Who We Are

Inquiry into Tusla Child and Family Agency

Area: Public Authority

Topic: Data security

Articles: 32

DPC Reference: IN-19-10-1

Decision Date: 7 April 2020

This inquiry was commenced in respect of three personal data breaches notified by Tusla to the DPC. All three personal data breaches occurred in circumstances where Tusla failed to redact personal data when providing documents to third parties.

The first personal data breach occurred when Tusla unintentionally provided the father of two children in care with their foster carer’s address.

The second breach occurred when Tusla unintentionally provided an individual who was accused of child sexual abuse with the address of the child who made the complaint and with her mother’s telephone number.

The third breach occurred when Tusla unintentionally provided the grandmother of a child in care with the address and contact details of the child’s foster parents and the location of the child’s school.

  • The decision found that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data in respect of its sharing of documents with third parties.

  • The decision also found that Tusla infringed Article 33(1) of the GDPR by failing to notify the DPC of the third breach without undue delay.

The corrective powers exercised

  • The decision imposed an administrative fine of €75,000 on Tusla for its infringements of Article 32(1) and Article 33(1).

  • The decision ordered Tusla to bring its processing operations into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risk.

  • The decision issued Tusla with reprimands in respect of the infringements of Articles 32(1) and 33(1) of the GDPR

For more information, you can download the full decision at this link: Inquiry into Tusla Child and Family Agency (PDF, 1.91mb).

Inquiry into Kerry County Council

Area: Public Authority

Topic: LED

DPC Reference: (02-SIU-2018)

Decision Date: 25 March 2020

This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:

  • A finding that the Litter Pollution Act 1997, the Waste Management Act 1996, and the Local Government Act 2001 do not provide a lawful basis for Kerry County Council’s use of CCTV to detect litter offences. The DPC comprehensively considered these Acts and found that they do not regulate this processing of personal data as is required by the Law Enforcement Directive, as transposed by the Data Protection Act 2018. Furthermore, the decision found that the Acts do not to meet the standards of clarity, precision, and foreseeability in respect of such processing as required by the case-law of the Court of Justice and the European Court of Human Rights.
  • The other findings in the decision include infringements relating to appropriate signage and general transparency, the lack of written rules or guidelines governing staff access to the CCTV, the use of smartphones or other recording devices in the CCTV monitoring room, the practice of sharing login details for accessing CCTV footage, auditing the audit trails of CCTV footage, and the requirement for Data Protection Impact Assessments, amongst others.

The corrective powers exercised

  • A temporary ban on the processing of personal data through the CCTV cameras at the five locations used for detecting and taking enforcement action against those engaged in littering and the CCTV cameras at Amenity Walk.
  • An order to Kerry County Council to bring its processing of personal data into compliance taking certain action specified in the decision.
  • A reprimand in respect of Kerry County Council’s infringements.

For more information, you can download a copy of the full decision at this link: Kerry County Council - March 2020 (PDF, 952 KB).

Inquiry into An Garda Síochána

Area: Garda

Topic: LED

Articles: S 38

DPC Reference: 01-SIU-2018

Decision Date: 23 August 2019

This inquiry concerned Garda operated CCTV schemes pursuant to Section 38(3)(a) of the Garda Síochána Act 2005. The findings made in the decision include:

  • Findings that An Garda Síochána had infringed the following Sections of the 2018 Act in respect of its use of Automatic Number Plate Recognition (ANPR) cameras:
    • Section 75(3) of the 2018 Act by failing to implement an appropriate data protection policy; 
    • Section 76 of the 2018 Act by failing to implement the appropriate data protection by design and default safeguards in respect of the ANPR cameras; and
    • Section 84 by reason of its failure to carry out a data protection impact assessment on the ANPR surveillance system for which it is the data controller, to test the necessity of ANPR cameras and to demonstrate that the use of ANPR cameras is justified and proportionate.
  • The other findings in the decision include infringements relating to excessive access to monitoring rooms, appropriate signage and general transparency, governance issues relating to the CCTV systems, and the absence of written contracts between AGS and third party data processors.

The corrective powers exercised

  • A temporary ban on the processing of personal data involving the operation of ANPR cameras.
  • An order to An Garda Síochána to bring its processing of personal data into compliance taking certain action specified in the decision.
  • A reprimand in respect of An Garda Síochána’s infringements.

For more information, access the full decision as PDF Document

Sharenting - Top Tips

21st November 2025

Parents often view posting and sharing important milestones in their children’s lives as a way of positively connecting with friends and family, but it’s important to remember that sharing online can never be 100% safe and carries many risks. ...