Data watchdog warns Tusla over record keeping
The number of complaints being dealt with by the Data Protection Commission soared to 2,642.
The country’s data watchdog has warned child and family agency Tusla about its poor record keeping in the wake of a false sex abuse allegation being circulated about whistleblower Sergeant Maurice McCabe.
The Data Protection Commission said the organisation did not properly plan for the processing of personal and sensitive data when it was set up almost four years ago.
It launched a special investigation into Tusla’s personal data controls after it emerged in February 2017 that an unfounded rape allegation had been put on a file relating to Sergeant McCabe and circulated to gardai three years earlier.
Tusla has apologised and the scandal has been examined at the Disclosures Tribunal.
The Data Protection Commission did not specifically reference the McCabe affair in its annual report.
It said its inquiry was launched in March last year into the governance of personal data concerning child protection cases. It found multiple and overlapping volumes of individual case files.
It said: “The processing of personal and sensitive personal data, in the context of file management and record keeping overall, was not sufficiently planned for in the form of a robust data governance strategy when Tusla was established in 2014, bringing together a considerable volume of case work and over 4,000 staff from three existing, but distinct, agencies.
“It is critical that the casework management system deployed across all areas of Tusla generates a full and complete record of all casework material concerning each case to mitigate the risk that the system might give an inaccurate, incomplete or distorted view of each case.
“Evidence was identified in the investigation of multiple and overlapping volumes of individual case files where no complete ‘master file’ could be identified, and with no audit trail in relation to the handling of the file.”
The Data Protection Commission carried out unannounced inspections in Tusla offices in Limerick, Tralee, Kilkenny, Drogheda, Navan, Churchtown, Portlaoise and the Dublin headquarters.
Tusla was issued with 59 findings by the Data Protection Commission in January and given two months to set out a plan of action.
Elsewhere, the watchdog said it expects to issue its first findings before June on its inquiries into the Public Services Card.
In its annual report, the office noted that it took in a record number of complaints in 2017 – 2,642, compared to 1,479 in 2016.
It also revealed that it dealt with a record 2,973 data breach notifications – 2,795 of which were classed as valid.
And Ms Dixon warned: “Cybersecurity must now be a key priority for all organisations to maintain ‘integrity and confidentiality’ – particularly as this is one of the two new general principles of data protection introduced under the GDPR (Europe’s General Data Protection Regulation) and against which the higher level of fines under GDPR will apply.”
The Commission also investigated 21 complaints on the “right to be forgotten”. Six were upheld, 12 were rejected and another three are still being examined.