Over 200 data breaches at Tusla in year-and-a-half

A detailed breakdown of the cases shows there were 71 breaches in the second half of 2018 and a further 130 incidents last year.

The breaches were broken down into four risk categories, ranging from no risk to high risk.

Altogether, 23 of the incidents were classed as high risk, a further 53 deemed medium risk, and 123 categorised as low risk. 

A further two were said to have had no risk attached.

The vast majority of the cases, a total of 163 out of 201, involved an “employee error or omission”.

However, one incident involving an “intentional act” by an employee was recorded as were seven external incidents involving “intentional” disclosures.

In one case, a contractor working for Tusla was also responsible for an intentional data breach, according to records released under FoI.

Of the 201 cases, 47 were down to an error involving sending data to the incorrect email address.

Another 51 cases involved postal address mistakes and 19 breaches were described as a “record shared in error”.

Four breaches involved “system misuse” and 13 cases were incidents where records were incompletely redacted and contained more private information than they should.

Of the 23 cases categorised as high risk, the majority involved employee error or omission but two were described as involving an “external intentional act”.

Geographic location was available only for the 2019 data and it showed the majority of breaches took place in Dublin.

A dozen were reported at Tusla headquarters last year while 15 were recorded in the Dublin North area.

The highest overall figure was the 16 breaches reported in the mid-west region while just one breach each was listed for Mayo, Kerry, and North Dublin.

Tusla has been levied with two fines by the Data Protection Commissioner already this year.

The latest case related to a breach involving unauthorised disclosure of information to an alleged abuser, which was subsequently posted to social media.

In the other case, Tusla was fined €75,000 for three separate breaches, one of which involved the accidental disclosure of contact and location data of a mother and child to an alleged abuser.

The two other breaches involved disclosure of data about children in foster care to a grandparent and an imprisoned father.

A spokeswoman for the agency said it handles 60,000 referrals to child protection and welfare services each year and is responsible for a further 6,000 children in care.

“The volume of data Tusla deals with on a daily basis, and the complexity and sensitivity of much of this data, means that on occasions when breaches regrettably do occur, that this may have a significant impact on the people involved,” said the spokeswoman.

“We are acutely aware of our responsibilities in relation to this very sensitive data and take all breaches extremely seriously.” 

She said all breaches were reported to the Data Protection Commissioner within 72 hours and every measure possible was taken to retrieve the information.

Tusla also said it had appointed a new data protection officer late last year, ran significant training programmes, is rolling out an awareness campaign, and is actively building expertise.