DUBLIN, Ireland–Credit union executives in this country were not informed by Ireland’s regulator that their personal data had been wrongly turned over to a third party until more than two months after it occurred.
The Central Bank, which regulates Ireland’s credit unions, has written to approximately 50 credit unions informing them that the names and home addresses of chairpersons and chief executives had been mistakenly disclosed to a third party. The breach has raised security concerns around those affected, reported the Irish Times.
The Irish Times, which said it has seen the Central Bank letter, reported the breach occurred on April 20th following an information request by an individual, but was not reported to Ireland’s Data Protection Commission until May 20th. The letter informing the CU leaders of the breach was dated June 24th.
According to the Times, the Central Bank told credit union officials it requested the report containing the personal information “be deleted by the recipient,” and that it had received confirmation this had occurred on May 19. The Data Protection Commission was informed the following day.
Law Requires No ‘Delay’
The regulator is required by law to report data breaches “without undue delay,” according to the Times.
In a statement, the Central Bank said it “identified and contacted impacted data subjects as soon as possible, where it was possible to do so.”
According to the Irish Times, the regulator has apologized to the parties affected and said it would “take all necessary steps to reduce the likelihood of this happening again”.
The identity of the individual who received the information has not been revealed, with the Central Bank saying the matter is related to the “beneficial ownership register in respect of certain financial vehicles”.
The register holds the statutory records of the owners of corporate and legal entities, including credit unions, the Times reported, adding the Central Bank said recent legislation will soon require the collection and use of PPS numbers as a “validation mechanism” for those on the register.
Irish League Responds
The Irish League of Credit Unions (ILCU) has expressed concern over the breach, which also involved dates of birth, and said there were fresh concerns over the requirement on local credit union executives – many of them volunteers – to hand over PPS numbers.
“The ILCU has written to the head of registers service at the Central Bank to convey the concern caused among volunteer officers and chief executives of the credit union sector, and in particular, in light of the fact that credit unions will soon be required to provide the PPSN of beneficial owners for the purposes of this register,” the ILCU stated, according to the Times.
“The ILCU has requested a copy of the data protection impact assessment as it relates to the decision to process the PPSN of beneficial owners for the purposes of confirming their identity as it does not appear to be necessary or proportionate to process the PPSN of beneficial owners in the current circumstances.”