More than 2,000 personal data breaches by Tusla since 2019 included vulnerable people’s information sent to the wrong person, children’s care files mislaid in public places and phone messages with personal information left on wrong numbers, records released by the agency show.
Details of the 2,184 personal data breaches at the agency, obtained by The Irish Times under Freedom of Information legislation, show almost a quarter (515) were “high risk”, meaning a high likelihood of serious harm as a result.
Breaches have given rise to child-protection concerns, including alleged abusers gaining information on where women and children fleeing alleged abuse are being accommodated.
A high risk incident in June 2023 saw an unqualified individual personate a social care worker and access a residential care unit. They spent the night there with access to vulnerable children, their files, medication and files on staff.
The incident, discovered the following day, was categorised as an “access control deficit”, reported to the Data Protection Commission (DPC) and affected children and staff were informed.
Other breaches include child protection notes “dropped outside a residential house” in Dublin in April 2022; a Tusla staff member bringing their own child to work and having them present during a consultation “with a young person ... in the care of Tusla,” in July 2022, and, in March this year correspondence meant for a person subject to abuse allegations being sent to another person, also subject to abuse allegations “of same name in the same townland” in the southeast.
Tusla, which last year responded to over 96,000 child protection and welfare referrals and is responsible for almost 5,800 children in care, is a mandated data controller under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Since 2020, personal data breach incidents have cost Tusla over €500,000 – made up of fines by the Data Protection Commission (€200,000), personal damages awards (€134,500) and related legal costs (€177,164).
In 2020, following three DPC investigations, the agency was ordered to “bring its processing operations into compliance ... by implementing appropriate organisational measures to ensure a level of security appropriate to the risk”.
Breaches have increased since – from 362 in 2020 to 362 again in 2021, and up to 481 in 2023.
The proportion of “high risk” breaches has increased from nine per cent overall in 2019, to 25 per cent in 2020 to a high of 32 per cent in 2021, not falling below 20 per cent.
The most common breaches are “misaddressed email” – there were 706 between 2019 and 2024; “information overshare” (383); “misplaced/lost/exposed record or device” (348), and “misaddressed letter/post” (305).
The service areas with the most breaches since 2022 were child protection and welfare in Dublin North East, which had 203; residential care services nationally (168); and child protection and welfare in Dublin Mid-Leinster.
The volume of breaches raised “serious questions about how Tusla is carrying out its obligations under the GDPR and what policies and protocols are in place,” said Olga Cronin, senior policy officer with the Irish Council for Civil Liberties.
“Tusla processes very sensitive data about vulnerable people, including children ... We’re not just talking about people’s rights to privacy and data protection but also, in some cases, their safety.”
A spokesman for Tusla said the agency was “fully aware of our responsibilities regarding the handling of sensitive data, and we take all breaches very seriously.”
“In compliance with our statutory obligation, once a breach is assessed as presenting a risk to an individual it is reported to the DPC within the required timeline. We will continue to work with the DPC with full transparency on the matter, as appropriate.”
He said high risk breaches had decreased by 63 per cent in the last year.