Three statutory inquiries have been opened by the Data Protection Commission (DPC) into the child and family agency, Tusla, in relation to its compliance with GDPR since the EU-wide regulation came into effect in May 2018.
The first inquiry relates to three breach notifications received between February and May 2019 relating to unauthorised disclosure of personal data.
In one breach, Tusla accidentally disclosed to an alleged abuser the contact and location data of a mother and child victim.
In another case, the agency accidentally disclosed to a grandparent the contact, location and school details of foster parents and children. The grandparent subsequently made contact with the foster parents.
In a third breach, Tusla accidentally disclosed the address of children in foster care to their imprisoned father, who used the information to contact his children.
The second inquiry relates to a breach notification received from Tusla in November 2019 regarding the unauthorised disclosure of sensitive personal data.
The disclosure was made to an individual against whom an allegation of abuse had been made. The data was subsequently posted on social media.
The third inquiry relates to 71 personal data disclosure breaches notified by Tusla in November 2018.
In a statement, Tusla said it continues to work "proactively" with the DPC to "continuously improve our systems and practices".
The agency said it is due to give further detailed responses to the commissioner next week and "we will await the final findings of these investigations before commenting on specific details."
Data Protection Commissioner Helen Dixon said that many of the GDPR breaches at Tusla are due to human error, but she is satisfied that the agency is treating the issues seriously.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
Speaking on RTÉ's Today with Sean O'Rourke, she said that Tusla made 137 breach notifications to the DPC last year and the three investigations take in a large proportion of those.
Ms Dixon said: "Human error is behind an awful lot of them, a failure to think before disclosing information in a certain form, poor redaction of a document or a failure to redact all of the data that would be necessary before disclosing it. So there is a huge amount of issues in terms of addressing compliance at Tusla."
She said she believes that significant changes are being implemented at the agency - including a new data protection team - following meetings with the DPC.
Ms Dixon said that Tusla is beginning "to professionalise as an absolute necessity around data compliance" and that while the agency is "not there yet," she is satisfied it is treating the issue seriously.
The Ombudsman for Children said the data breaches by Tusla in relation to GDPR compliance are "seriously concerning."
Dr Niall Muldoon said it is "crucial" that the agency maintains its information in a safe way.
He said a child who makes an allegation of abuse "should feel comfortable that it won't come back to bite them."
Dr Muldoon also said that foster parents should not be contacted by family members of a fostered child, if they are not supposed to.
He said systems must be put in place to ensure the incidents under investigation do not happen again.
Overall, there has been a significant increase in the volume of complaints received by the Data Protection Commission over the past year.
Publishing its annual report for 2019, the DPC said it had received 7,215 complaints, an increase of 75% on the figure for 2018.
The office said there was also a 71% increase in data security breaches over the same period.
The report outlines the work of the DPC for the first full calendar year since the introduction of the General Data Protection Regulation.
The commission dealt with 70 statutory inquiries in 2019, including 21 that were international.
Six inquiries were opened in relation to how multinational technology companies were complying with GDPR.
The number of staff employed by the Data Protection Commission increased from 110 at the end of 2018, to 140 by December last year.
Additional reporting Fergal O'Brien