On 17th May 2020, Tusla became the first organisation in Ireland to be fined for a data breach under the GDPR, and shortly after on the 30th June 2020, it was the recipient of the second fine.
The Irish Data Protection Commission (DPC) fined Tusla €75,000 following its investigation into three data breaches in which information concerning children was disclosed to unauthorised parties.
In one instance, which happened in February/March 2019, the contact and location data of a mother and child was disclosed to an alleged abuser. The other cases related to personal data about children in foster care being disclosed to blood relatives.
The second fine was €40,000 and concerned a letter containing details of allegations of abuse that was sent to the wrong recipient, who then published the information on social media. The breach occurred 29 weeks before Tusla reported it to the DPC. In addition to the inadvertent release of the letter, the delay in reporting it fell afoul of GDPR rules.
Inquiries made by the DPC found that Tusla had infringed the GDPR in a number of ways by:
- disclosing the identity of a data subject to third parties (the breach itself)
- failing to notify the DPC of the breach without undue delay (infringing Article 33(1) of the GDPR)
- failing to implement organisational measures appropriate to the risk (as required under Article 32(1) of the GDPR), and
- failing to appropriately redact materials in contravention of Article 32(1) of the GDPR
Section 142 of the Data Protection Act 2018 (DPA 2018) permits a data controller or processor that is subject to an administrative fine to appeal to the court against the decision. Tusla has indicated that it accepts its responsibilities and does not intend to appeal the DPC's decision.
Tusla's fines should serve as a warning to businesses of the importance of compliance with data protection rules and of the reputational harm that can result from non-compliance. The DPC has shown that it is willing to exercise its enforcement powers and fine organisations for not following the data protection rules. This is just the beginning.