The Data Protection Commission (DPC) has found Tusla failed to demonstrate a lawful basis under General Data Protection Regulation (GDPR) for its processing of a whistleblower’s personal data.
Ciarán Kenneally resigned from his role with the Child and Family Agency in January 2019 shortly after making a protected disclosure about procurement issues at an aftercare service based at Liberty Street House, Cork city.
Mr Kenneally settled an unfair dismissal case with Tusla at the Workplace Relations Commission (WRC) in November 2019.
Records released to Mr Kenneally after the WRC case was settled confirmed Tusla had carried out a background check on him.
Mr Kenneally lodged a complaint with the DPC in 2021, alleging Tusla had unlawfully processed his personal data by carrying out “an unauthorised background check on me without any consent from me or to my knowledge”.
He also alleged Tusla had, without his consent, “obtained feedback from a counsellor” relating to therapy sessions he attended.
On January 13th, the DPC sent its final report to Mr Kenneally. The document acknowledged “a considerable amount of time has passed since the date on which your complaint was first submitted”, saying the delay was “very much regretted”.
The report said Tusla informed Mr Kenneally it processed his personal data in line with article 6(1)(e) of the GDP regulations. This article states that such processing can occur when it is necessary “for the performance of a contract to which...
Welcome to Reality Check, NewsGuard’s nonpartisan newsletter that tracks the false claims and conspiracy theories that shape our world — and who’s behind them. Support us by becoming a premium memb...