RegSol Blog

Data Protection Commission Fines Tulsa

May 2020

On the 21st of May 2020, Tusla was issued with a second fine by the Data Protection Commission (DPC) for a breach of data protection rules. 

The decision was issued to the Child and Family Agency following the completion of an inquiry that began in November 2019 and have 28 days to appeal the decision. 

It relates to a breach notified to the DPC in November 2019 regarding an unauthorised disclosure of sensitive personal data. The disclosure was made to an alleged abuser and the data was subsequently posted on social media.

"As the decision referred to has only just been received, we are not in a position to comment further until we have reflected on all of the matters," Tusla said in a statement.

Earlier this week the Sunday Times revealed that Tusla had become the first body to be fined in Ireland by the DPC for a data protection breach under the stricter rules contained in the General Data Protection Regulation (GDPR).

That case related to three breaches reported in February and March of last year.
One of those cases involved the accidental disclosure of the contact and location data of a mother and child to an alleged abuser.

The fine for the three breaches totalled €75,000.

"Tusla has and continues to engage constructively with the DPC and the public on these matters," it said.

That inquiry was launched by the regulator in January last year and was initiated following a receipt of a data breach notification by the social media platform.

It relates to its compliance with the requirement under Article 33 of the GDPR to notify the DPC of a breach within 72 hours and provide certain information.

Under GDPR, a company that breaks privacy laws can be fined up to 4% of global revenue or €20 million, whichever is higher.

By Judy de Castro - Regulatory Consultant