Child and Family Agency Brunel Building Heuston South Quarter Dublin 8 corporatefoi@tusla.ie 7th August, 2020 Mr. Ken Foxe Right to Know By email to: Ken@righttoknow.ie FOI Request T53-2020 Decision Dear Mr. Foxe, I refer to your request made under the Freedom of Information Act 2014, on which the scope was clarified by email on 24th June, 2020. Your request sought access to the following; “Copies of all correspondence between Tusla and the Data Protection Commissioner with regard to the imposition of fines following investigations by the DPC. Copies of any briefings/submissions/reports prepared for the board or senior management with regard to fines levied on Tusla by the Data Protection Commissioner This request to cover the period 1 January 2020 to date of receipt of the request.” i.e. 2nd June 2020 Searches for the above records to be undertaken in the following offices within Tusla; • Data Protection Unit, • The Board, • The Office of the CEO At the outset, I wish to apologise for the delay in relation to your request, and wish to thank you for your patience in the matter. I am the decision maker assigned to your request, and I have today decided to part grant your request. The purpose of this letter is to convey my decision which is set-out in the following parts: 1. 2. 3. a schedule of all of the records covered by your request; an explanation of the relevant findings concerning the records to which access is denied, a statement of how you can appeal this decision should you wish to do so. This letter addresses each of these three parts in turn. 1. Schedule of records The attached schedule identifies the records which fall within the scope of your request. It identifies the level of release for each record concerned and refers to the sections of the FOI Act which apply to prevent release where an exemption has been applied. The schedule also refers you to sections of the detailed explanation given under heading 2 below, which is relevant to the record in question. It also provides a summary and overview of the decision as a whole. 2. Findings, particulars and reasons for decisions to deny access The sections of the Act which can apply to deny access to records are known as its exemption provisions. In my decision on your request I have applied the following exemption to certain record entries: 1. 2. 3. 4. Section 29(1)(a) Matters relating to the deliberative process Section 30(1) Functions and negotiations of public bodies Section 31(1)(a) Legal Professional Privilege (Regulatory Privilege) Section 37(1) Personal Information (1) Section 29(1)(a) Deliberative Process - Explained Section 29(1) provides for the discretionary refusal of a request, (a) if the record concerned contains matter relating to the deliberative processes of an FOI body, including opinions, advice, recommendations and the results of consultations considered by the body for the purpose of those processes and (b) the body considers that the granting of the request would be contrary to the public interest. The particular records subject to your request relate to considerations by the DPC concerning the imposition of fines, remedial measures to be implemented and Tusla’s proposed plan to address the concerns raised. Certain matters relating to the fines imposed are also before the Courts. As the records relate to deliberations of both the DPC and Tusla, it is my view that they are covered by the exemption set-out in s29(1)(a) of the FOI Act, 2014. The harm which I envisage would arise from disclosure of the records is harm to the integrity of the investigative process. Notwithstanding that I have found this exemption to apply to the record, I must now advise on my considerations on how granting the request would be contrary to the public interest. In arriving at my decision that this would be the case, I have taken the following factors into account: Findings for the release of the records in the public interest; • • There is a public interest in openness, transparency and accountability in the manner in which public bodies perform their functions. There is a public interest in members of the public exercising their rights under the FOI Act. Findings for protection of the record in the public interest; • Weighing against the public interest in granting access to the records concerned is the strong public interest in preserving the integrity of the DPC’s investigative process by allowing it to be conducted without detailed public scrutiny at all stages of the process including processes relating to considerations by Tusla leading to the detailed responses prepared. • There is a public interest in ensuring that Tusla can implement identified changes effectively and without damage to public confidence. • There is also a public interest in ensuring that the release of information during an investigation does not impact on the willingness and/or ability of the parties to engage in the process. It is well recognised that open and candid exchanges are an important element of ensuring that the principles of fair procedures are followed. • It should be noted that the Oireachtas saw fit to exclude certain records held by the DPC from release under the FOI Act, other than records of administrative nature. It is my view that this exclusion was a recognition that records relating to the core functions of the DPC and its investigative work should be treated as confidential and worthy of a higher level of protection than other non-core related records. Furthermore, I feel that it is unlikely that the Oireachtas intended that a ‘back door’ would be provided to enable the record categories which were unavailable from partially included bodies to be accessible through Freedom of Information from other public bodies as this would run contrary to the public interest. • The ‘public interest’ in openness, transparency and accountability will be addressed by the publication of information relating to investigations at the discretion of the Data Protection Commissioner sometime in the future. It has also been addressed to a certain extent in my decision in the release of some records falling within scope of your request. To conclude, after careful consideration and having regard to the matters setout above, I consider that the release of the record at issue would be contrary to the public interest. (2) Section 30(1) Functions and Negotiations of Public Bodies Explained Section 30(1) of the FOI Act, 2014 is a discretionary exemption which protects certain records relating to the functions of FOI bodies. The functions in particular relate to tests, examinations, investigations, inquiries or audits of FOI bodies (or the procedures or methods used for them) in addition to other management and negotiation functions. This is a ‘harm based’ exemption and the ‘harm’ I envisage which could occur from release would be harm to the review process which is currently taking place to identify new security measures and systems to address findings of the DPC. To this end, it is necessary that Tusla be provided with every opportunity to evaluate appropriate options and arrive at the optimum solution without undue interference. This exemption is subject to a ‘public interest override’ which means that even where the requirements of subsection (1) have been met, the exemption does not apply where the public interest would, on balance, be better served by granting access than by refusing to grant the request. I have set-out my considerations in relation to what I view would best serve the public interest in (1) above and I believe these factors are also relevant in the consideration of this exemption. (3) Section 31(1)(a) Legal Professional Privilege (Regulatory Privilege) - Explained Section 31(1)(a) of the FOI Act is a mandatory exemption for records which attract legal professional privilege. Litigation, investigatory or regulatory privilege applies in respect of any documents brought into being for the dominant purpose of engaging with regulatory and investigative processes. As the records at issue has been brought into effect for this purpose, it is my view that the exemption set out in section 31(1)(a) of the FOI Act also applies. This exemption is not subject to a public interest test or override. (4) Section 37(1) Personal Information – Explained Section 37(1), subject to other provisions of section 37, provides for the mandatory refusal of access to a record containing personal information. Section (37)(1) of the FOI Act states that “An FOI Body shall refuse to grant a request if access to the record concerned would involve the disclosure of personal information relating to an individual other than the requester” The effect of section 37(1) is that a record disclosing personal information relating to a third party or third parties cannot be released to another person, unless one of the other relevant provisions of section 37 applies. Circumstances when the provision outlined within Section 37(1) does not apply. (Section 37(2) Explained) There are some circumstances, provided for at section 37(2), in which the exemption at section 37(1) does not apply. I am satisfied that none of the circumstances identified at section 37(2) arise in this case. That is to say, (a) the information contained in the records does not relate solely to the applicant; (b) the third parties have not consented to the release of their information; (c) the information is not of a kind that is available to the general public; (d) the information at issue does not belong to a class of information which would or might be made available to the general public; and (e) the disclosure of the information is not necessary to avoid a serious and imminent danger to the life or health of an individual. I find that section 37(2) does not apply to the withheld information. Section 37(5) Explained Section 37(5) of the FOI Act states that a request that would fall to be refused under section 37(1) may still be granted where; (a) on balance the public interest that the request should be granted outweighs the right to privacy of the individual to whom the record relates, (b) or the grant of the information would be to the benefit of the person to whom the record relates. Public Interest Considerations Section 37(5)(a) provides for access to the personal information of a third party where the public interest that the request should be granted outweighs the right to privacy of the individual to whom the information relates. I have considered the ‘public interest’ factors which arise in this case and have identified the following: Findings for the release of the records in question; • There is a public interest in openness, transparency and accountability in the manner in which Tusla performs its functions. There is a public interest in members of the public knowing that the information held by public bodies about them, or those they represent is accurate. There is a public interest in members of the public exercising their rights under the FOI Act. • • Findings for protection of information within the records in question; • Weighing against the public interest in granting access to the records concerned is the strong public interest in protecting the right to privacy. The public interest in protecting privacy rights is reflected both in the language of section 37 and in the Long Title to the Act (which makes clear that the release of records under FOI must be consistent with the right to privacy). The right to privacy also has a constitutional dimension in Ireland. I do not consider it appropriate for me to attempt to seek third party consent, therefore I am satisfied that in this case there is little or no advantage to be gained in the release of third party information, and whatever public interest there might be, I do not believe that the release of the withheld information would be to the benefit of the third party concerned. Having regard to all the circumstances, I do not consider that the public interest in this instance in the release of the withheld information out weighs on balance the significant public interest in protecting the rights of the individual to whom the information relates; therefore, Section 37(5) does not apply. In all matters raised above relating to the public interest, I consider that I have satisfied the public interest as regards openness, transparency and accountability in the release of the remainder of the records falling within the scope of your request. 3. Rights of Review If you are unhappy with this decision you may appeal it. In the event that you need to make such an appeal, you can do so by writing to Tusla Corporate Freedom of Information Office, at the address included above. Your correspondence should include a fee of €30 for processing the appeal. This fee is reduced to €10 for a current holder of an Irish Medical Card, documentary evidence required. Payment should be made by way of bank draft, money order, postal order or personal cheque made payable to Tusla. You should make your appeal within 4 weeks from the date of this notification, where a day is defined as a working day excluding, the weekend and public holidays; however, the making of a late appeal may be permitted in appropriate circumstances. The appeal will involve a complete reconsideration of the matter by a more senior member of the staff of this body. Yours sincerely, Theresa Friel Decision Maker Freedom of Information Schedule of Records - Summary of Decision Making FOI Request Reference: T53-2020 File 1; 299 gages Page No. Brief description of Decision Basis for refusal - Other record Exempt under FOI Act 1 Letter dated 7?11 April 2020 Refuse 829(1)(a) Deliberations of Pages have been from DPC to Tusla FOI Bodies removed S30 Functions and Negotiations Legal Professional Privilege 2?23 Data Protection Decision Refuse S29(1)(a) Deliberations of Pages have been dated 7th April, 2020 FOI Bodies removed S30 Functions and Negotiations 831(1) Legal Professional Privilege 24-50 Data Protection Decision Refuse S29(1)(a) Deliberations of Pages have been dated 21st May, 2020 FOI Bodies removed S30 Functions and Negotiations Legal Professional Privilege 51-58 Affidavit Refuse S30(1)(a) Functions and Negotiations Pages have been removed 59-217 Sworn Exhibits Refuse S29(1)(a) Deliberations of FOI Bodies S30 Functions and Negotiations S31(1) Legal Professional Privilege Pages have been removed 218-220 Legal Documents Refuse S31(1)(a) Legal Professional Pages have been Privilege removed 221-222 Letter dated 15th May, 2020 to Tusla Refuse S31(1)(a) Legal Professional Pages have been Privilege removed 223 Email Correspondence Grant N/A 224-246 Duplicates N/A N/A Pages have been removed 247-249 Tusla Board Briefing Document Refuse S29(1)(a) Deliberations of FOI Bodies S30(1)(c) Functions and Negotiations Pages have been removed 250-251 Tusla SMT Briefing Document Refuse S29(1)(a) Deliberations of FOI Bodies S30(1)(c) Functions and Negotiations Pages have been removed 252-259 Tusla CEO Briefing Document Refuse S29(1)(a) Deliberations of FOI Bodies S30(1)(c) Functions and Negotiations Email Correspondence Grant N/A 261-262 Tusla Action Plan Refuse S29(1)(a) Deliberations of FOI Bodies S30(1)(c) Functions and Negotiations Pages have been removed 263-287 Draft Document on Decision Refuse Pages have been removed 288-291 Document for meeting on Grant 13th May, 2020 S29(1)(a) Deliberations of FOI Bodies S30 Functions and Negotiations S31(1) Legal Professional Privilege N/A 292-295 Document for meeting on Refuse 13th May, 2020 S29(1)(a) Deliberations of FOI Bodies S30 Functions and Negotiations Pages have been removed 260 Pages have been removed 296-297 Document for meeting on N/A 13th May, 2020 N/A 298-299 Document for meeting on Grant 13th May, 2020 N/A Not related to request 223 From: To: Cc: Subject: Date: Attachments: Vicky G. Byrne CEO Tusla; Bernard Gloster; Fergus Ocuanachain; Gerard Brophy; Dermot Halpin; Linda Creamer; Aisling.Gillen Pat John Smyth; Cormac Quinlan; Pamela Benson1; Brian Lee1; Alan Breen; Jenny Finnegan; Eleanor Reidy; Laura Slevin; Madeleine Halpin; Sharon Foley; Patricia Finlay; Kim Hayes; Chief Operations; Jim Gibson James Mark Plunkett [On behalf of James Plunkett] - DPC Final Decision, IN-19-10-01 (Confidential, not for onward circulation) Thursday 9 April 2020 12:47:00 07.04.2020 Decision InquiryIN191001 Tusla.pdf image003.png Dear Colleagues, On behalf of James Plunkett and for your information, I enclose correspondence from the Data Protection Commission (DPC) in respect of the ‘3 x breach inquiry’ (ref. IN-19-10-01). The DPC has now made a final decision in respect of this inquiry. In summary, Tusla has been issued with a reprimand and an administrative fine, and has been given until 02 November 2020 to implement the corrective measures as set out in the most recent submission of 02 April 2020. This decision will be discussed in further detail at the next Taskforce meeting, scheduled for Tuesday 14th April. In the meantime, feel free to reach out to James if you have any questions. Kind Regards, Vicky Vicky Byrne GDPR Programme Data Protection Unit 6th Floor, Brunel Building, Heuston South Quarter, Dublin 8 cid:image003.png@01D55F26.EA7E9D60 260 From: To: Cc: Subject: Date: Attachments: Vicky G. Byrne CEO Tusla; Bernard Gloster; Fergus Ocuanachain; Gerard Brophy; Dermot Halpin; Linda Creamer; Aisling.Gillen ; Pat John Smyth; Cormac Quinlan; Pamela Benson1; Brian Lee1; Alan Breen; Jenny Finnegan; Eleanor Reidy; Laura Slevin; Madeleine Halpin; Sharon Foley; Patricia Finlay; Kim Hayes; Chief Operations; Jim Gibson James Mark Plunkett DPC Inquiries - Confidential Wednesday 22 April 2020 09:19:00 Taskforce Action Plan - 14 April 2020 v2.0.xlsx 16.04.2020 DraftDecision Tusla IN-19-12-8.pdf image003.png Tusla Final Inquiry Report IN-18-11-04.pdf Dear Colleagues, On behalf of James Plunkett, please see attached documentation relating to the three DPC inquiries: 1. 