Skip to content
#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
File photo
File photo
Image: Shutterstock/TippaPatt

Tusla 'accidentally disclosed' contact and location information of mother and child victim to alleged abuser

This and other data breaches are outlined in the Data Protection Commission’s annual report.
Feb 20th 2020, 8:24 AM 29,320 32

THERE WERE 75 data breaches at the Tusla, the Child and Family Agency, from 2018 to late 2019, according to the Data Protection Commission (DPC).

The DPC’s 2019 annual report details three inquiries being carried out by the DPC into Tusla.

One inquiry relates to three data breach notifications received by the DPC from Tusla between February and May 2019 relating to unauthorised disclosure of personal data.

In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser.

In another incident, Tusla accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children.

In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children. This inquiry commenced in October 2019 and a draft inquiry report has been issued to Tusla.

An inquiry that commenced in December 2019 relates to a breach notification received from Tusla last November regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an individual against whom an allegation of abuse had been made. The disclosed data was subsequently posted on social media.

An inquiry that commenced in November 2018 relates to 71 personal data disclosure breaches. The subject matter of the breaches included inappropriate system access, disclosure by email and post and security of personal data.

The DPC conducted site inspections at Tusla headquarters and at regional offices in Dublin Central, Naas, Swords, Waterford, Galway and Cork. In the course of the inspections, a number of other data protection issues came to light which fell outside the original scope of the inquiry.

However, as these issues have relevance with regard to the protection of personal data, they will be highlighted in the Draft Inquiry Report which the DPC is currently preparing.

When asked for comment about the breaches at Tusla, a spokesperson told TheJournal.ie the organisation is “acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis”.

“We continue to work proactively with the office of the Data Protection Commissioner to continuously improve our systems and practices to reflect data protection legislation, and the data protection rights of the children and families we work with.

“Behind what is in today’s report are very detailed investigation reports which we are significantly engaged with the Commissioner on and in fact we are due to give further detailed responses to the Commissioner next week.

“We will await the final findings of these investigations before commenting on the specific details. However, we want to assure the public that we are not waiting for the investigation reports to formally conclude before making improvements,” they said.

Catholic Church

Data breaches at several other organisations and companies are also being investigated by the DPC including Facebook, Twitter, the HSE, An Garda Síochána and the Catholic Church.

The DPC received a number of complaints from individuals who were members of the Catholic Church and many of whom no longer wished to remain as members. In the absence of a way to defect formally from the Catholic Church, the individuals expressed dissatisfaction with the ongoing processing of their personal data by the Catholic Church, in particular the retention of their personal data on sacramental registers.

As a consequence, each individual had requested the erasure of their church records, including those contained in baptism, confirmation and marriage registers. In all instances the request for erasure had been refused by the relevant parish offices.

Having considered the issue at a preliminary level, the DPC has opened an own-volition inquiry pursuant to section 110(1) of the Data Protection Act 2018. This inquiry is directed to the Archdiocese of Dublin and will examine whether there is a lawful basis for the processing of the personal data of individuals who no longer want to have their personal data so processed.

Overall, there has been a significant increase in the volume of complaints received by the DPC. The organisation said it received 7,215 complaints in 2019, an increase of 75% on the figure for 2018.

The vast majority of these complaints – 6,904 – were dealt with under General Data Protection Regulation (GDPR), and 311 complaints were dealt with under the Data Protection Acts 1988 and 2003.

The annual report outlines the work of the DPC for the first full calendar year since the introduction of GDPR.

Send a tip to the author

Órla Ryan

COMMENTS (32)

This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
write a comment

    Leave a comment

     
    cancel reply
    Back to top