The child and family agency Tusla was warned it should reduce its use of fax machines, particularly for transmitting sensitive or confidential personal information, after it was found there was “substantial” use of fax between the agency and An Garda Síochána.

A risk report prepared by data protection consultants for the agency said that for “legacy reasons” and despite the availability of alternative electronic communications, the use of fax machines to transmit information persisted.

Consultants Sytorus said it “strongly” recommended that the continued use of fax for correspondence, particularly where it contained sensitive or confidential personal information, should be “reduced and kept to a minimum”.

Where it was possible to draft a letter or memo to be faxed, “it must be equally possible to email the same document via a more secure, encrypted connection, and for the recipient to then save the document safely on arrival”.

The report focused on Tusla’s management of data connected with its provision of child welfare services.

The consultants wrote that there was “no evidence of a formal data retention and destruction policy” within the organisation, other than a “general belief heard regularly . . . requiring that all records are to be held ‘indefinitely, in perpetuity’.”

Unnecessary burden

While this view was understandable, given the nature of the work and the sensitivity of the material held by the agency, it nonetheless created an unnecessary burden on Tusla in terms of “storage, accuracy and security obligations”.

The consultants also noted there was “a reported tendency to gather and record information simply because it is available, rather than because it is actually needed for the provision of care”.

“Anecdotally, there is also evidence of substantial volumes of highly confidential and sensitive records being held in non-secure and inappropriate environments, thereby running the risk that such records will be inadvertently lost or disclosed, or will be damaged by exposure to the elements, damp or unintentional destruction, thereby defeating the purpose of their retention in the first place.”

Some actions by Tusla will come under scrutiny by the Disclosures Tribunal, chaired by Mr Justice Peter Charleton, which is examining how it came to process false allegations of sexual misconduct against Garda whistleblower Sgt Maurice McCabe.

‘Responsibilities’

In a statement, Tusla said it was “fully cognisant of its responsibilities in respect of data protection legislation”. It was “actively preparing for the introduction of the EU General Data Protection Regulation”, which comes into force in May.

It said it had engaged a data protection specialist to undertake an assessment of a “discrete sample” of its data management activities. This was in line with Tusla’s “continued commitment to a robust and compliant system of corporate governance”.

The work being undertaken on data protection was part of the agency’s wider transformation programme which would “enhance many core organisational aspects of the agency, including organisational culture, strategic HR capacity, and corporate and practice governance systems”, it said.

Tusla said the new National Childcare Information System (NCCIS) was expected to be live by the summer. The system would “ultimately enhance and improve the quality, safety, responsiveness and delivery of children’s services”.