2. 3. Revised taskforce action plan relating to the 3 x breach inquiry; Draft DPC decision on the 1 x breach inquiry; and Final Inquiry Report for the 72 x breach inquiry (password to follow). We will be convening the taskforce again in the coming weeks (invite to follow) and will be circulating draft terms of reference for your consideration. Please do not hesitate to contact us if you have any queries in the meantime. Kind Regards, Vicky Vicky Byrne GDPR Programme Data Protection Unit 6th Floor, Brunel Building, Heuston South Quarter, Dublin 8 cid:image003.png@01D55F26.EA7E9D60 288 . AnGhn?nnhaireadumn Lean .111 1guzan?l?ca gm: vh tuhigem Executive Group Meeting 13th May 2020 Final v1.0 Agenda JSLA Item Relevant Documentation Owner Time Outside scope DPC draft decision (circulated Data Protection Commission 22/04/20) Discuss Statutory Inquiries: Draft submission (to be discussed 1 Breach Inquiry Review draft during meeting) submission developed in response to the draft . decision Taskforce action plan (Circulated James Plunkett 2 22/04/20) 45 minutes 3 Breach Inquiry (lN-19-10-01): Briefly discuss the (DPO) status of the Action Plan and agree next steps for updating the DPC. Outside scope Status update (to be discussed during meeting) 290 1 Welcome / Group Terms of Reference • • Brief introduction Review and agree terms of reference 3 Executive Group: Purpose and Terms of Reference The purpose of the Executive Group is to provide a senior level of ownership and accountability for the management of Tusla?s regulatory compliance with the General Data Protection Regulation Data Protection Act 2018; and the Freedom of Information Act 2014. roupExecume The Executive Group drIve Tusla transformation Journey Terms of Reference towards GDPR and FOI compliance by: ?0'0??meMammals? v12 :7 Decevrcriow include DPC TORs Amended 1'0 wed _01 May 2020 Providing decision making in a timely and effective manner to ensure that o_mAmobeoppr? the Programme meets its planned objectives and delivers expected benefits prioritisation of DPIAs and Addressing any risks and issues that have been escalated to, or identified by, the forum; Providing overall direction for the Programme to ensure it is aligned to the overarching corporate strategy and objectives; Ensuring ownership and accountability for GDPR and FOI compliance across the Agency and its Service Areas and Functional Units; and, if? Providing a layer of senior ownership and governance to the management and delivery of DPC inquiry action plans, and to the remediation of systemic issues identified by the regulator relating to data protection risk and issues in Tusla. med v2. Revised TORs [Revised TOR to be approved. Original version approved by SMT on 11th December 2019] Executive Group Decisions Required Approve revised ToRs, which now include the DPC Taskforce element. 4 Wrap Up Next Steps Wrapigtp Next Steps Minutes documentation to be circulated this week. DPC submission to be issued on Friday, 15 May 2020. Board update 29 May 2020 (TBC) documentation to be circulated to the Exec. Group. Next Exec. Group Meeting 09 June 2020. 12 Freedom of Information Schedule of Records - Summary of Decision Making FOI Request Reference: T53-2020 File 2; 36 gages Page No. Brief description of Decision Basis for refusal - Other record Exempt under FOI Act 1-5 CEO Report to Board of Granted where in Tusla 24th April, 2020 scope of request 6-7 Email Correspondence 13th Grant April, 2020 8-30 Duplicates 31-36 Tusla?s Submission dated Refused where in 829(1) Deliberations of FOI 2nd April, 2020 scope of request Bodies JSLA An Ghniomhaireacht um Leanal' agus an Teaghlach Child and Family Agency CEO Report to Boa rd of TUSLA April 24th, 2020 Not Relevant to Request 2 Not Relevant to Request Data Protection The matters are set out in more detail in the report of the Board sub committee (OD). Specific attention is drawn here to the first formal decision of the DPC in one of the three investigations previously advised to the Board. The significant points of note of this decision are the penalty stated (€75,000.00) and the timeline for compliance of the matters raised (November2020). The sub committee was briefed in early 2020 on the updated position of the GDPR programme introduced in 2018 and in April 2020 on the most recent issue (DPC formal decision on one of the three investigations – ‘3 Breach). The Board will be aware of two further and I understand imminent formal decisions (‘1 breach’ and ’72 breach’). While a task force across the organisation has been established to pursue the implementation agenda, I remain concerned at capacity and ability in respect of achievement. In addition to the ongoing work of the programme I am currently expediting several actions which will involve my own direct input at significant levels. These include (not exhaustive); x x x Review of the GDPR overall programme to identify the immediate components which are to be pursued in focused and measurable actions. Resourcing of key actions in the ultimate ‘owner’, the operational systems to include redirecting several internal resources and personnel from single Directorate focus to the collective achievement of the actions (This will be consistent but ahead of the overall structure reform intentions). Redirecting with some limited expansion of the previously approved resource contract (PWC) including the risk assessment on current NCCIS, preparation for the DPIA in design of the next generation NCCIS and the broader action plan for compliance with the DPC requirements. Not Relevant to Request 2 6 From: To: Subject: Date: Attachments: Bernard Gloster Kay Keilthy; Emma Dodrill FW: [On behalf of James Plunkett] - DPC Final Decision, IN-19-10-01 (Confidential, not for onward circulation) Monday 13 April 2020 13:27:33 07.04.2020 Decision InquiryIN191001 Tusla.pdf image001.png Kay Please issue attached and below to the O D Committee as follows cc Chair and myself Dear Paul I am writing to you and the OD committee following my discussions with the Chair of the Board. I attach for OD committee notice and consideration the decision of the ‘3 breach’ investigation by the Data Protection Commission. The details are as previously advised in the following processes; CEO report to the Board of three investigations by DPC of ‘1 breach’ ’72 breaches’ and ‘3 breaches’ the latter referred to here. Executive attendance at OD sub committee regarding the proposed action plans and corrective measures in respect of the three investigations (noting the 1 and 72 breach investigations are also nearing DPC final decision. Media response to the aforementioned three investigations following the DPC 2019 annual report publication several weeks ago in which she referenced the three investigations (CEO RTE Radio 1 This Week February 23rd) There are two aspects of the decision of particular relevance Compliance by November 2020 Fine €75,000.00 I have instructed the executive that we will not appeal the decision of this investigation having regard to; All matters we might submit in appeal have already been provided to DPC The fine sanction has already been reduced on mitigation The organisation is not in a position where any such appeal would likely succeed at this time. The commissioner has recognised our efforts and plans and the bona fides attaching to those. I would be grateful if the sub committee would review the decision and if required I am available with the relevant executive to meet by conference call and / or Your advice to the Chair re process of further briefing the wider Board on this decision and issues arising. 