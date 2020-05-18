The Irish Data Protection Commission issued its first fine for a breach under the General Data Protection Regulation (GDPR) against Tusla, the state’s child and family agency, which wrongly disclosed information about children to unauthorised people on three different occasions, the Irish Times reported. Tusla was reportedly fined €75,000 (~₹61,64,000) for:

disclosing the location of a mother and child to an alleged abuser, for disclosing contact, location and school details of foster parents and children to a grandparent resulting in the grandparent making contact with foster parent about the children, and for disclosing address the address of foster children to their imprisoned father who used it to correspond with the children.

According to the Irish DPC’s Annual Report for 2019, Tusla informed the DPC of the data breaches of its own volition, and the DPC launched an inquiry in October 2019, the report of which was issued to Tusla in 2019 itself. Tusla will not contest the fine and will accept the decision of the court, according to the Irish Times report. We have reached out to the DPC and Tusla for confirmation.

In addition, the DPC has been investigating 71 personal data disclosure breaches notified by the agency since November 2018 where the breaches included inappropriate system access, disclosure by email and post, and security of personal data. As a result, the regulator also conducted site-inspections of Tusla’s headquarters and regional offices, and is preparing the draft inquiry report. DPC also started an inquiry in December 2019 into an incident where sensitive personal data was disclosed to the alleged abuser and the data was subsequently posted on social media as well.

Under the GDPR, government bodies can be fined up to €1 million (~₹8.22 crore) for violation of rules while companies can be fined up to €20 million (~₹164.3 crore) or 4% of their previous year’s turnover.