We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

File photo Shutterstock/TippaPatt
Data Breaches

Tusla 'accidentally disclosed' contact and location information of mother and child victim to alleged abuser

This and other data breaches are outlined in the Data Protection Commission’s annual report.

THERE WERE 75 data breaches at the Tusla, the Child and Family Agency, from 2018 to late 2019, according to the Data Protection Commission (DPC).

The DPC’s 2019 annual report details three inquiries being carried out by the DPC into Tusla.

One inquiry relates to three data breach notifications received by the DPC from Tusla between February and May 2019 relating to unauthorised disclosure of personal data.

In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser.

In another incident, Tusla accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children.

In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children. This inquiry commenced in October 2019 and a draft inquiry report has been issued to Tusla.

An inquiry that commenced in December 2019 relates to a breach notification received from Tusla last November regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an individual against whom an allegation of abuse had been made. The disclosed data was subsequently posted on social media.

An inquiry that commenced in November 2018 relates to 71 personal data disclosure breaches. The subject matter of the breaches included inappropriate system access, disclosure by email and post and security of personal data.

The DPC conducted site inspections at Tusla headquarters and at regional offices in Dublin Central, Naas, Swords, Waterford, Galway and Cork. In the course of the inspections, a number of other data protection issues came to light which fell outside the original scope of the inquiry.

However, as these issues have relevance with regard to the protection of personal data, they will be highlighted in the Draft Inquiry Report which the DPC is currently preparing.

When asked for comment about the breaches at Tusla, a spokesperson told the organisation is “acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis”.

“We continue to work proactively with the office of the Data Protection Commissioner to continuously improve our systems and practices to reflect data protection legislation, and the data protection rights of the children and families we work with.

“Behind what is in today’s report are very detailed investigation reports which we are significantly engaged with the Commissioner on and in fact we are due to give further detailed responses to the Commissioner next week.

“We will await the final findings of these investigations before commenting on the specific details. However, we want to assure the public that we are not waiting for the investigation reports to formally conclude before making improvements,” they said.

Catholic Church

Data breaches at several other organisations and companies are also being investigated by the DPC including Facebook, Twitter, the HSE, An Garda Síochána and the Catholic Church.

The DPC received a number of complaints from individuals who were members of the Catholic Church and many of whom no longer wished to remain as members. In the absence of a way to defect formally from the Catholic Church, the individuals expressed dissatisfaction with the ongoing processing of their personal data by the Catholic Church, in particular the retention of their personal data on sacramental registers.

As a consequence, each individual had requested the erasure of their church records, including those contained in baptism, confirmation and marriage registers. In all instances the request for erasure had been refused by the relevant parish offices.

Having considered the issue at a preliminary level, the DPC has opened an own-volition inquiry pursuant to section 110(1) of the Data Protection Act 2018. This inquiry is directed to the Archdiocese of Dublin and will examine whether there is a lawful basis for the processing of the personal data of individuals who no longer want to have their personal data so processed.

Overall, there has been a significant increase in the volume of complaints received by the DPC. The organisation said it received 7,215 complaints in 2019, an increase of 75% on the figure for 2018.

The vast majority of these complaints – 6,904 – were dealt with under General Data Protection Regulation (GDPR), and 311 complaints were dealt with under the Data Protection Acts 1988 and 2003.

The annual report outlines the work of the DPC for the first full calendar year since the introduction of GDPR.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel