Digital group’s concern over data at Tusla

By Conall Ó Fátharta
Irish Examiner Reporter

Digital Rights Ireland has said it is concerned over the independence of child and family agency Tusla’s data protection officer.

The group has said the data protection officer for Tusla is part of the office of the chief executive and has also been described by Tusla as also holding the director of corporate services role.

In a statement posted to its website, Digital Rights Ireland said GDPR legislation repeatedly emphasises that the data protection officer for an organisation cannot be the person liable for data protection compliance and that this duty remains with the data controller.

Article 38 (6) of the legislation specifically prohibits a data protection officer being assigned any task or duties that result in a “conflict of interests” with their data protection officer role.

Digital Rights Ireland also pointed to a paper on the role of the data protection officer by the Article 29 Working Party of the EU’s Data Protection Authorities.

This explained that the person assigned the role “cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”.

The paper sets out a non-exhaustive list of roles they foresee would be incompatible with the position of data protection officer .

“As a rule of thumb, conflicting positions within the organisation may include senior management positions [such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of human resources, or head of IT departments] but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing,” said the paper.

Digital Rights Ireland said the “independence of an organisation’s data protection officer is a critical part of the role” and said Article 38.3 of the GDPR legislation specifically grants job protections on the data protection officer to ensure that they can operate independently. The group has written to Tusla seeking details of:

    The job description for the data protection officer role;

    The steps taken to advertise or recruit for the data protection officer role, including details of any internal or external competition;

    The criteria for the appointment of the data protection officer;

    The qualifications of the data protection officer;

    Any guidance or training given to the data protection officer;

    The reporting arrangements for the data protection officer to “directly report to the highest management level”;

    The steps taken to ensure that the data protection officer is independent and does not have any conflict of interest;

    The staff/resources/budget given to the data protection officer.

Digital Rights Ireland has also written in similar terms to a number of government departments and agencies which are data controllers for significant databases of personal data.

The public sector’s blanket requirement to appoint a data protection officer is a reflection of the profound depth and sensitivity of the data stored by the state.

"Few public bodies hold more sensitive personal data than Tusla,” said a statement from Digital Rights Ireland.

A comment from Tusla was not forthcoming at the time of going to press.

Most Read in Ireland