7 For note I have actioned the following A meeting of the internal Task Force on implementation of the developed action plans in respect of all three investigations however I view this as one total action plan as distinct from individual reports. I have concerns about expectation on achievability of all desirable actions from an implmenetation perspective due to organisational capacity and other significant competing statutory requirements and risk issues. A consideration of the issues arising in the overall risk approach of the organisation. A further communication plan as decisions arise in the public domain however our main position on this is already known ref the aforementioned RTE programme. I am available to discuss at any time. Kind regards Bernard Gloster Chief Executive Urláir 2-5, Foirgneamh Brunel, An Ceantar Theas, Baile Átha Cliath 8 Floors 2-5, Brunel Building, Heuston South Quarter, Dublin 8 info@tusla.ie TUSUA An Ghniomhaircucht um Leanai agus an Teaghlach Child and Tusla?s Submission on the Draft Decision for Inquiry Ref: Final V1.0I 02.04.2020 [Strict/y Confidential] 32 Confidential Contents Not Part of Request 4. Administrative Fine .............................................................................................................................. 6 Not Part of Request 2 Page 02/04/2020 Freedom of Information Schedule of Records - Summary of Decision Making FOI Request Reference: T53-2020 File 3; 154 pages Page No. Brief description of Decision Basis for refusal - Other record Exempt under FOI Act 1-2 Email Correspondence Part Grant Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations 3-4 Report to the Board dated Part Grant Section 29(1)(a) 21St April, 2020 Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations 5-7 Email Correspondences Part Grant Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 8 Duplicate Page has been removed 9-10 Board Summary Sheet dated 24th April, 2020 Part Grant Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations 11-17 Board Briefing Part Grant Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations Section 37(1) Personal Information 18-23 Tusla Submission to DPC Part Grant Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 24-28 Board Minutes 29-34 CEO Briefing 24.03.2020 Part Grant 35-36 Outside of Scope N/A 37-41 Email Correspondences Grant Granted where in scope of the request Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations Section 37(1) Personal Information N/A Pages have been removed N/A 42-43 Letter from DPC dated 30th April, 2020 Refuse 44-45 Email Correspondence dated 8th April, 2020 Granted where in scope of request 46 Email Correspondence dated 22nd May, 2020 Grant N/A 47-73 DPC Decision dated 21st May, 2020 Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 74-78 Meeting minutes 13th May, Part Grant 2020 Section 29(1)(a) Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations 79-87 Tusla Submission Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege N/A 88-112 DPC Draft Document Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 113-118 Tusla Submission Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 119-120 Duplicate N/A N/A 121-125 Report to Board, 24th April Part Granted where in Section 29(1)(a) 2020 scope of request Deliberations of FOI Bodies Section 30(1)(a) Functions and Negotiations 126-132 Tusla Submission Draft Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege 133-154 DPC Draft Document Refuse Section 29(1)(a) Pages have been Deliberations of FOI Bodies removed Section 30(1)(a) Functions and Negotiations Section 31(1)(a) Legal Professional Privilege Pages have been removed 1 From: To: Cc: Subject: Date: Attachments: Bernard Gloster Kay Keilthy CEO Tusla FW: DPC Submission - final review Monday 25 May 2020 10:12:00 image001.png 21.05.2020 Decision InquiryIN19128 Tusla.pdf image001.png image004.jpg For Onward Attention of Board Members – Child & Family Agency Dear Colleagues I refer to ongoing briefings in respect of GDPR and associated issues. I refer to three investigations ‘one breach ‘three breach’ and ‘seventy two breach’ being conducted by the DPC in respect of the Agency. I refer to previous where the ‘three breach’ resulted in a fine of €75,000.00. s29(1)(a) Deliberations of Public Bodies, s30(1)(a) The fine issue appeared in media reports on the evening following the submission of papers by the DPC to the Court (weekend 15th May. I now attach the decision of the DPC received on 21st in respect of the ‘one breach’. Unlike the previous decision this matter appeared in media reports on the following day (i.e. without the 28 day appeal period passing as in the first decision). It is possible Board members may have seen these media references. s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations . s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations I will further address these matters at the Board meeting of May 29th next. Regards Bernard Bernard Gloster Chief Executive Url?ir 2-5, Foirgneamh Brunel, An Ceantar Theas, Baile Atha Cliath 8 Floors 2-5 Brunel Buildin Heuston South Quarter, Dublin 8 ?w 3 CEO Summary Report to ODC Sub Committee of the Board of TUSLA April 21st, 2020 Introduction: This is the CEO cover note of the detailed report attached from Tusla Corporate services specific to the following; 1. DPC Decision ‘3 Breach Inquiry’ 2. DPC Pending Decisions ‘1 Breach’ Outside 3. GDPR Programme Contextualised. scope Purpose: The Corporate services report is a follow on from discussions at the sub committee of the Board April 17th and previous meetings. CEO Commentary: The CEO has articulated to the Board previously the overarching concerns in respect of these matters. Now that the first formal decision of the DPC is recorded the following is of note; x x Financial Sanction Fine €75,000.00 Compliance November 2020 s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations Data Protection The matters are set out in more detail in the report of the Board sub committee (OD). Specific attention is drawn here to the first formal decision of the DPC in one of the three investigations previously advised to the Board. The significant points of note of this decision are the penalty stated (€75,000.00) and the timeline for compliance of the matters raised (November2020). 1 4 The sub committee was briefed in early 2020 on the updated position of the GDPR programme introduced in 2018 and in April 2020 on the most recent issue (DPC formal decision on one of the three investigations – ‘3 Breach). The Board will be aware of two further and I understand imminent formal decisions (‘1 breach’ Outside scope ’). While a task force across the organisation has been established to pursue the implementation agenda, I remain concerned at capacity and ability in respect of achievement. In addition to the ongoing work of the programme I am currently expediting several actions which will involve my own direct input at significant levels. These include (not exhaustive); x Review of the GDPR overall programme to identify the immediate components which are to be pursued in focused and measurable actions s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations Bernard Gloster Chief Executive Officer 2 5 From: To: Cc: Subject: Date: Attachments: Importance: Laura Slevin Bernard Gloster; James Mark Plunkett CEO Tusla; Marian Walsh RE: Final Decision: 3 x Breach Inquiry (ref. IN-19-10-01), Wednesday 8 April 2020 11:04:29 image005.png image006.png image007.jpg image008.png image009.png High Bernard, A letter will issue as outlined. We will revert on an earlier date for Taskforce Meeting. Kind regards, Laura Laura Slevin Director of Corporate Services TUSLA Child & Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 Tel: 01 cid:image003.png@01D5A5CF.4F6C0430 From: Bernard Gloster Sent: Wednesday 8 April 2020 10:17 To: James Mark Plunkett ; Laura Slevin Cc: CEO Tusla Subject: FW: Final Decision: 3 x Breach Inquiry (ref. IN-19-10-01), James Laura I would appreciate if you would write to the DPC and confirm that you are authorised by me as follows; s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations, s31(1)(a) Legal Professional Privilege A and are requests in the public interest and it is noted that the DPC has independence and