Dáil debates

Thursday, 20 September 2018

Ceisteanna Eile - Other Questions

General Data Protection Regulation Implementation

11:40 am

Mick Wallace (Wexford, Independent)

10. To ask the Minister for Children and Youth Affairs her views on the fact that no data protection impact assessment or policy was prepared prior to the unveiling of a new information technology system by Tusla, the national child care information system; her further views on whether Tusla is in breach of statutory data protection requirements; if she has communicated these views to Tusla; and if she will make a statement on the matter. [38008/18]

Mick Wallace (Wexford, Independent)

Tusla recently launched its new national child care information system. This new centralised system may well improve quality and efficiency through improved sharing of information, but Tusla has admitted that it did not complete a privacy impact assessment prior to the launch. When asked about this, Tusla responded on one of its social media platforms that a data protection policy would be prepared on this as soon as is practicable. In correspondence with solicitor and privacy rights expert, Rossa McMahon, Tusla stated that a privacy impact assessment, PIA, had been conducted during the project and that a final PIA would be conducted in due course. This is a breach of the general data protection regulation, GDPR, and the Data Protection Act 2018. It also completely ignores the notion of privacy by design which is fundamental to the GDPR.

Is the new centralised IT system live and operational? Was the Minister aware of the absence of a completed data privacy impact assessment prior to its launch?

Katherine Zappone (Dublin South West, Independent)

When the national child care information system, NCCIS, was being developed, Tusla carried out a privacy impact assessment in 2013. This preceded the requirements of the general data protection regulation, GDPR, which came into effect in May of this year. The system was also the subject of design and security considerations prior to its national launch last July. Following the original privacy impact assessment, Tusla is now progressing a data protection impact assessment, in line with best practice. It is hoped to complete this by the end of the year.

The NCCIS is an extremely important technology solution for social workers in child protection and welfare services. The system allows social workers to record the case history of every child who is the subject of a child protection or welfare concern, from the point of referral to case closure. I regard it as a vital part of Tusla's work to protect children.

The NCCIS has the capacity to facilitate the integration and sharing of information on child protection and welfare cases between Tusla areas where appropriate. The development and national roll-out of the NCCIS has enhanced working systems for those working in child protection and welfare services. I am happy to have secured the funding for the introduction of this system.

Tusla is prioritising the progression of its ICT strategy, and the NCCIS is the first step in realising a modern, efficient and integrated service for children and families throughout Ireland. The principle of a data protection impact assessment in the GDPR is for organisations to consider data protection risks in the design of new systems. I am pleased that Tusla is carrying out the assessment at the earliest opportunity but I believe the priority is to ensure the NCCIS is fully operational in order that it can help to protect vulnerable children.

Tusla has advised that future modules of the NCCIS, when developed, will be subject to data protection impact assessments. As part of the training provided on the introduction of the NCCIS, Tusla staff have been trained in the use of safeguards in the system in order that appropriate data security and processing is maintained.

I want to ensure that we meet our obligations under data protection legislation, but I make no apology for prioritising child protection measures. The safety and best interests of children come first.

Mick Wallace (Wexford, Independent)

I realise that the project was in the making before the GDPR came into being, but is Tusla's privacy impact assessment now a box-ticking exercise? Rape Crisis Network Ireland, RCNI, immediately expressed concern at Tusla's statement about the absence of a PIA. The GDPR, and specifically section 76 of the Data Protection Act 2018, refer to data protection by design and by default. Section 35 of the GDPR and section 84 of the Data Protection Act 2018 specifically state that where a type of processing is likely to result in a high risk to rights and freedoms, data controllers should carry out a data protection impact assessment prior to carrying out the processing. Data protection safeguards must be designed into products and services from the earliest days of development.

I point out to the Minister that there are half a million children on these files. One might be forgiven for suspecting that Tusla is not taking this as seriously as the GDPR might recommend.

Katherine Zappone (Dublin South West, Independent)

To be clear, Tusla is not in breach of the GDPR in respect of the NCCIS. This system is fully compliant with the current legislation. The data protection impact assessment currently in progress was started in early 2018 and is due to finish by the end of this month. A total of 12.5 of the 17 Tusla areas were using the NCCIS system in advance of the GDPR coming into effect on 25 May 2018. The remaining 4.5 areas went live over the following two months, with all 17 areas fully live by the end of July 2018. As Deputy Wallace has indicated, a data protection impact assessment is a requirement of the GDPR. Assessments are legally mandatory only for processing operations that were initiated after the GDPR implementation date of 25 May 2018, and are particularly relevant when a new processing technology is introduced. What I am indicating here is that Tusla began a protection impact assessment in early 2018 and this is due to finish by the end of the month.

Is the Deputy seriously suggesting that I put data protection requirements above the vital need to protect children at risk? Tusla began this process in early 2018, prior to the GDPR coming into place. The agency is continuing with this and that is good practice.

Mick Wallace (Wexford, Independent)

It is disingenuous to suggest that I would recommend putting children at risk in any form. Has Tusla learnt anything from the lessons of the HIQA probe that the Minister ordered on its disastrous handling of the allegations made against Sergeant Maurice McCabe?

With regard to the new IT system, Tusla's head of project management stated publicly that the agency intends to keep all the data in the childcare database "in perpetuity", and that it will then work out a new policy and remove data if necessary. The GDPR, however, has a clear storage limitation principle. The same principle applies in any case under the old data protection directive, and under the previous Data Protection Acts 1988 and 2003, that personal data should not be retained longer than is necessary. Can the Minister confirm that personal data that is no longer required will be deleted?

11:50 am

Katherine Zappone (Dublin South West, Independent)

I thank the Deputy. I will put those questions to Tusla or my officials rather than say that I can confirm that now because it is important to be exact and accurate. With due respect, I asked the Deputy the question whether it would be placing the protection of children at risk because that is what he is asking me. In terms of the GDPR I am indicating that they are not in breach and that they began the process of an impact assessment prior to finishing the final and full roll-out of this operational system which will enable the protection of children to be more effective as we move into the future. The way Tusla has responded on this is adequate. At the same time, in light of the HIQA investigation mentioned by the Deputy, serious issues and concerns were identified. The board, the chief executive and I have been working hard to put in place an action plan that will be implemented to ensure that the systems that need to be changed and reformed will be put in place as we move forward.