Mother and baby homes data at risk of being compromised, warns Tusla

Highly sensitive archive of commission of investigation held using ‘legacy’ technology

Child and family agency Tusla warned there was a chance that the archive of the Mother and Baby Homes Commission of Investigation could end up damaged, lost, or be compromised in a data leak.

In discussions with the Data Protection Commission (DPC), the child and family agency said there was a “high risk” of problems arising with the transfer of the database to it for safekeeping.

It said the highly sensitive records were held using “legacy” technology, which heightened the risk of accidental or unlawful destruction, loss of records, alteration of files, or unauthorised disclosure. Records released under the Freedom of Information Act reveal there were fears that data relating to criminal acts perpetrated on survivors could also be compromised.

Preservation plan

A copy of an informal data protection assessment by the DPC said: “If a breach were to occur, as Tusla noted, the effects on the individuals concerned would be detrimental.” The assessment said a digital preservation plan – to ensure the long-term security of the database – should be put in place as a matter of priority.

READ MORE

The internal records say there were nearly 850,000 pages of records comprising 100,000 different documents and referring to 130,000 people. Concerns were also raised about inaccuracies with such a large volume of records and the possibility of recording or transcription errors before Tusla took control of the archive.

Tusla had warned of potential “distress” for survivors and their families if information proved to be incorrect, saying this represented a “high risk”.

Asked about the records, a Tusla spokesman said it voluntarily consulted with the DPC regarding the assessment. “The DPC made recommendations regarding certain risks that [were] identified. This is a normal part of the process.”

The DPC said it had raised a number of matters in response to which Tusla had revised its policies and procedures to align with the requirements of the European Union’s General Data Protection Regulation.