will ultimately determine and this will be respected. Bernard Bernard Gloster Chief Executive Url?ir 2-5, Foirgneamh Brunel, An Ceantar Theas, Bajle Atha Cliath 8 Floors 2'5, Buildin Heuston South Quarter, Dublin 8 From: James Mark Plunkett? Sent: Wednesday 8 April 2020 07:57 To: Bernard Gloster Subject: Final Decision: 3 Breach Inquiry (ref. Dear Bernard, Please find enclosed the Data Protection Commission (the Final Decision regarding the 3 Breach Inquiry (ref. issued by Ms. Dixon yesterday, 07 April 2020. I am in the process of preparing a formal brie?ng note on this (for yourself, Board, SLT etc.), however in summary, Tusla has been issued with a reprimand; a ?75,000 administrative fine; and has been given until 02 November 2020 to implement the corrective measures as set out in our most recent submission of 02 April 2020 to the DPC. I am proposing to convene the DPC taskforce (via conference call) on Tuesday let April 2020 to discuss this and a number of other key matters relating to DPC inquires. I will engage with Madeleine regarding your availability for the let and I will propose an alternative if you are not available. I will circulate other relevant documents to yourself and the group closer to the time. For now, the purpose of the meeting is to: a) Discuss the outcome of the 3 breach inquiry and agree next steps in terms of the fine, corrective measures and communications; b) Brief the taskforce on the DPC Final Report for the 1 breach inquiry (ref. IN-19-12-08) and outline next steps in terms of the inquiry process; omoescope Many thanks James James Plunkett Data Protection Of?cer TUSLA Child Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 D60 TUSLA BOARD Paper Smnmary Sheet Agenda Item: Report Title: Board Brie?ng on DPC Final Inquiry s. 110 209 Decision [three breach inquiry] Responsible Executive: James thkett, Data Protection Of?cer Laura Slevin, Director of Corporate Services Presenter: Bernard Gloster, Chief Executive Of?cer Board Meeting Date: Friday, 24th April 2020 Decision Required 1. On the recommendation of the CEO and OD Committee, the Board accepts the Data Protection Commission Final Inquiry 5.110 209 Decision [three breach inquiry] i.e. Tusla will comply with both the reprimand fine and the compliance timeline set out. Tusla waives its right of appeal in respect of the aforementioned decision. 0 Tusla notes two other inquiries 1 breach Outside scope nearing ?nal decision and would respectfully request the DPC to comprehend the individual decisions in one wider context the 329(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations 2. The Board notes the [three breach inquiry] project plan, associated risks and mitigations at Appendix and notes that this is subject to further implementation actions expected in the coming days pending ?nalisation by the CEO, in the context of the wider Programme. Board Action Required For Decision: I For Information/Discussion: I Information to Note: Tusla Board Committee Schedule Work Plan Report Descriptor: The purpose of this report is to provide a brie?ng to the Board on the Data Protection Commission Final Inquiry 5.110 209 Decision [three breach inquiry] and Tusla?s plan to implement the DPC recommendations and findings by November 2020 Outside scope The paper is accompanied by appendices provided to the ODC. Presented to Originating Committee: Next Steps: CEO or SMT: 0 Audit Risk Committee 0 Subsequent Approval by Minister Date: . . . Serv1ce Quallty 0 Approval by PER Org Development Committee IZI Strategy Implications Strategic Objective 6 How is this aligned to Tusla?s agreed strategic and Business Plan 2020 reference 6222 business plans (State Section) Financial Implications No additional cost in respect of the speci?c three Explain implications of breach inquiry programme of work but anticipated additional cost expected for broader Programme as a consequence of de?cits in implementation capacity within current organisational structure. Three breach inquiry programme of work supported by internal DPU resources and external third party on a drawdown basis from contract for Page 1 of 9 OD Committee Bn'e?ng v0.4 Final 21.04. 2020. doc 10 ?Provision of Specialist Services to support the Implementation of Tusla?s GDPR Programme (Phase 2) - HSE 12483 Risk Analysis Management Major risks associated with the proposal and explain how these risks will be managed See Appendix for detailed project plan [three breach inquiry] and associated risks and mitigations. Legal and Compliance Outline any legal implications of the proposal If Tusla does not implement the ?ndings of the Data Protection Commission [three breach inquiry] Decision by November 2020 there is a risk that the DPC will exercise any of its investigative, corrective or enforcement powers provided for under the Data Protection Act 2018 including and not limited to a restriction of processing. Reputational Public Con?dence Is communications response required? Communications already commenced (ref CEO RTE Radio 1 This Week February 23rd). Likely signi?cant public interest in the DPC decision of three breach inquiry and two other inquiries when decisions issued. Review arrangements Outline what KPIs and/or reporting back to the Board will occur during and after implementation Progress report on Programme implementation of which DPC inquiries are a work stream actioned through the following governance sequence: - 1. DPC Inquiries Taskforce which currently has a single item focus i.e. the DPC inquiries, [responsible for implementation], chaired by 2. OD Committee; and 3. Board Page 2 of 9 OD Committee Brie?ng v0.4 Final 21.04. 2020. doc s37 11 Board Brie?ng on DPC Final Inquiry s. 110 209 Decision [three breach inquiry] 24 APRIL 2020 1. Purpose The purpose of this report is to provide a briefing to the Board on the Data Protection Commission Final Inquiry 5.110 209 Decision [three breach inquiry] and Tusla?s plan to implement the DPC recommendations and ?ndings by November 2020 Outside 2. Executive Summary 2.1 DPC Statutory Inquiries As noted in previous brie?ng document supplied to the OD Committee on 20 February 2020 and Board on 27 February 2020 (Appendix A), there are currently three statutory inquiries underway in Tusla which are being led by the DPC. These are: . 5.110 Inquiry 2019.a ?3 breach inquiry? and supporting documentation (Ref. lN-19-10- 01) . Outside scope 5.110 Inquiry 2019b ?1 breach inquiry? (Ref. IN-19-12-O8) 2. 1.1. s. 1 10 Inquiry 2019.a ?3 breach inquiry? (Ref. lN-19-10-01) (substantive matter for purpose of this Board briefing) 3 breach inquiry Background: This inquiry relates to 3 personal data breaches which were notified by Tusla to the DPC between 20 February and 28 May 2019. Each of the breaches in scope of this inquiry involved an accidental disclosure of personal data to a third party. The DPC commenced this inquiry in October 2019, and the scope relates to the security of personal data and the data breach notification process in Tusla. Synopsis of the Data Breaches: 1) Personal Information, 529(1)(a) Deliberations of Public Bodies, 530(1)(a) Functions and Negotiations Page 3 of 9 OD Committee Brie?ng v0.4 Final 21.04. 2020. doc 12 s37(1) Personal Information, 529(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations Appendix B: DPC Final Inquiry Report 26 February 2020 Appendix C: Tusla Action Plan 02 April 2020 Appendix D: DPC Final Decision 07 April 2020 Appendix E: Tusla Detailed Project Plan and associated risks and mitigations for Inquiry Inquiry Status I Outcome: The DPC concluded its investigation and issued a ?nal inquiry report to Tusla on 26 February 2020 (Appendix B). Tusla subsequently submitted an action plan (Appendix C) to the DPC outlining the remedial actions which would be implemented to address the issues identi?ed through this inquiry. The DPC then issued its ?nal decision to Tusla on 07 April 2020 (Appendix D) which included a reprimand, corrective measures (to be implemented by November 2020) and an administrative ?ne of ?75,000. The three signi?cant emerging themes are:- . Policy development and implementation; . Process specific data privacy training; and . Management oversight. Activity Progress to Date: 0 Tusla?s Taskforce?, chaired by the CEO (the ?taskforce?) was reconvened in January 2020 to manage the actions arising from DPC statutory inquiries. A detailed project plan, associated risks and mitigations was subsequently developed (Appendix E) and a programme manager has been assigned to oversee the work of the taskforce in completing their assigned actions. Page 4 of 9 OD Committee Brie?ng v0.4 Final 21.04. 