TUSLA HAS REPORTED new breaches of potentially sensitive client information at a rate of nearly two per week early this year following the launch of an official probe into its practices.
The breaches included two incidents classified as “high risk” by the child protection agency – including one unauthorised disclosure in the Dublin/north-east region that Tusla said was the result of an intentional act by an outside party.
The cause of the second unauthorised disclosure in the most serious category of breach was still listed as “unknown”, according to incident summaries obtained by TheJournal.ie.
In total, Tusla was notified of 23 fresh data breaches during a nearly three-month period from the beginning of January. Of these, nine were classified as “medium risk”, including one in which an encrypted device was stolen.
Around three-fifths of the incidents were the result of employee mistakes or omissions, while nearly two-thirds occurred in either the Dublin/north-east or Dublin/mid-Leinster regions.
Speaking on condition of anonymity, one person who had recent dealings with Tusla told TheJournal.ie they had complained to the local office after finding the names of unrelated parties attached to documents sent by the child protection agency.
“From that moment I lost complete confidence in them. If they send a letter to me with (unconnected) names, what information have they sent about me to someone else?” they said.
Second investigation
Tusla declined to provide further details of the most serious incidents when contacted for comment. The agency said via a spokeswoman that it did not comment on individual breaches “in line with best practice”.
“Tusla’s assessment, notification and remediation breach procedures are aligned with the (Data Protection Commission) requirements and our commitment to continuous data governance improvement,” the spokeswoman said.
TheJournal.ie previously revealed that the Data Protection Commission (DPC) had opened its second inquiry into data security at the child and family agency after a “large number” of potentially serious breaches were reported between May and late December last year.
Under General Data Protection Regulation provisions, the DPC can order public bodies to pay fines of up to €1 million over data breaches.
The data security watchdog conducted an earlier inquiry into Tusla’s handling of sensitive information after false sexual abuse allegations were added to the file of garda whistleblower Maurice McCabe. The agency later apologised over its failings in the case.
The DPC subsequently presented 59 findings to Tusla, identifying among other “issues of concern” the continuing close links between the child protection agency and the HSE when it came to office space, services and IT systems.
Know more about this story? Email the author via peter@thejournal.ie or send a message using the secure Threema app, ID: ESUCBYMK.
To embed this post, copy the code below on your site
have your say