The Data Protection Commission (DPC) has issued its first fine under the GDPR. Tusla, the child and family state agency, has been fined €75,000 for three data breaches. It has been reported that the DPC has filed papers in the Circuit Court, in order for the court to confirm the fine. The purpose of this confirmation mechanism, which is required by the Data Protection Act (DPA) 2018, is to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice.
The DPA 2018 enables the DPC to impose administrative fines of up to €1 million on Irish State/public bodies that do not act as undertakings within the meaning of the Competition Act 2002 (i.e. that are not in competition with private sector bodies). Public sector bodies that act as undertakings, and private sector bodies, may be fined up to €20 million or 4% of annual worldwide group turnover.
The fine reportedly concerns the inquiry the DPC commenced into Tusla in October 2019. The DPC’s Annual Report for 2019 notes that that inquiry was launched by the DPC, of its own volition, in response to three data breach notifications it received from Tusla relating to unauthorised disclosure of personal data. In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser. In the second breach, Tusla accidentally disclosed contact, location and school details of foster parents and children to a grandparent. As a result, that grandparent made contact with the foster parent about the children. In the third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used it to correspond with his children.
Tusla is also subject to two further DPC inquiries. An inquiry launched in November 2018 relates to 71 personal data breaches notified by Tusla to the DPC. Those breaches concerned inappropriate system access, disclosure by email and post, and security of personal data. Another DPC inquiry, commenced in December 2019, relates to a breach notification received from Tusla regarding unauthorised disclosure of sensitive personal data to an individual against whom an allegation of abuse had been made.
The fine serves as a warning to other public and private sector bodies that the DPC will exercise its enforcement powers where necessary to ensure compliance with data protection laws. The DPA 2018 requires the DPC to publish particulars of any administrative fine which it imposes, and we await publication of the fine in due course.