit bureau to see their credit records. The records indicated that they had in the past taken out three loans with a third financial institution ("Institution A"). While the two most recent loans were shown as having been paid off, the first loan (which had been taken out about six years previously) still appeared to be outstanding as it did not have a reference code to show that it had been paid. In fact, all three loans had been repaid on time.

The complainants took the matter up with Institution A, which had lodged the details with the credit bureau. On reviewing the details, the institution confirmed that the code, showing the first loan to have been completed, had been omitted from the record, and the institution said it had now returned the correct information to the credit bureau. Institution A also said that, notwithstanding the error, the individuals' credit record showed a satisfactory credit approval rating.

The individuals complained to my Office about the inaccuracy of their credit record. I asked Institution A for its views on the matter, in light of the requirement at section 2(1)(b) of the Data Protection Act that the personal data kept by a data controller "shall be accurate and, where necessary, kept up to date". Institution A said that, "due to an administrative error", a return had not been sent by the institution to the credit bureau when the loan had been settled. The institution also claimed that the omission would not have prejudiced the complainants in any way: any other financial institution considering the credit record would know that the first loan must have been paid, because Institution A would not otherwise have given a second and third loan to the same individuals. Finally, the institution said that the human error involved in the case could not be repeated, as the manual method of making returns to the credit bureau had since been replaced with an automated system.

Arising from my Office's investigation of the case, I issued a formal decision in which I concluded that Institution A had failed to keep personal data in respect of the complainants up to date, as required by the Act, and accordingly I upheld the complaint. I rejected the argument that other financial institutions could have inferred that the original loan must have been repaid, as I noted that the second and third loans had been issued before the term of the first loan had expired. While taking account of Institution A's prompt action to correct the inaccurate record as soon as the error was brought to its attention, I explained that the Data Protection Act places a clear and active obligation on data controllers to ensure that data is kept accurate and up to date. In the circumstances, I recommended that the institution should contact all parties who had accessed the inaccurate credit record, notifying them of the correct position. Institution A subsequently complied with this recommendation.

I would emphasise to all data controllers their obligation to ensure the accuracy of their computer records. This is especially important where, as in the case of credit records, inaccuracies can have a significant bearing on people's livelihood. In this regard, data controllers should be aware of section 7 of the Data Protection Act, which provides that individuals may take a civil action against a data controller, where the individual has suffered damage as a result of the data controller's failure to comply with the requirements of the Act.