The Data Protection Commission (DPC) has found Tusla failed to demonstrate a lawful basis under General Data Protection Regulation (GDPR) for its processing of a whistleblower’s personal data.
Ciarán Kenneally resigned from his role with the Child and Family Agency in January 2019 shortly after making a protected disclosure about procurement issues at an aftercare service based at Liberty Street House, Cork city.
Mr Kenneally settled an unfair dismissal case with Tusla at the Workplace Relations Commission (WRC) in November 2019.
Records released to Mr Kenneally after the WRC case was settled confirmed Tusla had carried out a background check on him.
READ MORE
Mr Kenneally lodged a complaint with the DPC in 2021, alleging Tusla had unlawfully processed his personal data by carrying out “an unauthorised background check on me without any consent from me or to my knowledge”.
He also alleged Tusla had, without his consent, “obtained feedback from a counsellor” relating to therapy sessions he attended.
On January 13th, the DPC sent its final report to Mr Kenneally. The document acknowledged “a considerable amount of time has passed since the date on which your complaint was first submitted”, saying the delay was “very much regretted”.
The report said Tusla informed Mr Kenneally it processed his personal data in line with article 6(1)(e) of the GDP regulations. This article states that such processing can occur when it is necessary “for the performance of a contract to which the data subject is party”.
The DPC report said that while an employer “can raise performance issues or concerns relating to a person’s suitability for a specific role ... it is not evident that checking references or contacting previous employers would be a reasonable or foreseeable action carried out by an employer after the contract for employment has commenced”.
As such, the DPC found Tusla “failed to demonstrate a lawful basis under article six of the GDPR” for contacting Mr Kenneally’s previous employer while he worked for the agency.
In his complaint, Mr Kenneally also alleged Tusla had unlawfully obtained his personal data by obtaining “feedback” from counselling sessions he attended.
Tusla said it “had contact with the counselling service provider in order to facilitate payment for the provider’s services, but that feedback was neither sought nor received in this connection”, the report said.
The DPC said it “cannot make a determination regarding the alleged unlawful obtaining of your personal data, relating to feedback from your counselling sessions”.
Last November, Mr Kenneally submitted a second protected disclosure to Tusla, saying another former employee of the agency had contacted him with information which supported his initial disclosure.
Responding to the DPC report, Mr Kenneally said Tusla “failed to meet the basic legal standards expected of a professional public organisation”.
“My complaint to the Data Protection Commission took four years to conclude, resulting in one decisive and one inconclusive decision. I have since made a second protected disclosure,” he said.
“I am pursuing all available avenues to secure accountability, and I will not stop until accountability is achieved.”
A Tusla spokeswoman said the organisation “strongly believes in protecting the confidentiality and security of the personal data of our employees and service users”.
“We are fully aware of our responsibilities regarding the handling of personal data, and we take all data processing breaches very seriously,” a statement said.
“In the case of any personal data breach of which we become aware, we will react quickly to identify the cause, take steps to mitigate any potential impact, undertake a full risk assessment and inform impacted persons in appropriate cases.”
Tusla would continue to engage “constructively with the DPC as required”, the statement said.
The agency did not comment on the status of Mr Kenneally’s new protected disclosure.