2020. doc 14 2.1.3. 5.110 Inquiry 2019.b ?1 breach inquiry? (Ref. IN-19-12-08) 1 breach inquiry Background: This inquiry relates to 1 personal data breach which was noti?ed by Tusla to the DPC on 04 November 2019. This breach involved an accidental disclosure of personal data to a third party. The DPC commenced this inquiry in December 2019, and the scope relates to the security of personal data and the data breach noti?cation process in Tusla. Synopsis of the Data Breach: s37(1) Personal Information, 329(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations The breach however was not noti?ed to Tusla?s DPU until 31 October 2019 following the receipt and investigation of a complaint from the affected data subjects. Tusla subsequently notified the DPC of the breach on 04 November 2019, over eight months passed the statutory timeframe. Supporting Documentation: . Appendix H: DPC Final Inquiry Report 26 March 2020 . Appendix I: DPC Draft Decision 17 April 2020 Inquiry Status I Outcome: The DPC concluded its investigation and issued a ?nal inquiry report to Tusla on 26 March 2020 (Appendix H). The taskforce reviewed this report in the context of the other inquiry action plans, as well as the work underway with the Child Abuse Substantiation Procedures (CASP). The DPC then issued a draft decision to Tusla on 17 April 2020 (Appendix I). Next Steps - Tusla must now prepare a final submission on this inquiry by 07 May 2020, which will include a remediation action plan to rectify the issues identi?ed in this inquiry. This action plan will be considered by the DPC decision maker as a mitigating factor and will assist the DPC in determining the corrective measures and ?nes to be applied for this inquiry. Activityl Progress to Date: . The Taskforce has reviewed this inquiry report in the context of the other inquiry action plans and has identi?ed provisional remedial actions owners timelines for the systemic issues identified. . A programme manager has been assigned to oversee the work of the taskforce and to support them in ?nalising the detailed project plan for each of the remedial actions relating to this inquiry. 629(1'iial Dellbefm (1 MR: 50GB. 630(1k?al FM NW5 Page 6 of 9 OD Committee Brie?ng v0.4 Final 21.04. 2020. doc 17 4. Appendices Appendices supplied to the 0D Committee in support of this report. Appendix A OD Committee brie?ng 20 February 2020 Appendix B: DPC Final Inquiry Report 26 February 2020 (password required) Appendix C: Tusla Action Plan 02 April 2020 Appendix D: DPC Final Decision - 07 April 2020 Appendix E: Tusla Detailed Project Plan, associated risks and mitigations for Inquiry Appendix F: DPC Draft Inquiry Report 17 January 2020 (password required) Appendix G: Tusla Draft Action Plan 28 February 2020 Appendix H: DPC Final Inquiry Report 26 March 2020 (password required) Appendix I: DPC Draft Decision 17 April 2020 JAMES PLUNKETT DATA PROTECTION OFFICER 20 APRIL 2020 LAURA SLEVIN DIRECTOR OF CORPORATE SERVICES 20 APRIL 2020 Page 9 of 9 OD Committee Brie?ng v0.4 Final 21.04. 2020. doc 24 An Ghniomhaireacht um Leanai agus an Teaghlach Child and Family Agency CHILD AND FAMILY AGENCY MINUTES OF BOARD MEETING HELD ON FRIDAY 29 May 2020 Via Video Conference Attendance Name Initials Role Present Pat Rabbitte Chair PR Chairperson Present Anne O?Gara AOG Deputy Chair Present Charles Watchorn CW Board Member Present Liam Irwin LI Board Member Present Deirdre Kiely DK Board Member Present Avril McDernlott Board Member Present Paul White PW Board Member/ Chair of ODC Present Sean Holland SH Board Member/ Chair of SQC Present Patricia Dollerty PD Board Member In Bernard Gloster Chief Executive Attendance Pat Director of Finance In part Cormac Quinlan Director of Policy Transformation Kim Hayes Interim Director of HR Emma Dodrill Board Administrator Kay Keilthy Board Secretary SIGNED: DATE: CHAIRPERSON 26 3.3 The CEO advised the Board that the second of three investigations, ?one breach? investigation, had now been determined by the DPC and a reduced ?ne of ?45,000 imposed. Outside scope 3.4mm Outside scope 29 CEO Briefing Data Protection Unit Current Priorities DRAFT v0.3 24.03.2020 30 DRAFT, In Confidence Introduction The purpose of this document is to provide a briefing to the CEO on some priorities underway in the Data Protection Unit at present, including: 1. 2. 3. 4. DPC Statutory Inquiries NCCIS Security Risk Assessment Data Breaches Subject Access Requests This document is intended for internal use only and should not be circulated for further use. 2 P age 24/03/2020 31 DRAFT, In Confidence 1. DPC Statutory Inquiries As noted in the CEO update of 20 January 2020, there are currently three inquiries underway in Tusla which are being led by the Data Protection Commission (DPC). These are: Outside scope 2. 3. s.110 Inquiry 2019.a (3 x personal data breaches) IN-19-10-01 s.110 Inquiry 2019.b (1 x personal data breach) IN-19-12-08 Outside scope Outside scope . 3 P age 24/03/2020 32 DRAFT, In Confidence 1.2. s.110 Inquiry 2019.a (3 x Breaches 1) IN-19-10-01 Background: 3 x personal data breaches were notified by Tusla to the DPC between 20th February and 28th May 2019, each of which concerned a disclosure personal data to a third party. The DPC subsequently notified Tusla on 24th October 2019 that an inquiry was being launched in this regard. Inquiry Status Action to date: x 28 November 2019 – DPC authorised officers concluded their investigation and issued Tusla with a ‘Draft Inquiry Report’. x 21 January 2020 – Tusla submitted a response regarding the ‘Draft Inquiry Report’. x 14 February 2020 - DPC issued follow up queries to Tusla in relation to the measures which were in place, at the time of the breaches notified, to comply with Article 32 GDPR and by reference to the principle set down in Article 5(1)(f) GDPR. x 21 February 2020 - Tusla submitted a second response regarding the Draft Inquiry Report and to answer the DPC questions posed on 14 February 2020. x 26 February 2020 – DPC investigator issued the ‘Final Inquiry Report’ to Tusla and to the DPC independent decision maker. x 09 March 2020 – Tusla issued a letter to the DPC requesting clarification on some elements of the Final Inquiry Report and the procedures for the decision making stage of the inquiry. DPC responded to these on 11 March 2020. x 12 March 2020 – DPC independent decision maker issued a ‘Draft Decision’ to Tusla which outlines the DPC provisional view of (i) whether or not an infringement has occurred/is occurring; and (ii) a proposal in respect of corrective powers. Next Steps: x Tusla has a final opportunity to make a submission on the provisional views set out in the Draft Decision and comment on the proposed range for the administrative fine. A deadline of 02 April 2020 has been set by the DPC for this. x The DPC will consider Tusla’s submission and will issue a Final Decision pursuant to Section 111 of the Data Protection Act, 2018. 1.3. s.110 Inquiry 2019.b (1 x Breach) IN-19-12-08 Background: 1 x personal data breach was notified by Tusla to the DPC on 4th November 2019 which concerned a disclosure personal data to a third party. The DPC subsequently notified Tusla on 11th December 2019 that an inquiry was being launched in this regard. Inquiry Status Action to date: x 24 January 2020 – DPC authorised officers concluded their investigation and issued Tusla with a ‘Draft Inquiry Report’. x 21 February 2020 – Tusla submitted a response regarding the ‘Draft Inquiry Report’. x 24 February 2020 - DPC issued follow up queries to Tusla in relation to the measures which were in place, at the time of the breaches notified, to comply with Article 32 GDPR and by reference to the principle set down in Article 5(1)(f) GDPR. 11 Note: This inquiry includes s37(1) Personal Information 4 P age 24/03/2020 33 . JS DRAFT, In Confidence Child and Mun) 02 March 2020 - Tusla submitted a second response regarding the ?Draft Inquiry Report? and to answer the DPC questions posed on 24 February 2020. Next Steps: 0 The DPC will consider Tusla?s submission and prepare the ?Final Inquiry Report?. This will be furnished to the independent decision maker in the DPC who will ascertain a) if an infringement has/has not occurred; b) an appropriate corrective power to apply; and c) whether an administrative fine should be issued. 