Data Protection Commissioner Helen Dixon has said that while some of the risks posed by data breaches in Tusla have been mitigated “clearly there is still a lot to be done”.
Tusla was responsible for 137 breach notifications in 2019 and there are three investigations being conducted by the Data Commission, Ms Dixon told RTÉ radio’s Morning Ireland.
Human error had been behind some of the breaches along with a “failure to think” and poor redaction.
The formation of Tusla from three agencies, co-location and issues with the IT system and training had led to some of the problems, she said.
Sanctions are necessary, she said. Investigators into the breaches had told her that in the files were letters from individuals affected by the disclosures which were “harrowing reading”.
Under new legislation introduced in 2018 a range of corrective measures were introduced, she said, including a fine of up to €1m.
“I think there has to be something like that, it concentrates the mind.”
Significant changes are being implemented by Tusla, said Ms Dixon, such as the appointment of a Data Protection Officer.
Ms Dixon defended her office from complaints by the German Data Commisioner who had been agitating for a ‘GDPR one stop shop’, but was now saying it was far too early to change.
“I don’t think we’re overwhelmed,” she said, but she did acknowledge that there is a need to grow the number of staff incrementally.
It had been disappointing not to see an increase in the most recent Budget, but she had received sufficient funding to take on more than 30 new staff.
“We do utilise outside help, in legal and technical terms and I have the power to authorise extra staff.
"I have sought his assistance (German Data Commissioner), but he has not been able to do so.”