Written answers
Wednesday, 19 March 2025
Department of Children, Equality, Disability, Integration and Youth
Child and Family Agency
Aidan Farrelly (Kildare North, Social Democrats)
Link to this: Individually | In context | Oireachtas source
1314. To ask the Minister for Children, Equality, Disability, Integration and Youth if she will provide a schedule of fines issued to Tusla in respect of breaching general data protection regulations, by year, from 1 January 2020 to date in 2025; and if she will provide a breakdown by amount, year and breach criteria cited. [10810/25]
Norma Foley (Kerry, Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Thank you Deputy for your question relating to fines Issued to Tusla for Breaches in Data Protection.
See below the schedule of fines issued to the Data Protection Unit paid in 2020 and 2025.
| Year | Fine reference number | Amount of fine | Date of DPC decision | Notice of fine | Breach criteria cited |
|---|---|---|---|---|---|
| 2020 | FN/IN-19-10-1 | €75,000 | 7 April 2020 | 5 November 2020 | Art. 32(1) – Tusla failed to implement a level of security appropriate to the risk presented by its processing of personal data. |
| Art 33(1) – Tusla failed to notify the DPC of a personal data breach without undue delay. | |||||
| 2021 | FN/IN-19-12-8 | €40,000 | 12 May 2020 | 27 April 2021 | Art. 32(1) – Tusla failed to implement a level of security appropriate to the risk presented by its safeguarding letter processing operation. |
| Art. 33(1) – Tusla failed to notify the DPC of a personal data breach without undue delay. | |||||
| FN/IN-18-11-4 | €85,000 | 12 August 2020 | 27 April 2021 | Art. 32(1) – Tusla failed to implement a process for regularly testing the effectiveness of its Record Management Policy and Information Classification and Handling Policy. | |
| Art 32(1) – Tusla failed to implement a level of security appropriate to the risk presented by the internal and external transmission of personal data. | |||||
| Art. 32(1) – Tusla failed to implement appropriate technical measures to ensure a level of security appropriate to the risk presented by its printing and processing operation. | |||||
| Art. 33(1) – Tusla failed to notify the DPC of 8 personal data breaches without undue delay. | |||||
| 2022 | No fines issued | ||||
| 2023 | No fines issued | ||||
| 2024 | No fines issued | ||||
| 2025 | No fines issued |
No comments