0 The DPC independent decision maker will issue a ?Draft Decision? to Tusla which will outline the DPC provisional view of whether or not an infringement has occurred/is occurring; and (ii) a proposal in respect of corrective powers. 0 Tusla will have a final opportunity to make a submission on the provisional views set out in the Draft Decision. 0 The DPC will consider Tusla's submission and will issue a Final Decision pursuant to Section 111 of the Data Protection Act, 2018. 1.4. Statutory Powers of the DPC For all three inquiries, the DPC may utilise its statutory powers for the purposes of sections 124(3) and 125(3) of the Data Protection Act, which are to: 0 issue a warning that the intended data processing is likely to infringe a relevant provision; 0 issue a reprimand where data processing has infringed a relevant provision; 0 order Tusla to bring processing into compliance with a relevant provision, in a specified manner and within a specified period; 0 impose a temporary or definitive limitation, including a ban on processing; 0 impose a restriction on processing; and/or 0 issue an enforcement notice. Should Tusla fail to comply with an enforcement notice without reasonable excuse, it shall be guilty of an offence and shall be liable - on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or (ii) on conviction on indictment, to a fine not exceeding ?250,000 or imprisonment for a term not exceeding 5 years or both. 1.5. DPC Statutory Inquiries - Conclusion 329(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations 529(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations 5 Page 24/03/2020 37 From: To: Cc: Subject: Date: Attachments: Importance: James Mark Plunkett Laura Slevin; Bernard Gloster Vicky G. Byrne FW: Final Decision - Inquiry IN-19-10-01 Thursday 30 April 2020 17:34:11 image002.png image003.png image004.png IN-19-10-01_LtOut_BernardGloster_30.04.2020.pdf image007.png image008.png High Dear Bernard, Please see the attached correspondence I received from Ms Helen Dixon in response to the correspondence I issued on your behalf this morning. Let me know if you require anything further. Many thanks James James Plunkett Data Protection Officer TUSLA Child & Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 cid:image002.png@01D59FAB.D52651E0 cid:image003.png@01D55F26.EA7E9D60 From: Cian X. O'Brien Sent: Thursday 30 April 2020 15:16 To: James Mark Plunkett Cc: Helen X. Dixon Subject: RE: Final Decision - Inquiry IN-19-10-01 Dear James, Please find attached the Commissioner’s response to Mr Gloster’s correspondence. Kind Regards, Cian From: James Mark Plunkett Sent: Thursday 30 April 2020 11:42 To: Cian X. O'Brien Subject: RE: Final Decision - Inquiry IN-19-10-01 38 Dear Cian, Please see attached correspondence from Mr Bernard Gloster, Chief Executive, Tusla, Child and Family Agency in respect of IN-19-10-01. Many thanks James James Plunkett Data Protection Officer TUSLA Child Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 Sent: Thursday 9 April 2020 16:31 To:James Mark Plunkett? Subject: RE: Final Decision Inquiry lN?19?10-01 Hi James, Many thanks for confirming. Have a nice Easter. Kind Regards, Cian From: James Mark Plunkett? Sent: Thursday 9 April 2020 16:19 Datacmroner? Cc: Helen x. Dixon? Subject: RE: Final Decision Inquiry lN-19-lO-01 Hi Cian, I can con?rm I have received the registered letter. I will review and revert in the coming days. Happy Easter to all in DPC. Many thanks James 39 James Plunkett Data Protection Officer TUSLA Child Family Agency Floor 4, Brunei Building Heuston South Quarter Dublin 8 nonconxonnon? Sent: Tuesday 7 April 2020 12:36 To: oonoo Mono Plonkono? Conoouon? coonoonxonon? Subject: Final Decision - Inquiry IN-19-10-01 Dear Mr Plunkett, Please find attached the Commissioner?s final Decision in this Inquiry. This Decision is also being issued by Registered Post today. I wonder if you could please confirm receipt of the registered post copy when it is received by Tusla? Kind Regards, Cian Legal Researcher An Coimisii'in um Chosainf Sonrai Legal Unit (Decisions and Con?ective 21 Cearn?g I\,Ihic Liam, BAC 2, Powers) D02 RD28, Eireann. Data Protection Commission 21 Fitzwilliam Square. Dublin 2. ?mm: ataprotectionJe D02 RD28, Ireland Is le haghaidh an duine 116 an eintitis a1' a blifuil si dii?ithe. agus le haghaidh an duine 116 an eintitis sin amhain. a bheaitaitear an ?iaisn?is a tarchuircadh agus f?adfaidh s? go blifuil abhar faoi n'm agus/no faoi phiibhl?id inti. Toiimisctear aon athbhi?eithnil'l. atarchur no leathadh a dh?anamh ar an bhfaisn?is seo. aon i'lsaid eile a bhaint aisti no aon glmiomh a dh?anamh at a hiontaoibh. ag daoine 116 ag eintitis seachas an faighteoir beai?taithe. Ma fuair t1'1 seo tn' dheaimad. t?igh i dteagmhail leis an seoltoir. 16 do thoil. agus sc1ios an t-abhar as aon riomhaii?e. Is beams 11a Roiime Dli agus Ciit agus omhionamiais. na IIOi?gi seirbhisi T131131 Roiime 40 seoladh ábhair cholúil a dhícheadú. Más rud é go measann tú gur ábhar colúil atá san ábhar atá sa teachtaireacht seo is ceart duit dul i dteagmháil leis an seoltóir láithreach agus le mailminder[ag]justice.ie chomh maith. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. It is the policy of the Department of Justice and Equality and the Agencies and Offices using its IT services to disallow the sending of offensive material. Should you consider that the material contained in this message is offensive you should contact the sender immediately and also mailminder[at]justice.ie. ********************************************************************************** .................................................... When we go through tough time, little things like talking about our problems, getting regular exercise, drinking less alcohol and being involved in activities we enjoy can make a big difference to how we feel. Find the little things that work for you at yourmentalhealth.ie "Tá an fhaisnéis sa ríomhphost seo (ceangaltáin san áireamh) faoi rún. Baineann sé leis an té ar seoladh chuige amháin agus tá sé ar intinn go bhfaighfidh siadsan amháin é agus gurb iadsan amháin a dhéanfaidh breithniú air. Más rud é nach tusa an duine ar leis é, tá cosc iomlán ar aon fhaisnéis atá ann, a úsáid, a chraobhscaoileadh, a scaipeadh, a nochtadh, a fhoilsiú, ná a chóipeáil . Seains gurb iad tuairimí pearsanta an údar atá san ríomhphost agus nach tuairimí FSS iad. Má fuair tú an ríomhphost seo trí dhearmad, bheadh muid buíoch dá gcuirfeá in iúil don Deasc Seirbhísí ECT ar an nguthán ag +353 1 6352757 nó ar an ríomhphost chuig service.desk@hse.ie agus ansin glan an ríomhphost seo ded' chóras." "Information in this email (including attachments) is confidential. It is intended for receipt and consideration only by the intended recipient. If you are not an addressee or intended recipient, any use, dissemination, distribution, disclosure, publication or copying of information contained in his email is strictly prohibited. Opinions expressed in this email may be personal to the author and are not necessarily the opinions of the HSE. If this email has been received by you in error we would be grateful if you could immediately notify the ICT Service Desk by telephone at +353 1 6352757 or by email to service.desk@hse.ie and thereafter delete his e-mail from your system" ********************************************************************************** Is le haghaidh an duine nó an eintitis ar a bhfuil sí dírithe, agus le haghaidh an duine nó an eintitis sin amháin, a bheartaítear an fhaisnéis a tarchuireadh agus féadfaidh sé go bhfuil ábhar faoi rún agus/nó faoi phribhléid inti. Toirmisctear aon athbhreithniú, atarchur nó leathadh a dhéanamh ar an bhfaisnéis seo, aon úsáid eile a bhaint aisti nó aon ghníomh a dhéanamh ar a hiontaoibh, ag daoine nó ag eintitis seachas an faighteoir beartaithe. Má fuair tú é seo trí dhearmad, téigh i dteagmháil leis an seoltóir, le do thoil, agus scrios an t-ábhar as aon ríomhaire. Is é beartas na Roinne Dlí agus Cirt agus Comhionannais, na nOifígí agus na nGníomhaireachtaí a úsáideann seirbhísí TF na Roinne seoladh ábhair cholúil a dhícheadú. Más rud é go measann tú gur ábhar colúil atá san ábhar atá sa teachtaireacht seo is ceart duit dul i dteagmháil leis an seoltóir láithreach agus le mailminder[ag]justice.ie chomh maith. