Tusla Personal Information (Data) Access Portal Privacy Notice
The Privacy Notice will set out the following:
-
The Purpose
The Data Controller
The Data Protection Officer (DPO)
What Personal Data is Collected?
What we use your Personal Data for?
Legal basis for processing
Cookies on the website
How long will we hold onto your Personal Data?
Who will have access to your Personal Data?
International data transfers
Your Rights
Complaints
1. The Purpose
Tusla, the Child and Family Agency (‘we’ or ‘us’ or ‘our’) is committed to providing a clear privacy notice to explain how we use and process the Personal Data impacted during the Health Service Executive (HSE) cyber-attack.
2. The Data Controller
We are the Data Controller for all Personal Data which is collected and used by this website for the purpose of the Tusla notification process. A Data Controller is the legal entity which determines how and why Personal Data is collected and used. Our headquarters are located at the Brunel Building, Heuston South Quarter, Saint John's Road West, Dublin 8, D08 X01F. You can view our full Privacy Notice here.
3. The Data Protection Officer
We have appointed a Data Protection Officer to oversee our compliance with our data protection obligations. You can contact the Tusla Data Protection Officer (DPO) by email at DPUHelp@tusla.ie or by post at the Brunel Building, Heuston South Quarter, Saint John's Road West, Dublin 8, D08 X01F.
4. What Personal Data is Collected?
‘Personal Data’ means any information relating to you which allows us to identify you, such as your name, address, contact phone numbers and email address. Tusla processes personal data to carry out the functions assigned to the Agency by the Child and Family Agency Act 2013 and other relevant legislation, to promote the development, welfare and protection of children and families.
We will collect and use the following Personal Data about you in relation to your use of the notification portal:
|
Description | What its used for |
|---|---|
First and last name | We collect your first and last name to help us identify you when you log onto the Tusla notification portal during the registration process. It is used for verification purposes and to deal with your queries. |
Unique Personal Identification Number (PIN) | The Unique PIN provided to you in your notification letter will be used to help identify you when you log onto the portal during the registration process. |
Phone Number | We collect your mobile phone number to help us identify you and to send relevant service-based SMS notifications. |
Date of Birth | We collect your date of birth to help us identify you. |
Address | We collect your address to help us identify you. |
Email Address | We collect your email address via the portal during the portal registration process, to help us identify you and to communicate with you. |
IP Address | IP address is recorded only when you access the portal. |
Identity documents (ID) of individuals (‘data subjects’) who are successfully authenticated in ID-Pal | We collect your identity document during the ID Verification process. Where you consent to the ID verification process, you will be requested to upload a photo of your government issued ID in the integrated ID verification system (ID-Pal). This is to help us verify your identity and prevent fraud. |
Photo - authenticated in ID-Pal | As part of provisioning access for you on the portal, you will have the option to consent for an online ID verification. As part of this online ID verification process, we via ID-Pal, will collect and store incoming information from you, which is voluntarily provided. This will involve biometric data (photo) and Personal Data (ID documents) to verify your identity. |
SMS Messages | We may send you SMS messages to assist us with logistics arising from the notification process. |
Identity documents (Photocopies provided during the face-to-face interaction) | We collect your identity document where you choose to verify your identity during the face-to-face interaction, where applicable. |
| Additional documents required to prove guardianship status | We will collect various documents (birth certificate, court order, marriage certificate, and guardianship declaration) during the ID verification process in order to validate legal guardianship status. |
5. What we use your Personal Data for?
It is a legal and regulatory requirement for us to contact you (the impacted data subjects), share details of the breach and further facilitate any requests by you regarding the breached data. Throughout this process, Personal Data will be used only where necessary for the purposes set out above.
Any Personal Data we collect from you through this website will only be used by us for the following purposes:
- to verify your identity, to register you on the notification portal and help us manage any queries you may have.
- to verify the guardianship status of your appointed legal guardian (where applicable).
- to contact (via letter, phone, and SMS) you, if you have been previously notified that your data or the data of your child was breached, as part of the May 2021 cyber-attack on the HSE.
- to ensure secure access to the notification portal through multi-factor authentication.
- to deliver the notification process and portal.
6. Legal basis for processing
Under data protection legislation (such as the General Data Protection Regulation (GDPR) and Data Protection Act), we can only process Personal Data where we have a legal basis to do so. Our legal basis for processing Personal Data, in the course of this notification process, is as follows:
- Processing Personal Data for the purposes of notifying you of the data breach that occurred (Article 34 of the GDPR).
- The processing is necessary for a legal obligation to which we are subject (Article 6(1)(c) of the GDPR).
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Article 6(1)(e) of the GDPR).
