The Data Protection Commissioner has criticised Tusla's processing of personal data in an investigation initiated following the controversy about the agency's handling of an allegation made against garda whistleblower Sergeant Maurice McCabe.

The commissioner's annual report found that Tusla did not sufficiently plan for the processing of personal and sensitive data with a robust data governance strategy.

The investigation found evidence of multiple and overlapping volumes of individual case files where no complete "master file" could be identified, and with no audit trail in relation to the handling of the file.

The report says it is critical that the casework management system deployed across all areas of Tusla generates a full and complete record of all material.

This should be done to mitigate the risk that the system might give an inaccurate, incomplete or distorted view.

Fifty-nine findings have been presented to Tusla and the agency has been requested to present a plan of action within two months outlining its response.

Officers inspected files at Tusla offices at Limerick, Tralee, Kilkenny, Drogheda, Navan, Churchtown, Portlaoise and at the agency's head office in Dublin.

Four of the inspections were unannounced.