1. After having received an instruction on paper or on another durable medium from
a. a credit information subject to whom the identity theft notice relates, or b. an authorised representative of such a credit information subject
that asserts that the credit information subject to whom the instruction relates has, or may have been, subject to identity theft, the Central Bank shall place an identity theft notice on the credit file of a credit information subject for a period of up to [90] days, as soon as is practicable and not later than [48] hours after the CBI receives the instruction.
2. During the period in which the identity theft notice is placed on the credit file of a credit information subject, the CBI shall notify that credit information subject or an authorised representative if any of following events occur
a. any enquiries to obtain the credit file of the credit information subject, where the person purporting to be the credit information subject was unable to satisfy the conditions in subhead [7], or
b. any transmission of credit information by a credit information provider to the CCR regarding a credit application or credit agreement, where such credit agreement allows for the extension of credit facilities, or
c. any request by a registered credit information user to obtain credit information relating to the credit information subject,
such notification to be made as soon as is practicable [and not later than [48] hours after any of the events listed in this subhead.]
3. The CBI shall not transmit credit information to a registered credit information user seeking the credit information for the purpose of granting credit or
extending credit facilities, without the written consent of the credit information subject to whom the identity theft notice relates, or an authorised
representative.
4. Any credit information that the CBI transmits to a registered credit information user shall include an identity theft notice where such exists.
5. The CBI shall remove an identity theft notice on the credit file of a credit information subject after [90] days or, if sooner, following receipt of an instruction on paper or on another durable medium from
a. a credit information subject to whom the identity theft notice relates, or b. an authorised representative of the credit information subject
that confirms that the reason which gave rise to the identity theft notification no longer remains valid [and/or] has been resolved to the satisfaction of the credit information subject to whom the identity theft notice related.
6. The CBI shall extend the duration of an identity theft notice on the credit file of a credit information subject for up to a maximum of a further [90] days where it has received a request, on paper or on another durable medium, from the credit information subject to whom the identity theft notice relates, or an authorised representative of the credit information subject, subject to receipt of a copy of a report filed with An Garda Siochana or other overseas equivalent concerning the identity theft which gave rise to the identity theft notice. 7. The CBI shall take reasonable measures to verify that any credit information
subject requesting
a. the inclusion, extension or removal of an identity theft notice on a credit file, or
b. access to any credit information which is subject to an identity theft notice
is the credit information subject to whom the identity theft relates or an authorised representative.
8. The existence of an identity theft notice on a credit file shall not preclude the CBI from using the information on that file in the performance of its statutory functions, and the exercise of its statutory powers, or from the inclusion of such information in aggregate information provided by the CBI to another person.
Explanatory Note
Subhead 1 provides protections to those that may be, or have been, subject to identity theft and to creditors that may be exposed in the absence of such a notification. It is considered that, for most cases, a period of [90] days is sufficient time in which to put in place adequate safeguards and that an identity theft notice will therefore no longer be required beyond this period.
Subheads 2 provides some further measure of protection to the person to whom the identity theft relates as they will be notified of activity on their credit file and will
therefore be provided with an opportunity to follow-up on activity which they consider to be suspicious.
Subhead 3 protects the borrower from exposure to credits taken out in their name by others.
Subhead 4 provides some measure of protection to, principally, credit providers that credit information being sought may not be reliable.
Subhead 5 provides an appropriate mechanism for removing an identity theft notice from a credit file where a situation has been resolved such that an identity theft notification is no longer appropriate.
Subhead 6 provides for an extension for the period in which the identity theft notice remains on a credit file to allow for situations where the person concerned may not have had adequate opportunities to secure their identity during the initial period in which the identity theft notice was placed.
Subhead 7 ensures that the CCR operator will be obliged to conduct reasonable verification checks to ensure that the person making the request is either the person to whom the identity theft report relates or an authorised representative of the person. Subhead 8 ensure that the existence of an identity theft notice will not prevent the CBI from using data as provide for in the Act