Child and Family Agency

Tusla suffers 23 'high risk' data breaches - including stolen files and loss of devices - since last year

The vast majority of the cases involved an “employee error or omission”.

THE CHILD AND family agency Tusla has suffered over 200 data breaches in the space of just over a year and a half including 23 that were classified as “high” risk.

The cases included the loss of an unencrypted device, unauthorised access to personal data, files getting lost or stolen, and deliberate disclosures of sensitive information.

A detailed breakdown of the cases shows there were 71 breaches in the second half of 2018 and a further 130 incidents last year.

The breaches were broken down into four risk categories, ranging from no risk at all up to high.

Altogether, 23 of the incidents were classed as “high” risk, a further 53 deemed medium risk, and 123 categorised as low risk. A further two were said to have had no risk attached.

The vast majority of the cases – a total of 163 out of 201 – involved an “employee error or omission”.

However, one incident involving an “intentional act” by an employee was recorded, as were seven external incidents involving “intentional” disclosures.

In one case, a contractor working for Tusla was also responsible for an intentional data breach, according to records released under the Freedom of Information Act.

Of the just over two hundred cases, forty-seven were down to an error involving sending data to the incorrect email.

Another fifty-two cases involved postal address mistakes and nineteen breaches were described as a “record shared in error”.

Four breaches involved “system misuse” and thirteen cases were incidents where records were incompletely redacted and contained more private information than they should.

Of the 23 cases categorised as “high risk”, the majority involved employee error or omission but two were described as involving an “external intentional act”.

Geographic location was only available for the 2019 data and it showed the majority of breaches took place in Dublin.

Twelve were reported at Tusla headquarters last year while 15 were recorded in the Dublin North area.

The highest overall figure was the sixteen breaches reported in the country’s Mid-West region while just one breach was listed for each of Mayo, Kerry, and North Dublin.

Tusla has been levied with two fines by the Data Protection Commissioner already this year.

The latest case related to a breach involving unauthorised disclosure of information to an alleged abuser, which was subsequently posted to social media.

In the other case, Tusla was fined €75,000 for three separate breaches, one of which involved the accidental disclosure of contact and location data of a mother and child to an alleged abuser.

The two other cases involved disclosure of data about children in foster care to a grandparent and an imprisoned father.

A spokeswoman for the agency said they handle 60,000 referrals to child protection and welfare services each year and are responsible for a further 6,000 children in care.

“The volume of data Tusla deals with on a daily basis, and the complexity and sensitivity of much of this data, means that on occasions when breaches regrettably do occur, that this may have a significant impact on the people involved,” she said.

“We are acutely aware of our responsibilities in relation to this very sensitive data, and take all breaches extremely seriously.”

She said all breaches were reported to the Data Protection Commissioner within 72 hours and every measure possible was taken to retrieve the information.

Tusla also said they had appointed a new data protection officer late last year, ran significant training programmes, were rolling out an awareness campaign, and were actively building expertise.
