Decisions



Inquiry into Tusla Child and Family Agency - August 2020

This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:

  • Five distinct findings of infringements of Article 32(1) of the GDPR in respect of Tusla’s obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its various processing operations.

  • A finding that Tusla infringed Article 32(4) of the GDPR by failing to take steps to ensure that any natural person acting under their authority does not process personal data except on instructions from Tusla.

  • A finding that Tusla infringed Article 5(1)(d) of the GDPR on four occasions by failing to ensure that the personal data that it processed was accurate and, where necessary, kept up to date.

  • A finding that Tusla infringed Article 33(1) of the GDPR on 8 occasions by failing to notify the personal data breaches without undue delay.

The corrective powers exercised:

  • The decision imposed two distinct administrative fines on Tusla for its infringements of Article 32(1) and Article 33(1) in circumstances where some of the processing operations under consideration were not “the same or linked processing operations” within the meaning of Article 83(3) of the GDPR. The amounts of the fines were €50,000 and €35,000 respectively.

  • The decision ordered Tusla to bring its processing operations identified in the decision into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risks.

  • The decision issued a reprimand to Tusla regarding its infringements of Articles 5(1)(d), 32(1), 32(4), and 33(1) of the GDPR.


Inquiry into Centric Health Ltd. (“Centric”) - February 2023

The DPC commenced the Inquiry following a ransomware attack affecting patient data held on Centric’s patient administration system, which was notified to the DPC on 5 December 2019. As a result, 70,000 data subjects were affected by access to, unauthorised alteration of, and loss of availability of their personal and special category data. Of these, 2,500 patients were permanently affected as their data was deleted with no backup available.

The decision considered whether Centric had complied with Articles 5(1)(f), 5(2) and 32(1) GDPR and, in particular, whether Centric had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that Centric had infringed its obligations under Articles 5(1), 5(2) and 32(1) GDPR and that the processing by Centric within its Patient Administration System failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The corrective powers exercised:

  • The decision issued Centric with a reprimand in respect of the infringements.
  • The decision imposed an administrative fine on Centric in the amount of €275,000 in respect of the infringement of Article 5(1)(f) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €50,000 in respect of the infringement of Article 5(2) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €135,000 in respect of the infringement of Article 32(1) GDPR.