DPC: 75 separate data breaches by Tusla
Tusla is the subject of an inquiry by the Data Protection Commission after the contact and location details of a mother and child victim were “accidentally” disclosed to their alleged abuser.
Another breach saw Tusla disclose “sensitive, personal” information to an individual against whom an allegation of abuse had been made with that information subsequently posted on social media.
These issues are just two of 75 separate data breaches by Tusla, the child and family agency, dating from 2018 to late 2019 detailed in the annual report of the DPC published today.
The agency itself self-reported 72 of the breaches to the DPC, which subsequently initiated three separate inquiries into the agency, which was formed as a separate entity from the remnants of the HSE’s child and family section in January 2014.
In the case of the alleged abuser receiving the details of the mother and child, it is understood the accused man simply asked the agency for them and received them in return.
Two other breaches have been investigated by the commission as part of the same inquiry. One saw Tusla disclose the contact, location, and school details of foster parents and children to a grandparent, who subsequently made contact with the foster parents, while the other saw the foster details of children disclosed to their imprisoned father, who used those details to correspond with them.
The inquiry commenced in October 2019 on foot of the three incidents which date from between February and May of last year, with a draft inquiry report having already issued to Tusla.
A second inquiry concerns 71 separate personal data disclosures including inappropriate system access, disclosures by email and post, and the security of personal data, which led to on-site inspections at Tusla offices in Dublin, Kildare, Waterford, Galway, and Cork. During the course of those, a number of separate data protection issues came to light.
The third and final inquiry into matters at the agency relates to a self-reported breach dating from November 2019 which saw Tusla disclose information of a “sensitive, personal” nature to an individual against whom an allegation of abuse had been made.
That information was subsequently posted on social media. The DPC’s inquiry into that incident began in December of last year.
Should the DPC find that Tusla has indeed breached data protection laws court sanctions and fines would likely follow.
Those fines could be significant in size given the incidents in question took place in the aftermath of the EU’s General Data Protection Regulation (GDPR) coming into effect on May 25 2018.
All told, 70 separate public and private post-GDPR inquiries are currently in operation under the DPC’s aegis, with conclusions on the first two of those due soon.
Of those probes, 49 relate to domestic statutory inquiries. An Garda Síochána and 31 local authorities comprise 32 of the investigations on the back of surveillance of citizens for law enforcement purposes through the use of CCTV, body-worn cameras, drones, and number plate recognition systems.
The Catholic Church is currently being investigated, meanwhile, due to its refusal to erase the Church records of people who no longer wish to remain as members from the sacramental registers.
A separate case study detailed in the report describes the treatment of a patient who presented at an early pregnancy unit of a hospital in 2019. The woman was recognised by a hospital porter known to her, who in turn disclosed the details of her circumstances via Facebook Messenger using a series of expletives and the phrase “bun in the oven”.
