Question of the month – What can go wrong where manual systems are used to change data?

Data accuracy is not often a top-billed topic in the list of ICO enforcements, but it has been the subject of a recent reprimand.

The Bank of Ireland (BOI) was handed a reprimand by the ICO late last year in relation to supplying inaccurate information (including arrears information) to credit reference agencies. This affected over 3000 individuals. An investigation found that the information “had the potential to lead to unfair refusal or granting of credit to data subjects.”

The inaccurate information related to instances where a debt had been sold by BOI to a debt collector. As this happened in only a few cases, BOI used a manual process, requiring staff to type in an appropriate reference to indicate the loan had been sold. If this was not done, the loan appeared to still be owned by BOI and to have an outstanding balance. In the majority of cases, the debt company also reported the outstanding balance, leading to the appearance of a double default.

BOI had no risk management measures in place in relation to this specific risk and no assurance reviews/audits were undertaken in relation to it.

Prior to the reprimand, BOI had taken several steps to mitigate the damage resulting from the accuracy infringements and the ICO recommended some further actions including:

  • That BOI should continue to support the data subjects (BOI had already been doing this, along with correcting their accounts); and
  • That they should also ensure the learning was shared across the organisation – not just within the department where the issue occurred.

BOI is reviewing the end-to-end debt sale process to identify any weaknesses and to ensure any further issues are identified and mitigated. It has also suspended its debt sales until the review of the process has taken place and new processes have been put in place. The ICO made the point that any such processes should be tested and reviewed to ensure they work effectively.

This raises interesting issues generally. For large organisations, it is a useful reminder that even processes for amending data which don’t affect a large percentage of their customers/clients/members can still result in large numbers of individuals being affected, in this case in a significant, adverse way.

The reprimand can be found here.


