Tusla, Ireland’s child and family agency, has been fined €75,000 for three breaches of the GDPR (General Data Protection Regulation).
It was found to have disclosed the personal information of children to unauthorised parties on three occasions.
In one instance, the contact and location data of a mother and child was disclosed to an alleged abuser. The other cases related to personal data about children in foster care being disclosed to blood relatives.
Tusla takes responsibility
A spokesperson for Tusla said the organisation didn’t intend to contest the fine and would accept and respect the decision of the DPC (Data Protection Commission).
“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis,” she said.
“Such information is generated in several hundred thousand interactions every year.”
The agency reported 72 incidents between 2018 and 2019, which led to the three separate inquiries.
“We have fully engaged with the DPC in their three investigations which are largely based on breaches identified by Tusla and reported to the DPC in a timely fashion,” the spokeswoman continued.
“The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.”
Avoid GDPR mistakes with IT Governance
The action taken by the DPC once again demonstrates the importance of GDPR compliance – and just as importantly, what to do when a breach occurs.
Had Tusla not reported its violations in a timely manner, it would have almost certainly been looking at a much bigger fine.
Those looking for advice on how to protect their organisation should consider our Certified GDPR Foundation Live Online Training Course.
This one-day course is the perfect introduction to the GDPR and the requirements you need to meet.
Delivered by an experienced data protection practitioner, the course is suitable for directors or managers who want to understand how the Regulation affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.
It’s available in a variety of forms, including online and self-paced, meaning you can take the training from the comfort of your own home.