Tusla disclosed location of child victim to alleged abuser – report
Privacy expert says cases highlighted by Data Protection Commissioner ‘shocking’
Tusla accidentally disclosed contact, location and school details of foster parents. Photograph: Alan Betson
Data protection experts have criticised Tusla, the child and family agency, over personal information breaches outlined in a report by a State watchdog.
Among the breaches detailed in the Data Protection Commissioner’s (DPC) annual report, published on Thursday, was that the agency accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser.
The data breach occurred last year and was one of three breach notifications received by the commission between February and May of last year.
Daragh O’Brien, a managing director of privacy firm Castlebridge, said the issues highlighted by the watchdog “are indicative of a historically lax attitude to data protection and data management in Tusla”.
He said the specific cases referenced by the DPC were “shocking”.
In another breach at Tusla, the agency accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children.
In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with the children.
Tusla was the subject of another 71 personal data disclosure breaches notified by the agency leading to an inquiry by the commission in November 2018.
The subject matter of the breaches included inappropriate system access, disclosure by email and post and security of personal data.
TJ McIntyre, the chair of advocacy group Digital Rights Ireland, said the issues in the report suggest “that there are systematic issues in the organisation which need to be addressed urgently”.
He pointed out that the role of a data protection officer within the organisation had been vacant at times in recent years, and filled on an interim basis by others, such as the director of corporate services.
Data Protection Commissioner Helen Dixon has said that while some of the risks posed by data breaches in Tusla have been mitigated “clearly there is still a lot to be done.” She said human error had been behind some of the breaches along with a “failure to think” and poor redaction of material.
The formation of Tusla from three agencies, co-location and issues with the IT system and training had led to some of the problems, she told RTÉ’s Today withSeán O’Rourke programme. Sanctions are necessary, she said.
Investigators had told Ms Dixon that in the files involved in the breaches were letters from individuals affected by the disclosures which made for “harrowing reading”.
Under legislation introduced in 2018, a range of corrective measures were introduced, she said, including a fine of up to €1 million. “I think there has to be something like that, it concentrates the mind,” Ms Dixon said.
Significant changes are being implemented by Tusla, said Ms Dixon, such as the appointment of a data protection officer.
Tusla is the subject of three of the 18 domestic statutory inquiries being conducted by the commission. The regulator is conducting another 23 statutory inquiries into technology multinationals.
Data protection investigators conducted site inspections at Tusla head office and at regional offices in Dublin, Naas, Swords, Waterford, Galway and Cork.
“In the course of the inspections, a number of other data protection issues came to light which fell outside the original scope of the [DPC]inquiry,” the report says.
The Data Protection Commission said that these issues are relevant to the protection of personal so they will be highlighted in its draft inquiry report that it is preparing.
The commission said that Tusla continued to engage with it throughout 2018 and last year. Tusla has made a number of organisational and technical changes, and was advancing “a significant work programme that will see an IT system wholly managed and controlled by Tusla”, the commission said.
In a statement, Tusla said it had recently recruited a new data protection officer and is “rapidly progressing the development of its data protection unit”.
“Tusla recognises that given the nature of its work, its history as a public service organisation, and advances in GDPR legislation, that we have been challenged in this aspect of our work,” a spokeswoman said.
“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis. We continue to work proactively with the office of the Data Protection Commissioner to continuously improve our systems and practices to reflect data protection legislation, and the data protection rights of the children and families we work with.”
Overall, the data watchdog received 6,609 valid data breach notifications in 2019 – the first full year that the EU’s new data protection law, the General Data Protection Regulation, was in effect. This is an increase of 42 per cent on the previous year.
The commission handled 7,215 complaints last year. It received 2,864 complaints between May 25th, 2018, when GDPR came into effect, and the end of that year.
In another breach notification received by the DPC that led to a statutory inquiry, the Irish Credit Bureau inadvertently allowed incorrect updates to be applied to the loan account records of customers at financial institutions. This affected the credit ratings of 15,238 individuals.
Some 118 individuals had requested their credit report directly from the Irish Credit Bureau while the data was incorrect. The Data Protection Commission’s inquiry started in July 2019.