wordpress blog stats
Connect with us

Hi, what are you looking for?

Ireland fines country’s child and family agency €75,000 for data breach

EU, European Union, GDPR

The Irish Data Protection Commission issued its first fine for a breach under the General Data Protection Regulation (GDPR) against Tusla, the state’s child and family agency, which wrongly disclosed information about children to unauthorised people on three different occasions. The Irish Times first reported this. Tusla was fined €75,000 (~₹61,64,000) for:

  1. disclosing the location of a mother and child to an alleged abuser,
  2. for disclosing contact, location and school details of foster parents and children to a grandparent resulting in the grandparent making contact with foster parent about the children, and
  3. for disclosing address the address of foster children to their imprisoned father who used it to correspond with the children.

The Irish Data Protection Commission confirmed the €75,000 fine to MediaNama and sent the following statement:

“On Friday [May 15] the DPC lodged papers with the Circuit Court in order to apply to confirm the first fine of the DPC under the GDPR in accordance with Section 143 of the Data Protection Act 2018. This fine follows the completion of an investigation that the DPC commenced in October 2019 in respect of three data breach notifications that it had received from Tusla, Child and Family Agency.” — Irish Data Protection Commission

According to the Irish DPC’s Annual Report for 2019, Tusla informed the DPC of the data breaches of its own volition, and the DPC launched an inquiry in October 2019, the report of which was issued to Tusla in 2019 itself. Tusla will not contest the fine and will accept the decision of the court, the agency confirmed to MediaNama.

In addition, the DPC has been investigating 71 personal data disclosure breaches notified by the agency since November 2018 where the breaches included inappropriate system access, disclosure by email and post, and security of personal data. As a result, the regulator also conducted site-inspections of Tusla’s headquarters and regional offices, and is preparing the draft inquiry report. DPC also started an inquiry in December 2019 into an incident where sensitive personal data was disclosed to the alleged abuser and the data was subsequently posted on social media as well.

Tusla confirmed all these developments and sent the following statement to MediaNama by email:

“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis. Such information is generated in several hundred thousand interactions every year. We have fully engaged with the DPC in their three investigations which are largely based on breaches identified by Tusla and reported to the DPC in a timely fashion. The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.

“Tusla acknowledges the court papers lodged by the DPC to give effect to the Commissioner’s decision to fine the Child and Family Agency €75,000.00 in what is referred to as the ‘three breach investigation’. We can confirm we do not intend to contest the matters and will accept and respect the final order of the Court.   

Advertisement. Scroll to continue reading.

“We are very conscious that two further investigations ‘one breach’ and ‘seventy two breach’ are due for decision by the DPC and we do not propose to speculate on what the outcome of those will be.  However, we want to assure the public as we did in February when these investigations were referred to in the DPC annual report 2019, that we are not waiting for the investigation reports to formally conclude before making improvements which are ongoing in an extensive programme.” [emphasis ours]

Under the GDPR, government bodies can be fined up to €1 million (~₹8.22 crore) for violation of rules while companies can be fined up to €20 million (~₹164.3 crore) or 4% of their previous year’s turnover.

Update (May 19, 2020 2:30 pm): Statement from Tusla

Update (May 19, 2020 9:42 am): Story updated with statement from the Irish DPC. Originally published on May 18, 2020 at 5:23 pm.

Advertisement. Scroll to continue reading.
Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



While the market reality of popular crypto-assets like Bitcoin may undergo little change, the same can't be said for stablecoins.


Bringing transactions related to crypto-assets within the tax net could make matters less fuzzy.


Loopholes in FEMA and the decentralised nature of crypto-assets point to a need for effective regulations.


The need of the hour is for lawmakers to understand the systems that are amplifying harmful content.


For drone delivery to become a reality, a permissive regulatory regime is a prerequisite.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