User Menu

Tusla becomes first organisation fined for GDPR rule breach

Agency fined €75,000 over three cases where data about children was wrongly disclosed

In one instance, the contact and location data of a mother and child victim was disclosed to an alleged abuser. Photograph: Alan Betson/The Irish Times

The child and family agency, Tusla, has become the first organisation in the State fined for a breach of the General Data Protection Regulation (GDPR).

The agency was fined €75,000 arising out of an investigation into three cases where information about children was wrongly disclosed to unauthorised parties.

In one instance, the contact and location data of a mother and child victim was disclosed to an alleged abuser.

In two other cases, data about children in foster care was improperly disclosed to blood relatives, including in one instance to an imprisoned father.

The lodgment of a case in the Circuit Court by the Data Protection Commission (DPC) last week confirms the fine.

State bodies can be fined up to €1 million for breaches of the data rules, and multinationals can be fined up to €20 million, or four per cent of their previous year’s turnover.

A spokeswoman for Tusla confirmed that it did not intend to contest the matters and will accept and respect the final order of the court.

“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis,” she said.

“Such information is generated in several hundred thousand interactions every year.”

There are two other continuing inquiries into data breaches involving the agency.

“We have fully engaged with the DPC in their three investigations which are largely based on breaches identified by Tusla and reported to the DPC in a timely fashion,” the spokeswoman said.

“The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.”

She said the agency did not propose to speculate on the likely outcome of the two continuing investigations.

“However, we want to assure the public, as we did in February when these investigations were referred to in the DPC annual report 2019, that we are not waiting for the investigation reports to formally conclude before making improvements which are ongoing in an extensive programme.”