The Irish Data Protection Commission issued its first fine for a breach under the General Data Protection Regulation (GDPR) against Tusla, the state’s child and family agency, which wrongly disclosed information about children to unauthorised people on three different occasions. The Irish Times first reported this. Tusla was fined €75,000 (~₹61,64,000) for:

  1. disclosing the location of a mother and child to an alleged abuser,
  2. for disclosing contact, location and school details of foster parents and children to a grandparent resulting in the grandparent making contact with foster parent about the children, and
  3. for disclosing address the address of foster children to their imprisoned father who used it to correspond with the children.

The Irish Data Protection Commission confirmed the €75,000 fine to MediaNama and sent the following statement:

“On Friday [May 15] the DPC lodged papers with the Circuit Court in order to apply to confirm the first fine of the DPC under the GDPR in accordance with Section 143 of the Data Protection Act 2018. This fine follows the completion of an investigation that the DPC commenced in October 2019 in respect of three data breach notifications that it had received from Tusla, Child and Family Agency.” — Irish Data Protection Commission

According to the Irish DPC’s Annual Report for 2019, Tusla informed the DPC of the data breaches of its own volition, and the DPC launched an inquiry in October 2019, the report of which was issued to Tusla in 2019 itself. Tusla will not contest the fine and will accept the decision of the court, the agency confirmed to MediaNama.

In addition, the DPC has been investigating 71 personal data disclosure breaches notified by the agency since November 2018 where the breaches included inappropriate system access, disclosure by email and post, and security of personal data. As a result, the regulator also conducted site-inspections of Tusla’s headquarters and regional offices, and is preparing the draft inquiry report. DPC also started an inquiry in December 2019 into an incident where sensitive personal data was disclosed to the alleged abuser and the data was subsequently posted on social media as well.

Tusla confirmed all these developments and sent the following statement to MediaNama by email:

“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis. Such information is generated in several hundred thousand interactions every year. We have fully engaged with the DPC in their three investigations which are largely based on breaches identified by Tusla and reported to the DPC in a timely fashion. The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.

“Tusla acknowledges the court papers lodged by the DPC to give effect to the Commissioner’s decision to fine the Child and Family Agency €75,000.00 in what is referred to as the ‘three breach investigation’. We can confirm we do not intend to contest the matters and will accept and respect the final order of the Court.   

“We are very conscious that two further investigations ‘one breach’ and ‘seventy two breach’ are due for decision by the DPC and we do not propose to speculate on what the outcome of those will be.  However, we want to assure the public as we did in February when these investigations were referred to in the DPC annual report 2019, that we are not waiting for the investigation reports to formally conclude before making improvements which are ongoing in an extensive programme.” [emphasis ours]

Under the GDPR, government bodies can be fined up to €1 million (~₹8.22 crore) for violation of rules while companies can be fined up to €20 million (~₹164.3 crore) or 4% of their previous year’s turnover.

Update (May 19, 2020 2:30 pm): Statement from Tusla

Update (May 19, 2020 9:42 am): Story updated with statement from the Irish DPC. Originally published on May 18, 2020 at 5:23 pm.