Tusla fined again for data breach

Data Protection Commissioner Helen Dixon. The commission’s decision to fine Tusla comes just days after the agency became the first organisation in the State to be fined for a breach of the General Data Protection Regulation. Picture: DPC/PA
By Evelyn Ring
Irish Examiner Reporter

Tusla is to be fined for disclosing sensitive personal data that was later posted on social media, the Data Protection Commission (DPC) has decided.

The DPC began an inquiry last November after it was notified by Tusla about the unauthorised disclosure of sensitive personal data.

The disclosure was made to an individual against whom an allegation of abuse had been made and the data was subsequently posted on social media.

The commission decided to apply corrective measures for the breach, as well as a fine under the General Data Protection Regulation (GDPR).

Tusla has 28 days to appeal the commission’s decision.

Earlier, a spokesperson for Tusla said any decision issued by the DPC includes an opportunity for the recipient to reflect on the decision.

“As the decision has only just been received we are not in a position to comment further until we have reflected on all of the matters,” she said.

Earlier this month, Tusla became the first organisation in the State to be fined for a breach of the GDPR.

That decision followed an investigation into three cases where information about children was wrongly disclosed to unauthorised parties.

In one instance, the contact and location details of a mother and child victim were disclosed to an alleged abuser.

In two other cases, data about children in foster care was improperly disclosed to a grandparent and an imprisoned father.

Papers lodged by the DPC in the Circuit Court last week confirm the fine of €75,000 for what is referred to as the “three breach investigation”.

Tusla does not intend to contest the matters and will accept and respect the final order of the court.

The child and family agency has pointed out that the three investigations were largely based on breaches it identified and reported to the DPC in a timely fashion.

“The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those,” the spokeswoman said.

Tusla said improvements were already being made before the investigation reports were completed.

Meanwhile, the DPC has submitted a draft decision following an inquiry it has completed into Twitter International Company, which is based in Dublin. It concerns the notification and documentation of a personal data breach.

The draft decision, which has been submitted to other concerned EU supervisory authorities, is one of a number of significant developments in DPC inquiries into “big tech” companies this week.

The commission is also examining whether WhatsApp Ireland is in compliance with the GDPR in relation to transparency, including what information is shared with Facebook.

It has also completed the investigation phase of a complaint-based inquiry on Facebook Ireland’s obligations to establish a lawful basis for personal data processing but has yet to make a decision.
