Who We Are

Inquiry into Tusla Child and Family Agency

Area: Public Authority

Topic: Data security

Articles: 5, 32, 33

DPC Reference: IN-18-11-4

Decision Date: 12 August 2020

This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:

  • Five distinct findings of infringements of Article 32(1) of the GDPR in respect of Tusla’s obligation implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its various processing operations.

  • A finding that Tusla infringed Article 32(4) of the GDPR by failing to take steps to ensure that any natural person acting under their authority does not process personal data except on instructions from Tusla.

  • A finding that Tusla infringed Article 5(1)(d) of the GDPR on the four occasions by failing to ensure that the personal data that it processed was accurate and, where necessary, kept up to date.

  • A finding that Tusla infringed Article 33(1) of the GDPR on 8 occasions by failing to notify the personal data breaches without undue delay.

The corrective powers exercised

  • The decision imposed two distinct administrative fines on Tusla for its infringements of Article 32(1) and Article 33(1) in circumstances where some of the processing operations under consideration were not “the same or linked processing operations” within the meaning of Article 83(3) of the GDPR. The amount of the fines were €50,000 and €35,000 respectively.

  • The decision ordered Tusla to bring its processing operations identified in the decision into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risks.

  • The decision issued a reprimand to Tusla regarding its infringements of Articles 5(1)(d), 32(1), 32(4), and 33(1) of the GDPR.

For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency - August 2020 (PDF, 1.92mb).

Inquiry into Tusla Child and Family Agency

Area: Public Authority

Topic: Data security

Articles: 32, 33

DPC Reference: IN-19-12-8

Decision Date: 21 May 2020

This inquiry was commenced in respect of one personal data breach notified by Tusla to the DPC. The personal data breach occurred when a social worker for Tusla wrote a safeguarding letter to the ex-partner of an individual against whom abuse allegations had been made. The purpose of this letter was to inform the ex-partner about the alleged abuse and to advise her of safeguarding procedures to ensure ongoing safety. However, the letter contained the names of three individuals who made the allegations and details of the allegations made. The ex-partner subsequently shared a photograph of the safeguarding letter on social media.

  • The decision found that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its safeguarding letters processing operation.

  • The decision also found that Tusla infringed Article 33(1) of the GDPR by failing to notify the DPC of the third breach without undue delay.

The corrective powers exercised

  • The decision imposed an administrative fine of €40,000 on Tusla for its infringements of Article 32(1) and Article 33(1).

  • The decision ordered Tusla to bring its processing operations into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risk.

  • The decision issued Tusla with reprimands in respect of the infringements of Articles 32(1) and 33(1) of the GDPR.

For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency - May 2020 (PDF, 1.90mb).

Inquiry into Tusla Child and Family Agency

Area: Public Authority

Topic: Data security

Articles: 32

DPC Reference: IN-19-10-1

Decision Date: 7 April 2020

This inquiry was commenced in respect of three personal data breaches notified by Tusla to the DPC. All three personal data breaches occurred in circumstances where Tusla failed to redact personal data when providing documents to third parties.

The first personal data breach occurred when Tusla unintentionally provided the father of two children in care with their foster carer’s address.

The second breach occurred when Tusla unintentionally provided an individual who was accused of child sexual abuse with the address of the child who made the complaint and with her mother’s telephone number.

The third breach occurred when Tusla unintentionally provided the grandmother of a child in care with the address and contact details of the child’s foster parents and the location of the child’s school.

  • The decision found that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data in respect of its sharing of documents with third parties.

  • The decision also found that Tusla infringed Article 33(1) of the GDPR by failing to notify the DPC of the third breach without undue delay.

The corrective powers exercised

  • The decision imposed an administrative fine of €75,000 on Tusla for its infringements of Article 32(1) and Article 33(1).

  • The decision ordered Tusla to bring its processing operations into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risk.

  • The decision issued Tusla with reprimands in respect of the infringements of Articles 32(1) and 33(1) of the GDPR

For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency (PDF, 1.91mb).

Inquiry into Kerry County Council

Area: Public Authority

Topic: LED

DPC Reference: (02-SIU-2018)

Decision Date: 25 March 2020

This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:

  • A finding that the Litter Pollution Act 1997, the Waste Management Act 1996, and the Local Government Act 2001 do not provide a lawful basis for Kerry County Council’s use of CCTV to detect litter offences. The DPC comprehensively considered these Acts and found that they do not regulate this processing of personal data as is required by the Law Enforcement Directive, as transposed by the Data Protection Act 2018. Furthermore, the decision found that the Acts do not to meet the standards of clarity, precision, and foreseeability in respect of such processing as required by the case-law of the Court of Justice and the European Court of Human Rights.
  • The other findings in the decision include infringements relating to appropriate signage and general transparency, the lack of written rules or guidelines governing staff access to the CCTV, the use of smartphones or other recording devices in the CCTV monitoring room, the practice of sharing login details for accessing CCTV footage, auditing the audit trails of CCTV footage, and the requirement for Data Protection Impact Assessments, amongst others.

The corrective powers exercised

  • A temporary ban on the processing of personal data through the CCTV cameras at the five locations used for detecting and taking enforcement action against those engaged in littering and the CCTV cameras at Amenity Walk.
  • An order to Kerry County Council to bring its processing of personal data into compliance taking certain action specified in the decision.
  • A reprimand in respect of Kerry County Council’s infringements.

For more information, you can download a copy of the full decision at this link: Kerry County Council - March 2020 (PDF, 952 KB).

Inquiry into An Garda Síochána

Area: Garda

Topic: LED

Articles: S 38

DPC Reference: 01-SIU-2018

Decision Date: 23 August 2019

This inquiry concerned Garda operated CCTV schemes pursuant to Section 38(3)(a) of the Garda Síochána Act 2005. The findings made in the decision include:

  • Findings that An Garda Síochána had infringed the following Sections of the 2018 Act in respect of its use of Automatic Number Plate Recognition (ANPR) cameras:
    • Section 75(3) of the 2018 Act by failing to implement an appropriate data protection policy; 
    • Section 76 of the 2018 Act by failing to implement the appropriate data protection by design and default safeguards in respect of the ANPR cameras; and
    • Section 84 by reason of its failure to carry out a data protection impact assessment on the ANPR surveillance system for which it is the data controller, to test the necessity of ANPR cameras and to demonstrate that the use of ANPR cameras is justified and proportionate.
  • The other findings in the decision include infringements relating to excessive access to monitoring rooms, appropriate signage and general transparency, governance issues relating to the CCTV systems, and the absence of written contracts between AGS and third party data processors.

The corrective powers exercised

  • A temporary ban on the processing of personal data involving the operation of ANPR cameras.
  • An order to An Garda Síochána to bring its processing of personal data into compliance taking certain action specified in the decision.
  • A reprimand in respect of An Garda Síochána’s infringements.

For more information, access the full decision as PDF Document

Sharenting - Top Tips

21st November 2025

Parents often view posting and sharing important milestones in their children’s lives as a way of positively connecting with friends and family, but it’s important to remember that sharing online can never be 100% safe and carries many risks. ...