Dáil debates

Thursday, 19 July 2012

2:00 pm

Michelle Mulherin (Mayo, Fine Gael)

There have been a number of cases in which personal financial details were leaked to the media by nationalised banking institutions within the control of the Minister for Finance. It is disgraceful and outrageous that private and confidential banking details of individuals have been put in the public domain via our newspapers. It is clear from reading these articles that they go beyond the basic security or mortgage information available to the public by means of a search of the Land Registry, the Registry of Deeds or the Companies Registration Office. The articles refer to business and personal information that individual customers give to banks when looking for loans or refinancing. This sensitive information does not appear on any public register and the only time it usually comes to light is during the course of litigation or other court proceedings, in which case, where business information is sensitive, aspects of hearings can be held in camera.

This is a new and worrying development among nationalised banks. It is not something that has happened, as far as I am aware, in private banks, other than by accidental or implicit divulgence of sensitive information. It is an implied term of the contract between customers and banks that banks will keep their clients' information confidential. This confidentiality is not only confined to account transactions but extends to all banking information held on behalf of customers. The bank's duty of confidentiality to its customers is fundamental to the relationship between the two parties. A breach of this duty can give rise to legal actions but, unfortunately, significant damage can have been done by the time cases come to court.

I raise this issue because a number of business people in my constituency and, I am sure, those of many other Deputies have expressed concern about it. I am referring to regular business people rather than big developers. They are going through a tough time and are concerned about casual talk regarding their businesses and their relationships with their banks. These rumours are undermining their efforts to put their businesses back on track. Concerns have been expressed that details of settlement and refinancing arrangements which customers negotiate with banks could appear in local newspapers. I ask the Minister for Finance to take a stand on this issue to ensure this new culture does not take over within our State-controlled banks. This is a difficult time for many businesses. Individuals provide sensitive business information in the course of their dealings with banks. We should not allow the publication of this information in our newspapers to become a casual or acceptable practice. There should be serious consequences for those who run the State banks if this practice is not brought under control. If it happened in the private banks, someone would be sacked.

4:00 pm

Brian Hayes (Dublin South West, Fine Gael)

I have been informed by the Minister for Finance that he has not received any complaints about the leaking of personal banking information by nationalised banks to the media. Without knowledge of the specific issue to which the Deputy referred I can only comment on this issue in the most general of terms. Primary responsibility for the safeguarding of customer information rests with the financial institutions themselves. As a shareholder the Government has no role in investigating data breaches in the State-owned financial institutions, although it obviously has an interest in ensuring that the State-owned banks follow best practice in order to protect their customers and the reputation of the institutions.

The Data Protection Commissioner is responsible for ensuring that people's rights are respected and those who hold personal information meet their responsibilities in this regard. The Data Protection Acts make it clear that organisations that hold personal data on individuals owe them a duty of care. This protection also extends to State-owned institutions. In regard to data protection breaches, I understand that the policies in place between the banks and the Data Protection Commissioner are such that breaches are notified immediately to the commissioner upon discovery. These breaches are then investigated internally and appropriate remedial actions are taken. Outside of this process, any individual is entitled under the Data Protection Acts to make a written complaint to the Data Protection Commissioner, who will then deal directly with the relevant organisation. The commissioner will make a full and thorough investigation of all the facts before making a decision. If the complaint is found to be in breach of the electronic communications regulation the commissioner may decide to prosecute the organisation concerned. The commissioner has significant powers to ensure that all organisations act in accordance with data protection laws.

The data protection rules are very specific and are binding on every data controller. A failure to observe these rules is a breach of the Act. It is the responsibility of all institutions to ensure their data on individuals is safe and secure. If any individual suffers damage to his or her reputation, financial loss or mental distress, the data controller of an organisation may be subject to civil sanctions and the individual may be entitled to claim compensation through the courts. I strongly urge any individual who may suffer as a result of the leaking of personal banking information to explore these avenues of resolution.

The protection of customers' data is taken seriously by all of the State-owned financial institutions. Each bank is fully aware of its obligations to safeguard the security of customer data and they employ a wide range of measures to protect the confidentiality and integrity of that information. All banks have strict security protocols for information technology and physical access in order to protect information. They employ dedicated information security personnel, who commonly report to an information technology security council. They also have an information security policy. Bank network repositories and systems have robust password protection and access control, which restricts access to relevant personnel only.

All bank premises are protected by swipe card access control systems and certain areas allow access to designated personnel only. Banks generally also employ what is termed a clean desk policy, requiring all personnel to keep their desks clear of any sensitive or confidential data that should be stored securely. Banks also have mandatory annual training courses for all personnel on the requirements of the Data Protection Acts and their responsibilities under them. The courses also cover ethics and include the banks' code of conduct. I understand all personnel are required to review and electronically accept key policies, such as the code of conduct and information security policy. These policies also inform personnel of the potential consequences of policy breaches. As a shareholder, the Government will continue to work with the institutions to ensure that they take all necessary actions to safeguard the personal banking information of their customers.

Michelle Mulherin (Mayo, Fine Gael)

I am familiar with the procedures and the possibility of complaints being made to the Data Protection Commissioner. I am also aware of certain complaints that have been made to the Data Protection Commissioner. Still, it should not be beyond the capability of the many officials that the Minister, Deputy Noonan, has at his disposal to read the newspapers of recent months to see the type of information that is being put out into the public domain. Clearly this information could only come from the banks or someone within the banks. It is outrageous and wilful; there is no question of a mistake or of it being accidental. The Minister of State should consider it in this light because I am not familiar with similar incidents in the private banks and it does not match the manner in which they conduct their business. There has been a sea change and a change of culture in the State banks and the Minister should take control of the situation. This goes beyond the Data Protection Commissioner.

Brian Hayes (Dublin South West, Fine Gael)

I note the helpful comments of my colleague on this issue. The House has established in law an independent regulator, whose sole function is to protect data collected by all institutions in the State, whether they are State-owned or privately owned and whether they are banks or otherwise. The independent regulator has a clear line of responsibility to deal with complaints made in the first instance. The commissioner makes an annual report setting out his recommendations to the Government. The commissioner would highlight the issues if he believed there were glitches in the legislation or new cultural practices, to which Deputy Mulherin adverted, in the State-owned banks or anywhere else.

It behoves people who have been wronged in the way Deputy Mulherin has suggested to make a complaint to the regulator in the first instance. In this case the regulator is the Data Protection Commissioner and it is his job to investigate the matter thoroughly. If he believed this was part of some new systemic culture within the State-owned banking sector I presume he would report it. I encourage Deputy Mulherin in concert with the people who have been wronged in this way to make a complaint in the first instance to the Data Protection Commissioner. He reports to the Government every year and I am confident he would report any new systemic problem if he believed it had been unearthed as a result of his investigations.