The Times have reported that Tusla recently accepted a €40,000 fine from the Data Protection Commission (DPC). The fine is in respect of a breach that involved TULSA mailing a letter detailing allegations of abuse to a third party who then posted the correspondence on social media.
According to the Regulatory Activity Report published by the DPC on 23 June 2020, the DPC has three separate inquiries on-going in relation to data breaches involving TUSLA. It is not immediately clear whether the latest fine of €40,000 is in addition to the earlier fine of €75,000 issued by the DPC against TULSA in respect of a different breach. This will become clearer when the DPC publish the inquiry reports. Inquiry 1 – Failure to appropriately redact materials
According to the Regulatory Activity Report published by the DPC on 23 June 2020, in April 2020, the Commissioner issued a decision in respect of an own-volition inquiry regarding three personal data breaches notified to the DPC by Tusla. These breaches occurred when Tusla failed to appropriately redact documents when sharing them with third parties. The inquiry commenced on 24 October 2019 and examined whether or not Tusla had discharged its obligations in connection with the breaches in order to determine whether or not any provision(s) of the GDPR and/or the Data Protection Act 2018 Act had been contravened by Tusla. In its decision, the DPC found that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate measures with regard to the redaction of documents. The decision also considered one of the notified personal data breaches with regard to the duty to notify the DPC without undue delay pursuant to Article 33(1) of the GDPR. Tulsa notified the DPC of this breach 5 days after becoming aware of it. The decision found that this constituted an undue delay in the circumstances and found that Tusla had infringed Article 33(1). The decision reprimanded Tusla, ordered it to bring its processing into compliance with Article 32(1) of the GDPR and imposed an administrative fine of €75,000. It is understood that an application to confirm the administrative fine is currently pending before the Circuit Court. Inquiry 2 – Disclosure of the identity of a complainant to a third party
Again, according to the Regulatory Activity Report published by the DPC In May 2020, the Commissioner issued a decision regarding another own-volition inquiry concerning Tusla. This inquiry concerned one personal data breach that Tusla notified to the DPC on 4 November 2019. The inquiry commenced on 11 December 2019 and examined whether or not Tusla had discharged its obligations in connection with the subject matter of the breach to determine whether or not any provision(s) of the GDPR and/or the 2018 Act had been contravened by Tusla. The breach concerned the disclosure, to a third party, of the identity of data subjects who had made allegations of abuse and the details of the allegations made. The letter disclosing the details was later shared on social media by the recipient of the letter. In its decision, the DPC found that Tusla infringed Article 32(1) of the GDPR by failing to implement organisational measures appropriate to the risk. The decision also considered the breach with regard to the duty to notify the DPC without undue delay pursuant to Article 33(1) of the GDPR. This breach was notified to the DPC over 29 weeks after Tusla became aware of it. The decision found that Tusla infringed Article 33(1) by failing to notify the DPC of the breach without undue delay. The decision reprimanded Tusla, ordered it to bring it's processing into compliance with Article 32(1) of the GDPR and imposed an administrative fine which the Times has reported amounts to €40,000. Tusla has 28 days from receipt of the decision to decide whether it wishes to appeal the decision. However, according to the Times, the fine has been accepted by TUSLA.
According to the Regulatory Activity Report, the third decision involving TUSLA is currently at decision making stage.
While the TUSLA fines may initially appear large, the DPC can impose administrative fines of up to €1 million on Irish State/public bodies (that do not act as undertakings within the meaning of the Competition Act 2002 i.e. that are not in competition with private sector bodies). The fines are therefore on the lower spectrum of what could potentially have been awarded. However, the fines are nonetheless a stark reminder to al public bodies to ensure that appropriate security measures are taken when processing personal data. We will bring you further details in relation to these inquiries when made available by the DPC so keep in touch!