Dublin ETB fined €125,000 for data protection breaches 

The Data Protection Commission concluded after a six-year investigation that the ETB had breached GDPR in multiple ways by both failing to ensure sufficient security for the personal data on its website and by then neglecting to inform the commission of the issue in due course when it was first discovered. Picture: Brian Lawless/PA

Dublin’s Education and Training Board (CDETB) has been fined €125,000 by the Data Protection Commission after the personal details of 13,000 grant applicants were made available to “unauthorised persons”.

The commission concluded after a six-year investigation that the ETB had breached GDPR in multiple ways by both failing to ensure sufficient security for the personal data on its website and by then neglecting to inform the commission of the issue in due course when it was first discovered.

The fine of €125,000 is the second largest levied by the commission on an Irish State body.

That penalty stands second only to the €550,000 fine handed to the Department of Social Protection earlier this month for the use of biometric data on its public services card.

The commission commenced an own-volition inquiry in 2019 after CDETB discovered the previous November that the personal data of students whose grant applications it had initially processed was being retained on its web servers, rather than being routinely deleted after being forwarded on to the relevant team within the grants administration agency Susi.

Susi itself is a subsidiary of the CDETB, which was designated in 2012 as the single awarding authority for new student grants.

One month previously the ETB had likewise become aware of the presence of malware on its web servers, a fact which served to compound the data breach.

All told the data breach comprised the personal details of roughly 13,000 people who had applied for grants during 2017 and 2018.

The data contained in the breach included names, birth dates, PPS numbers, contact details, details of race and ethnicity, health status, and ‘identification data’.

In addition to finding that the CDETB had failed to notify the Data Protection Commission of the breaches within the statutory timeframe of 72 hours, the Commission also found that the CDETB had declined to communicate the breach to the people who had been impacted, despite being specifically requested to do so.

The DPC added that the fine of €125,000 would have been higher — with a top level of €210,000 outlined in the Commission’s initial draft decision on the matter — but for the mitigating behaviour of the ETB once it discovered that it was to be the subject of an adverse ruling.

“The final fines reflect the mitigation occasioned by CDETB accepting each of the findings of infringements set out in the draft decision,” the commission said, adding that the ETB had acknowledged “full responsibility for the breach”.
