Ireland: First GDPR fine issued in Ireland

Eilis McDonald & John Magee

Tusla, Ireland’s child and family agency, has become the first organisation fined under the GDPR in Ireland. The Irish Data Protection Commission filed papers in the Circuit Court on Friday to confirm the €75,000 fine against the Agency. It is reported the fine will not be challenged by Tusla.

In its 2019 Annual Report, the DPC reported three separate statutory inquiries into Tusla in respect of a number of breaches which had been reported to it since May 2018. The breaches included various instances of inappropriate system access, accidental and inappropriate disclosure of personal data by email and unauthorised disclosure of data.

Tusla collects and processes highly sensitive, often special category data concerning children, vulnerable women and families across Ireland. When it was established in 2014, it combined the casework of over 4,000 members of staff which had previously worked for various other State agencies.  In 2017, the DPC’s Special Investigation Unit (SIU) investigated the governance of Tusla, examining the processing of personal data in child protection cases. It found that there had been insufficient governance planning when Tusla was established, taking into account the volume of cases which it subsumed in 2014. In particular, the initial SIU report found there to be legacy IT infrastructure still in place between Tusla and some other State agencies including the HSE, whose sub agencies now form part of Tusla.

Organisations must ensure they have robust access controls and security measures in place to prevent against unauthorised disclosure. The internal mapping of data flows is a key element of a strong data governance regime, and is an exercise which will highlight any potential gaps or loopholes in the flow of personal data throughout an organisation.

This fine is the first issued by the DPC in the GDPR era and others are likely to follow shortly. The decision also highlights a noteworthy aspect of Irish data protection enforcement – that all GDPR fines must be confirmed by the courts. It will act as a reminder to organisations of the powers of the regulator when considering their obligations in relation to privacy, data protection and information security governance.

Please contact the authors or your usual DLA Piper contact if you would like further assistance.