Tusla: questions to answer about data protection
Under Article 37.1 of the GDPR, all public bodies are required to have a Data Protection Officer (a DPO). The DPO is the person in the organization who is charged with ensuring the organization complies with data protection legislation. For organisations with large databases of sensitive personal data, it is a critical role.
One such organization is Tusla, the state agency responsible for providing support services for children. Tusla has already faced national controversy as a result of its failure to manage and protect sensitive personal data .
We have recently learned that Tusla’s first Data Protection Officer had left employment some weeks after the GDPR came into force.
The organisation has contact details for a DPO published in its Privacy Notice, but the email listed leads, not to an independent Data Protection Officer contact, but to “datacontroller@tusla.ie”. The Data Controller, of course, is the very entity about whose behaviour an individual would want to contact an independent DPO.
We understand that, after the departure of the original appointee, inquiries to the DPO were redirected to external legal representatives- but that those external agents were not the designated Data Protection Officer.
The person currently designated as the Data Protection Officer for Tusla is part of the Office of the Chief Executive and has also been described by Tusla as also holding the role of Director of Corporate Services. Although the role was previously advertised, Tusla is not currently seeking to recruit a Data Protection Officer.
As the GDPR repeatedly emphasises, the DPO for an organisation cannot be the person liable for Data Protection compliance in the organisation. That duty remains with the Data Controller.
Article 38 (6) specifically prohibits a DPO being assigned any task or duties that result in a ‘conflict of interests’ with their DPO role. The Article 29 Working Party of the EU’s Data Protection Authorities have issued a paper explaining the DPO role, stating “This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” While the nature of such positions will vary according to each organisation, they set out a non-exhaustive list of roles they foresee would be incompatible.
“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.
In addition, a conflict of interests may also arise, for example, if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.”
The independence of an organisation’s DPO is a critical part of the role. This independence is considered so significant by the GDPR that Article 38.3 specifically grants job protections on the DPO in order to ensure that they can operate Independently.
“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”
This week, Digital Rights Ireland has written to Tusla seeking details of
- The job description for the DPO role;
- The steps taken to advertise or recruit for the DPO role, including details of any internal or external competition;
- The criteria for the appointment of the DPO;
- The qualifications of the DPO;
- Any guidance or training given to the DPO;
- The reporting arrangements for the DPO to “directly report to the highest management level”;
- The steps taken to ensure that the DPO is independent and does not have any conflict of interest; and
- The staff/resources/budget given to the DPO.
DRI has also written in similar terms to a number of Government Departments and agencies who are Data Controllers for significant databases of personal data.
Having truly independent Data Protection Officers in Government Departments and other public bodies is a key part of the architecture of the GDPR’s protection of citizen’s data.
The public sector’s blanket requirement to appoint a DPO is a reflection of the profound depth and sensitivity of the data stored by the state. Few public bodies hold more sensitive personal data than Tusla.
DRI will continue to monitor the implementation of the DPO role, and if necessary, to highlight any threat to the independence of DPOs