Tusla spend over €400k on consultants without proper tender process

Thu, 17 Nov, 2022 - 02:00

Cianan Brennan

Child and family agency Tusla spent more than €400,000 hiring a consultancy firm, without a tender process, to deal with requests seeking access to personal information, including from survivors of mother and baby homes.

The agency spent some €406,750 in 2021 on data protection consultants Pembroke Privacy for the processing of personal information requests.

It is believed that the use of a private contractor would primarily be for the purposes of redaction of information in line with data protection law.

Data subject access requests (SARs) are a key component of the General Data Protection Regulation (GDPR), which gives individuals the right to request a copy of any of their personal data which has been processed by a separate entity. Such requests by law must be responded to free of charge.

A document on Tusla’s noncompliant procurement of Pembroke Privacy, submitted to the Oireachtas Public Accounts Committee, describes the services provided as being for processing SARs “in accordance with statutory requirements for children's files on data breaches which built up during Covid, the cyber attack, and as a consequence of the Mother and Baby Home Report”.

Ireland’s public procurement laws require that all contracts valued at greater than €25,000 must be subject to a full e-tenders process.

Tusla did not directly respond to a request for comment as to how many SARs were processed under the Pembroke contract in 2021, nor as to why the tender for the same contract was awarded without a full tender competition.

A spokesperson for the agency however said that the summary explanation “may have given rise to the perception that the work was about data breaches, when in fact it was about processing applications for records which had been delayed and built up and that itself would have been a breach of legislation pertaining to freedom of information and SARs”.

They added that Pembroke privacy are “established experts” and that the expenditure had occurred “in the context of the Covid-19 period, the cyber-attack on HSE systems, and the Mother and Baby Homes Report”.

Tusla is satisfied that this was a necessary expenditure at the time and in the context.

The issue of personal data and the right of access to same became a hot topic issue in the aftermath of the publication of the Mother and Baby Home Commission report in January 2021.

Privacy solicitor Simon McGarr said that “we know from previously released documents that Tusla has advocated for very broad redactions of people’s personal data in response to SARs from mother and baby home survivors”.

“These records reveal the financial cost of their singular interpretation of GDPR, on top of the human cost of withholding information about people’s lives from them,” Mr McGarr added.