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. It is the policy of the Department of Justice and Equality and the Agencies and Offices using its IT services to disallow the sending of offensive material. Should you consider that the material contained in this message is offensive you should contact the sender immediately and also mailminder[at]justice.ie. ********************************************************************************** .................................................... 41 When we go through tough time, little things like talking about our problems, getting regular exercise, drinking less alcohol and being involved in activities we enjoy can make a big difference to how we feel. Find the little things that work for you at yourmentalhealth.ie "Tá an fhaisnéis sa ríomhphost seo (ceangaltáin san áireamh) faoi rún. Baineann sé leis an té ar seoladh chuige amháin agus tá sé ar intinn go bhfaighfidh siadsan amháin é agus gurb iadsan amháin a dhéanfaidh breithniú air. Más rud é nach tusa an duine ar leis é, tá cosc iomlán ar aon fhaisnéis atá ann, a úsáid, a chraobhscaoileadh, a scaipeadh, a nochtadh, a fhoilsiú, ná a chóipeáil . Seains gurb iad tuairimí pearsanta an údar atá san ríomhphost agus nach tuairimí FSS iad. Má fuair tú an ríomhphost seo trí dhearmad, bheadh muid buíoch dá gcuirfeá in iúil don Deasc Seirbhísí ECT ar an nguthán ag +353 1 6352757 nó ar an ríomhphost chuig service.desk@hse.ie agus ansin glan an ríomhphost seo ded' chóras." "Information in this email (including attachments) is confidential. It is intended for receipt and consideration only by the intended recipient. If you are not an addressee or intended recipient, any use, dissemination, distribution, disclosure, publication or copying of information contained in his email is strictly prohibited. Opinions expressed in this email may be personal to the author and are not necessarily the opinions of the HSE. If this email has been received by you in error we would be grateful if you could immediately notify the ICT Service Desk by telephone at +353 1 6352757 or by email to service.desk@hse.ie and thereafter delete his e-mail from your system" ********************************************************************************** Is le haghaidh an duine nó an eintitis ar a bhfuil sí dírithe, agus le haghaidh an duine nó an eintitis sin amháin, a bheartaítear an fhaisnéis a tarchuireadh agus féadfaidh sé go bhfuil ábhar faoi rún agus/nó faoi phribhléid inti. Toirmisctear aon athbhreithniú, atarchur nó leathadh a dhéanamh ar an bhfaisnéis seo, aon úsáid eile a bhaint aisti nó aon ghníomh a dhéanamh ar a hiontaoibh, ag daoine nó ag eintitis seachas an faighteoir beartaithe. Má fuair tú é seo trí dhearmad, téigh i dteagmháil leis an seoltóir, le do thoil, agus scrios an t-ábhar as aon ríomhaire. Is é beartas na Roinne Dlí agus Cirt agus Comhionannais, na nOifígí agus na nGníomhaireachtaí a úsáideann seirbhísí TF na Roinne seoladh ábhair cholúil a dhícheadú. Más rud é go measann tú gur ábhar colúil atá san ábhar atá sa teachtaireacht seo is ceart duit dul i dteagmháil leis an seoltóir láithreach agus le mailminder[ag]justice.ie chomh maith. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. It is the policy of the Department of Justice and Equality and the Agencies and Offices using its IT services to disallow the sending of offensive material. Should you consider that the material contained in this message is offensive you should contact the sender immediately and also mailminder[at]justice.ie. ********************************************************************************** 44 From: To: Cc: Subject: Date: Attachments: James Mark Plunkett Bernard Gloster CEO Tusla; Laura Slevin Final Decision: 3 x Breach Inquiry (ref. IN-19-10-01), Wednesday 8 April 2020 07:56:39 07.04.2020 Decision InquiryIN191001 Tusla.pdf image001.png image002.png Dear Bernard, Please find enclosed the Data Protection Commission (the ”DPC”) Final Decision regarding the 3 x Breach Inquiry (ref. IN-19-10-01), issued by Ms. Dixon yesterday, 07 April 2020. I am in the process of preparing a formal briefing note on this (for yourself, Board, SLT etc.), however in summary, Tusla has been issued with a reprimand; a €75,000 administrative fine; and has been given until 02 November 2020 to implement the corrective measures as set out in our most recent submission of 02 April 2020 to the DPC. I am proposing to convene the DPC taskforce (via conference call) on Tuesday 21st April 2020 to discuss this and a number of other key matters relating to DPC inquires. I will engage with Madeleine regarding your availability for the 21st and I will propose an alternative if you are not available. I will circulate other relevant documents to yourself and the group closer to the time. For now, the purpose of the meeting is to: a) Discuss the outcome of the 3 x breach inquiry and agree next steps in terms of the fine, corrective measures and communications; b) Brief the taskforce on the DPC Final Report for the 1 x breach inquiry (ref. IN-19-12-08) and outline next steps in terms of the inquiry process; Outside scope Many thanks James James Plunkett Data Protection Officer TUSLA Child & Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 46 From: To: Subject: Date: Attachments: James Mark Plunkett Vicky G. Byrne; Bernard Gloster; CEO Tusla; Laura Slevin; Fergus Ocuanachain; Cormac Quinlan; Gerard Brophy; "Aisling.Gillen@tusla.ie"; "Halpin, Dermot"; Linda Creamer; Patricia Finlay; Brian Lee1; Kim Hayes; Pat John Smyth; Pamela Benson1; Alan Breen; Frances Haigney; Linda Orourke2; Seamus Omathuna RE: DPC Submission - final review Friday 22 May 2020 07:58:40 image001.png 21.05.2020 Decision InquiryIN19128 Tusla.pdf image002.png image003.png Good morning all, For your information, please see attached the Data Protection Commission (the ”DPC”) final decision in respect of DPC Ref: IN-19-12-8 which I received yesterday evening. A fine of €40,000 has been imposed in respect of this infringement. I will issue further correspondence in respect of this matter in the coming days. Many thanks James James Plunkett Data Protection Officer TUSLA Child & Family Agency Floor 4, Brunel Building Heuston South Quarter Dublin 8 cid:image002.png@01D59FAB.D52651E0 cid:image003.png@01D55F26.EA7E9D60 .- Executive Group: Minutes, 13 May 2020 . Meeting Details: Meeting: Executive Group Meeting Purpose Agenda: Meeting Agenda: Meeting Date (Time): Attendees: (by conference call) Apologies [Confidential] Welcome Group Terms of Reference . Brief introduction Review and agree terms of reference Data Protection Commission Discuss Statutory Inquiries: . 1 Breach Inquiry Review draft submission developed in response to the draft decision. 3 Breach Inquiry Briefly discuss the status of the Action Plan and agree next steps for updating the DPC. Wrap up Next Steps Wednesday 13 May 2020, 9.00 10.30 I CEO - Bernard Gloster (Chair) [86] Data Protection Officer - James Plunkett I Director of Corporate Services Laura Slevin I Director of Transformation Policy - Cormac Quinlan I Chief Social Worker Gerard Brophy I Service Director, West ?Aisling Gil/en I Service Director, South Dermot Halpin I Service Director, Dublin North East - Linda Creamer I Service Director, Dub/in Mid Leinster? Patricia Finlay I Director of HR Kim Hayes and delegate Frances Haigney I Head of Legal Services Pamela Benson I Delegate for Brian Lee Seamus O'Mathuna I Delegate for Alan Breen - Jenny Finnegan I representatives - Michael McDaid Gary Holohan and Vicky Byrne I Director of Quality Assurance Brian Lee I Head of Communications Alan Breen I Director of ICT - Fergus O?Cuanachain I Director of Finance Pat Executive Group: Minutes, 13 May 2020 - Meeting Notes: Welcome/Gmup Tenn: of Reference: s30(1)(c) Functions and negotiatives of FOI bodies, 529(1)(a) Deliberations of Public Bodies 121 CEO Report to Board of TUSLA April 24th, 2020 Introduction: This is the seventh report of the current Chief Executive Officer to the Board (excluding a March 2020 specific briefing Covid-19). Outside scope 122 Outside scope Data Protection The matters are set out in more detail in the report of the Board sub committee (OD). Specific attention is drawn here to the first formal decision of the DPC in one of the three investigations previously advised to the Board. The significant points of note of this decision are the penalty stated (€75,000.00) and the timeline for compliance of the matters raised (November2020). s29(1)(a) Deliberations of Public Bodies, s30(1)(a) Functions and Negotiations Outside scope 2