Fears mother and baby home archive could be hacked, damaged or lost 

There were fears that information relating to criminal acts perpetrated on survivors could also be compromised, records show. Picture: Laura Hutton/RollingNews.ie

Tusla warned there was a chance the archive of the mother and baby home commission could end up damaged, lost, or be compromised in a data leak.

In discussions with the Data Protection Commission (DPC), the Child and Family Agency said there was a “high risk” of problems arising with the transfer of the database to them for safekeeping.

It said the highly sensitive records were held using “legacy” technology, which heightened the risk of accidental or unlawful destruction, loss of records, alteration of files, or unauthorised disclosure.

Records released under Freedom of Information reveal there were fears that information relating to criminal acts perpetrated on survivors could also be compromised.

A copy of an informal data protection assessment by the DPC said: “If a breach were to occur, as Tusla noted, the effects on the individuals concerned would be detrimental.” 

The assessment said a digital preservation plan – to ensure the long-term security of the database – should be put in place as a matter of priority.

Allegations of criminality against individuals

Tusla was also asked to carry out an analysis of the archive to see if it contained allegations of criminality against individuals.

The informal assessment said: “With respect to the nature of the data processed, Tusla have not identified that any of the personal data relating to a data subject may relate to an accusation of a criminal activity perpetrated by that individual.

“It is recommended that Tusla examine this possibility, identify whether any risks are associated with such personal data, and examine whether any measures or actions are required to mitigate the risk.” 

The internal records detail that there were nearly 850,000 pages of records comprising 100,000 different documents and referring to 130,000 people.

Concerns were also raised about inaccuracies with such a large volume of records and the possibility of recording or transcription errors before Tusla took control of the archive.

Tusla had warned of potential “distress” for survivors and their families if information proved to be incorrect, saying this represented a “high risk”.

Tusla's approach queried

In later correspondence over how requests for personal records would be handled, the Data Protection Commission queried Tusla’s approach.

The DPC also cautioned Tusla about its approach to requests where a survivor might seek personal information that would disclose who their natural mother was.

It said birth certificates – including the “requester’s birth mother name” – were already openly available at the Register of Live Births, although sometimes people might not have enough information to track down their own details.

An advisory note to Tusla said: “To automatically consider that a data subject exercising their right of access will adversely affect the rights of others without any other analysis appears contrary to the requirement to apply any limitation on an EU right in a strict manner.” 

The DPC also raised questions over one suggested approach by Tusla, which involved contacting the natural mother when a survivor came looking for information about their birth.

Their letter said: “The DPC questions Tusla’s position that because the GDPR does not discretely authorise the contacting of the third party, the collection of such personal data from the third party may infringe the GDPR’s provisions concerning lawfulness.” 

Asked about the records, a spokesman for Tusla said: “Tusla voluntarily consulted with the Data Protection Commission regarding the Data Protection Impact Assessment.

“The DPC made recommendations regarding certain risks that [were] identified. This is a normal part of the process, which identifies and addresses risk.” 

The Data Protection Commission said it had engaged with Tusla as part of its supervision function to provide guidance, especially around the right of access to records for survivors.

A statement said: “The DPC raised a number of matters concerning Tusla’s policies and procedures for handling data subject access requests. In response to the matters raised, Tusla has revised its policies and procedures to align with the requirements of the GDPR.” 

© Examiner Echo Group Limited