THE DATA PROTECTION Commission has opened its second inquiry into Tusla in less than two years after a string of breaches were uncovered at the child and family agency.
The data watchdog decided to launch the probe due to what it described as the “large number” and potential seriousness of the breaches revealed at the State body.
It is one of the commission’s first official investigations into a government department or agency since the introduction of the EU’s tough new General Data Protection Regulation (GDPR) in May.
TheJournal.ie understands that Tusla recorded dozens of data breaches between the new laws being implemented and the launch of the investigation in late December.
Many of the breaches reported by Tusla relate to the special category of personal data that includes details of identifiable individuals’ sexual history, health information and beliefs.
They come despite the agency producing an ‘action plan’ in April last year to fix a string of failings unearthed in a previous Data Protection Commission investigation.
The fresh inquiry will investigate whether Tusla has put in place proper organisational and technical controls to prevent the illegal disclosure of sensitive information.
The commission’s new powers under GDPR allow it to levy fines of up to €1 million against public bodies for data protection breaches.
The previous probe
Tusla was the subject of a previous probe from Ireland’s data watchdog in 2017 after false sex abuse allegations were added to the file of garda whistleblower Maurice McCabe.
The agency apologised to the former sergeant after a tribunal found it guilty of “considerable failings and stupidities” in its handling of his case.
A false claim that McCabe sexually abused a girl remained on his record for several years. This was later investigated at the Disclosures Tribunal as part of the judicial probe into a garda smear campaign against the whistleblower.
The Data Protection Commission found the child and family agency hadn’t properly planned for how to handle the volume of data involved in its casework when it was set up in 2014.
It uncovered evidence of “multiple and overlapping volumes of individual case files”, where no discernible ‘master file’ could be found and there was no formal trail to show who had accessed the documents.
Tusla has also been the target of separate allegations recently that it has failed to put in place an independent data protection officer – a key decision-maker who ensures the organisation is abiding by GDPR.
Lobby group Digital Rights Ireland claimed Tusla’s data protection officer was part of the office of the agency’s chief executive, a potential conflict of interest banned under the EU regulations.
Tusla had not responded to a request for comment at the time of publication.
To embed this post, copy the code below on your site
have your say