- The data subject has given explicit consent to the processing (Article 6(1)(a) and Article 9(2)(a) of the GDPR) of their biometric data through the ID-Pal web/mobile integrated application for identity verification.
- We may rely on Sections 41 and 47 of the Data Protection Act 2018 to retain Personal Data for the establishment, exercise or defence of legal claims.
7. Cookies on the website
Cookies are small files that are created and saved on your phone, tablet, or computer when you visit a website. The term cookies can refer to cookies set in your web browser (e.g., Chrome, Safari, Edge, Firefox or Brave) as well as several similar technologies including tracking pixels/web beacons, local shared objects/flash cookies and access to device information.
The notification portal makes use of essential cookies only. Essential Cookies are necessary for the website to function and cannot be switched off in our systems. They enable functionality such as log in, network management and security. You can set your browser to block or alert you about these cookies, but some parts of the site may not work correctly. These cookies do not store any personally identifiable information.
The following table describes the cookies that are active on the notification portal, alongside their timeframe.
|
Cookie Name | Description | Timeframe | Type |
|---|---|---|---|
__RequestVerificationToken | Used by the anti-forgery system. | Session | Essential |
.AspNet.ApplicationCookie | Used to identify user sessions. A user session starts when a user browses the portal for the first time. It ends when the session is closed. Authentication site settings can be used to change session expiry time span. | Session | Essential |
ARRAffinity | Added automatically by Azure websites and ensures that requests are load balanced between different sites. Doesn't store any user information. | Session | Essential |
ASP.NET_SessionId | Used to maintain the session of a logged in user to avoid repeated sign-in. | Session | Essential |
ContextLanguageCode | Stores the default language of the user accessing the portal within a session and across webpages. The cookie is deleted after session closes. | Session | Essential |
Dynamics365PortalAnalytics | Critical service cookie to analyse service usage anonymously and aggregated for statistical purpose. | 90 days | Essential |
isDSTObserved | Stores a value to indicate if the current moment is in daylight saving time. | Session | Essential |
isDSTSupport | Indicates whether a specified date and time falls in the range of daylight-saving time. | Session | Essential |
timeZoneCode | Stores the timezonecode field value of CRM timezonedefinition table for the current timezone. | Session | Essential |
timezoneoffset | Stores the timezone difference between UTC and Local browser time. | Session | Essential |
MC1=GUID | These web analytics cookies, provided by Microsoft Inc., are used to collect information about how visitors use the site. The information is used to compile reports and to help Microsoft improve the site. | Session | Essential |
MS0 | The cookie enables user tracking by synchronising the ID across many Microsoft domains. Used widely by Microsoft as a unique user ID. There will be no advertising on this website. | Session | Essential |
x-ms-cpim-csrf | Cross-Site Request Forgery token used for CRSF protection. | Session | Essential |
x-ms-cpim-sso:tuslatesthsedataprotectionb2c.onmicrosoft.com_0 | Used for maintaining the SSO session. | Session | Essential |
x-ms-cpim-cache|f49gnefauu6mg456ne69wq_0 | Used to track transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology. | Session | Essential |
x-ms-cpim-trans | Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology. | Session | Essential |
ARRAffinitySameSite | Added automatically by Azure websites and ensures that requests are load balanced between different sites. Doesn't store any user information. | Session | Essential |
ai_session | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform | Session | Essential |
ai_user | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique user identifier cookie enabling counting of the number of users accessing the application over time. | Session | Essential |
ASP.NET_SessionId | Used to maintain the session of a logged in user to avoid repeated sign-in. | Session | Essential |
8. How long will we hold onto your Personal Data?
We will retain the following types of Personal Data:
- Cookies and other tracking tools used on the notification portal, and this website are retained for the duration of their “Timeframe” set out above in section 7.
- Personal Data collected and processed for identification and verification checks by automated means via ID-Pal is retained (i) where successful, for the life of the notification service; or (ii) where unsuccessful, for no longer than 30 days.
- All other Personal Data collected by us is retained for the life of the notification process and where necessary for the establishment, exercise or defence of any legal claims, proceedings or related complaints concerning your Personal Data (based on the relevant limitation periods for taking related legal action). For these purposes, such Personal Data collected and processed will be retained for the life of the notification process and up to seven years. We will conduct scheduled reviews of the retention periods for this purpose to ensure that your personal data is not kept for longer than is necessary. Personal Data may be retained for a longer period where necessary due to the existence of, or where we become aware of likely, related legal proceedings.
- When we no longer need your Personal Data for purposes of the cyber-attack notification programme, we will securely delete or destroy your Personal Data.
9. Who will have access to your Personal Data?
Our staff, agents and suppliers who are directly involved with the management and delivery of the notification portal will have access to your Personal Data. These suppliers provide services including but not limited to identity verification services, telephony and SMS, website and customer relationship management portal.
