Written answers

Tuesday, 28 November 2017

Catherine Murphy (Kildare North, Social Democrats)

108. To ask the Minister for Finance how the central credit register is compliant with data protection here in the context of financial companies and/or institutions sending personal data to the Central Bank; and if he will make a statement on the matter. [49961/17]

Paschal Donohoe (Dublin Central, Fine Gael)

As the Deputy is aware, the Credit Reporting Act 2013 provides for the establishment of the Central Credit Register (CCR) by the Central Bank of Ireland. The Act (and the Regulations made under that Act) provide the legal basis for the collection and processing of specified personal and credit information for the purposes of the CCR. The Central Bank has advised that, in the context of its work in developing the CCR, it completed a Privacy Impact Assessment and consulted with the Office of the Data Protection Commissioner in advance of publishing these Regulations as provided for in the Act.

Lenders are required to send personal and credit data directly to the Central Credit Register database and the Central Bank of Ireland is the data controller for the Central Credit Register.

The Central Bank has also advised that it has appointed CRIF, a global provider of secure information processing services, to operate the Register on its behalf. CRIF operates in accordance with the ISO 27001 standard and it is audited on a regular basis. This certification is an indication that the Information Security Management System put in place in CRIF is in line with the requirements of this international standard. In terms of information security, the Central Bank has performed a review of CRIF operations against the Bank’s Third Party Information Security Framework.

It should be noted that the lender is responsible for personal data in their possession, and while it is in their possession, they are a data controller under the Data Protection Acts. It is a matter for each lender to satisfy themselves that they are compliant with data protection obligations. In that regard it should also be noted that section 19 of the Credit Reporting Act provides that nothing in that Act limits the operation of the Data Protection Acts.
