Inquiry into City of Dublin Education and Training Board (CDETB) - June 2025
(IN-19-7-3)
Date of Decision: 23 June 2025
Type of Inquiry: Own-volition
Subject Matter: Data Breach
Material Scope: Articles 5(1)(f), 32(1), 32(2), 33(1), 34(1) and 34(4) GDPR
This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by City of Dublin Education and Training Board (‘CDETB’) in November 2018. CDETB is the state education and training authority for Dublin city and is also responsible for Student Universal Support Ireland (‘SUSI’), the national awarding authority for student grants.
Summary of the breach
SUSI was created in 2012 as a business unit of CDETB. CDETB, through SUSI, operates a website (https://www.susi.ie) on which third-level students can apply, and find information relating to their eligibility, for a higher education grant.
The breach arose due to a combination of two factors. Firstly, CDETB discovered that its webserver was retaining the personal data of student grant applicants who had uploaded information connected to their grant applications through CDETB’s website. Prior to this discovery, CDETB had assumed that personal data submitted through its website were being emailed to the relevant SUSI team and were not being retained locally. Secondly, CDETB discovered that there was also malware present on the webserver, which presented a risk that the retained personal data had been unlawfully disclosed.
The breach impacted approximately 13,000 data subjects, identifiable by email address, who had submitted supplementary forms through the SUSI website during 2017 and 2018. The personal data impacted by the breach included names, surnames, birth dates, PPSNs, contact details, identification data and special categories of data (such as data revealing racial or ethnic origin and health data).
The DPC’s inquiry assessed CDETB’s technical and organisational measures for ensuring the security of the personal data that it processed, including whether it had carried out an appropriate risk assessment prior to its implementation of certain additional functionality to its website, and also examined CDETB’s compliance with its obligation to notify the breach to both the DPC and to affected data subjects.
Technical and organisational measures for security
The SUSI website was not originally intended to process personal data. Subsequently, in April 2017, CDETB added functionality to enable grant applicants to submit supplementary requests and information (including personal data) through the website. However, due to inadequate project scoping and risk assessment by CDETB, this information was stored locally on the webserver. The processing affected the personal data of a large number of individuals, so the DPC determined that the risks to be addressed in CDETB’s technical and organisational measures for security were high. As CDETB was not aware that personal data were being stored locally on the webserver, there were no technical and organisational measures in place to ensure that this personal data were being kept secure. The DPC’s inquiry found that, while CDETB had implemented a number of appropriate security measures, some significant failings and omissions were evident:
- CDETB did not undertake a risk analysis to identify, analyse or address any threats to its processing activities in relation to the susi.ie website prior to the breach.
- CDETB did not adequately archive access, event and error logs, did not undertake penetration testing and did not operate a web application firewall at the relevant time.
- CDETB did not carry out appropriate testing of its technical and organisational measures in order to evaluate their effectiveness and identify weaknesses.
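The retention defect described above, modelled in miniature as an added example (not code from the DPC decision or from CDETB's systems): the legacy handler writes each submitted form to the webserver's disk before emailing it and never deletes it, so personal data silently accumulates on the host; the hardened handler forwards the upload from memory, and a retention audit verifies the assumption "nothing is retained locally" rather than trusting it. The mail stub, directory, file names and sample submission are all constructed here.

```python
import tempfile
from pathlib import Path

SENT_MAIL: list[tuple[str, bytes]] = []  # constructed stand-in for the team mailbox

def send_to_team(filename: str, payload: bytes) -> None:
    """Stub for the mail relay; records what would have been emailed."""
    SENT_MAIL.append((filename, payload))

def legacy_handle_upload(upload_dir: Path, filename: str, payload: bytes) -> Path:
    """Defective flow: persist first, email second, never clean up.
    The file remains on the webserver indefinitely."""
    dest = upload_dir / filename
    dest.write_bytes(payload)
    send_to_team(filename, dest.read_bytes())
    return dest

def hardened_handle_upload(filename: str, payload: bytes) -> None:
    """Forward the submission from memory; no copy touches local disk."""
    send_to_team(filename, payload)

def audit_retained_submissions(upload_dir: Path) -> list[str]:
    """Return any submission files still present; expected to be empty.
    Running this periodically turns the 'not retained' assumption into a check."""
    return sorted(p.name for p in upload_dir.iterdir() if p.is_file())

def demo() -> tuple[list[str], list[str]]:
    """Run both handlers on a constructed sample and audit after each.
    Returns (files retained by legacy flow, files retained by hardened flow)."""
    sample = b"name=Example Applicant;ppsn=<constructed>;health=<constructed>"
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        legacy_handle_upload(upload_dir, "form_0001.txt", sample)
        retained_legacy = audit_retained_submissions(upload_dir)
        for name in retained_legacy:  # remediation: purge what the audit found
            (upload_dir / name).unlink()
        hardened_handle_upload("form_0002.txt", sample)
        retained_hardened = audit_retained_submissions(upload_dir)
    return retained_legacy, retained_hardened

if __name__ == "__main__":
    print(demo())  # (['form_0001.txt'], [])
```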
While CDETB subsequently adopted a wide range of measures to remediate the deficiencies identified during the inquiry, the DPC found that CDETB had infringed Articles 5(1)(f), 32(1) and 32(2) GDPR at the material time by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data on its website, and by failing to assess the appropriate level of security.
Prompt notification of personal data breach
Article 33 GDPR requires data controllers to notify their supervisory authority of every personal data breach that is likely to pose a risk to rights and freedoms of persons. The notification must be made ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’.
CDETB informed the DPC that it became aware on 16 October 2018 that a breach relating to the security of the processing of personal data had occurred on its SUSI webserver. Following this discovery, CDETB commissioned an investigation into the breach. However, CDETB did not notify the DPC of the breach until 16 November 2018, approximately one month after it had become aware of it. CDETB’s notification to the DPC offered no explanation for this delay.
The DPC’s inquiry established that the personal data breach resulted in a risk to the rights and freedoms of data subjects which CDETB became aware of on 16 October 2018. The breach therefore became notifiable to the DPC at that time and CDETB was obliged to notify the DPC without undue delay. As CDETB did not notify the DPC of the breach until 16 November 2018, the DPC found that CDETB infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay.
Notification to data subjects
Article 34(1) GDPR requires data controllers to communicate a personal data breach to data subjects without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of those data subjects. Article 34(4) GDPR requires data controllers to notify data subjects of a data breach where the relevant supervisory authority (in this case the DPC) requires the controller to do so, after the supervisory authority determines that it is necessary to do so having considered the likelihood of the personal data breach resulting in a high risk to data subjects.
CDETB initially informed the DPC that it would be informing affected data subjects of the data breach. However, CDETB subsequently stated that it would not notify data subjects of the incident until it had considered legal advice. CDETB eventually informed the DPC that, having received an incident report about the data breach, it was of the opinion that the risk to data subjects was low and that there was therefore no obligation to inform data subjects of the breach.
However, the DPC determined that due to the high number of data subjects affected and the broad nature of the personal data involved, there was a high risk to the data subjects concerned. The DPC found that CDETB was under an obligation to notify the affected data subjects without undue delay and that, by failing to do so, CDETB infringed Article 34(1) GDPR.
On 15 January 2019, the DPC issued CDETB with a formal direction under Article 34(4) GDPR to notify all affected data subjects of the breach. The DPC informed CDETB that, due to the nature of the breach and the nature of the personal data potentially impacted, the DPC considered that the risk posed to data subjects could be severe. However, CDETB declined to comply with the DPC’s direction at that time, because in CDETB’s view the threshold for notification to data subjects had not been met. CDETB did not communicate the personal data breach to the affected data subjects until 16 December 2020. As a result, the DPC found that CDETB infringed Article 34(4) GDPR by failing to communicate the personal data breach to data subjects when required to do so by the DPC as its supervisory authority on 15 January 2019.
Corrective measures
The DPC exercised a number of corrective measures on foot of the infringements found in the inquiry. In deciding on the corrective measures to be exercised, the DPC took account of all required factors including the risks posed by the processing, the types of personal data and numbers of persons affected, as well as the remedial steps taken by CDETB. The DPC also had regard to section 141(4) of the Data Protection Act 2018, which sets a maximum of €1,000,000 for administrative fines that may be imposed on ‘public authorities’, a category that includes bodies such as CDETB.
Corrective measures exercised by the DPC were:
- a reprimand to CDETB in respect of the infringements identified,
- an order to CDETB to bring its processing into compliance with the GDPR’s security requirements and to report to the DPC on the steps taken,
- an administrative fine of €50,000 in respect of CDETB’s infringement of Articles 5(1)(f), 32(1)(b), 32(1)(d) and 32(2) GDPR,
- an administrative fine of €15,000 in respect of CDETB’s infringement of Article 33(1) GDPR,
- an administrative fine of €10,000 in respect of CDETB’s infringement of Article 34(1) GDPR, and
- an administrative fine of €50,000 in respect of CDETB’s infringement of Article 34(4) GDPR.
However, the DPC commends the tenor and tone of CDETB’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its Decision. These fines, totalling €125,000, are substantially lower than the fining range proposed in the draft Decision, the maximum of which was €210,000. The final fines reflect the mitigation occasioned by CDETB accepting each of the findings of infringement set out in the draft Decision, acknowledging full responsibility for the breach, apologising to both the affected data subjects and the regulator, and proactively taking steps, without having specifically been directed to do so by the DPC, to reduce the likelihood of similar breaches occurring in future.
Key Takeaways
- Carry out proper risk assessments when making changes to ICT systems in order to determine whether personal data may be impacted and to ensure proper organisational and technical security measures are put in place if so.
- Act promptly and diligently in notifying data breaches to the DPC and to data subjects, where required – do not cause undue delay while awaiting the outcome of third-party investigations in order to determine whether each risk threshold has been met; the controller is responsible for ensuring the DPC is notified without undue delay.
- Where, as in this case, the DPC specifically directs that a breach be notified to data subjects pursuant to Article 34(4), controllers should act without delay in doing so.
The full decision is now available for download (20MB, PDF).
The corrigendum to the decision is also available for download (4.5MB, PDF).