No one sanctioned for Tusla data breach

Nobody has been sanctioned in Tusla for serious data breaches being investigated by the Data Protection Commissioner, it has emerged.
Last year, the child and family agency detected and reported 137 data breaches to the commissioner, Helen Dixon, and that resulted in her office opening up three separate investigations.
Tusla chief executive Bernard Gloster said that while no Tusla worker had been held accountable for the breaches, an investigation was under way into how one occurred.
In one breach, Tusla accidentally disclosed the contact and location data of a mother and child victim to an alleged abuser.
The Irish Examiner reported that, in that case, the accused man simply asked the agency for the details and received them.
Mr Gloster said there was no indication that anyone either acted “maliciously or malevolently” in any way.
“They are much more in the territory of human error,” he said on RTÉ Radio.
However, staff who were found to have handled information in a “deliberate or negligent manner” could expect “the highest levels of accountability”.
Mr Gloster said he wanted to make it clear that even one breach was one too many for the organisation, given the sensitive information that it deals with.
Asked if people’s safety was put at risk by the breaches, Mr Gloster said it certainly put the mother and child at an increased risk.
“There is no point in saying anything different,” he said.
Mr Gloster said the majority of the 137 breaches came into a “lower-risk” category. Nevertheless, where people were the subject of a data breach, they were notified about it and told of the efforts made to correct it.
Tusla’s child protection and welfare service receives 60,000 referrals a year. Such a high volume of work added to the pressures that staff experienced, said Mr Gloster.
The work was very intensive and complex and that did add to “the risk of error”.
All referrals are now processed by Tusla’s national childcare information system (NICCS) and Mr Gloster said it had reduced the risk of generating paper.
Tusla was also “very attentive” to the risk of sharing offices with HSE staff and had introduced several changes to secure information in those facilities.
Mr Gloster said they were about to carry out an audit of the NICCS system to identify any potential security risks.
He said the system, which had 450,000 child protection and welfare cases logged onto it, was continuously being upgraded.
His “significant concern” was about the volume of paper records that Tusla continued to hold.
He said almost half of the 200 breaches that Tusla notified to the commission last year and over the second half of 2018 were due to postal and email errors.
“It might appear shocking to the public but it is often as simple as the wrong letter going in the wrong envelope,” said Mr Gloster.