In certain situations, we may have to disclose information to other agencies where permitted or required by law. The categories of other organisations that we may share information with include the following:
- Consultants, general contractors, and professional advisors (including legal, business and risk management advisors) hired or engaged by us, where they may be working on enhancing and/or enabling delivery of the notification process and Portal.
- Departments and other statutory or public agencies, including courts, in accordance with legal requirements.
All our staff, agents and suppliers who may have access to Personal Data shall be bound by confidentiality and legal agreements and are obliged to keep your Personal Data secure, and to use it only for the purposes specified by us. A full list of suppliers is available upon request via the contact details in section 3 (The Data Protection Officer (DPO)) above.
10. International data transfers - Will your Personal Data be transferred outside of the European Economic Area (EEA)?
There are special requirements set out under Chapter V of the GDPR to regulate transfers of Personal Data outside the European Economic Area (EEA) and to ensure that adequate security measures are in place to safeguard and maintain the integrity of your transferred Personal Data.
Where we transfer your Personal Data outside the EEA to our suppliers, we will make sure that it is done in compliance with the provisions of data protection laws (including Chapter V of the GDPR). We aim to ensure that such Personal Data is protected to the same extent as in the EEA and we will use at least one of the following safeguards:
- transfer it to a non-EEA country, with privacy laws that the European Commission has determined to offer an adequate level of data protection,
- put in place Standard Contractual Clauses (SCCs) approved by the European Commission, or
- ensure that other appropriate safeguards are in place with the recipient (that means they must protect it to the same standards as the EEA) and which we will have taken steps (through transfer impact assessments and supplementary technical, organisational and contractual measures) to ensure that they are effective in practice.
Some of the suppliers involved with the notification process who provide SMS communication services as part of the identity and verification process may process your mobile number outside the EEA to the United States.
The supplier used for sending SMS communication relies upon EU approved Binding Corporate Rules (BCRs) and SCCs to ensure compliance with applicable data protection laws (including the GDPR) when processing Personal Data on behalf of us.
For further information on international data transfers involving Personal Data in the delivery of the notification process, please contact us via the contact details in section 3 (The Data Protection Officer (DPO)) above.
11. Your Rights
Under certain circumstances, data subjects have certain legal rights concerning their personal information and the manner in which we process it, such as:
|
Right of access | You have the right to request a copy of the information that we hold about you. |
Right of rectification | You have a right to correct data that we hold about you that is inaccurate or incomplete. |
Right to erasure | You can request for the data that we hold about you to be erased from our records in the following instances:
This right does not apply where Personal Data is required for the purpose of compliance with a legal obligation. Therefore, this right is not applicable in respect of much of the processing undertaken for the notification process. |
Right to restriction of processing | Where certain conditions apply, you have the right to restrict the processing of your Personal Data. Where this right is exercised, we are still permitted to store your Personal Data, but other use of the data is prohibited, save in certain limited circumstances. |
Right of portability | You have the right to have the data we hold about you in a format that enables you to transfer that Personal Data to another organisation who is processing your Personal Data on the basis of consent or on the fulfilment of a contract. This right does not apply where Personal Data is required for the purpose of compliance with a legal obligation and so is not applicable in this case. |
Right to object | In certain circumstances, you have the right to object to certain types of processing of your Personal Data. We will comply with your objection unless there is a compelling legitimate reason, or if we need to use your Personal Data in connection with any legal claims. |
Right not to be subject to a decision based solely on automated processing which results in legal or similarly significant effects upon you unless certain conditions are met | Where your identity is verified by ID-Pal, identification and verification checks are conducted by automated means. This processing is only carried out where you have explicitly consented to the processing. You may contest the outcome of this verification processing by contacting the email address below. You may also choose to have your identity verified via other means, for example, during the face-to-face interaction, if this is something you prefer. |
Right to review | In the event that we refuse your request under the right of access, we will provide you with a reason as to why. |
Right to withdraw your consent | Where you have uploaded your biometric data for the purpose of verification, you may withdraw your consent at any time. This will not affect the lawfulness of our processing before the withdrawal. |
Right to make a complaint to the Data Protection Commission | If you do not think that we have processed your Personal Data in accordance with this Notice, please contact us in the first instance (see contact details below or in section 3 (The Data Protection Officer (DPO)) above). If you are not satisfied, you can make a complaint to the Data Protection Commission. Please see further information below. |
If you wish to exercise any of these rights, then please submit a request, to us, either via the Agency’s Data Subject requests portal, by email, or by post to Data Protection Unit, Tusla, 6th Floor, Brunel Building, Heuston South Quarter, St. John’s Road West, Dublin 8, D08 X01F. When submitting a request, we may need information from you to confirm your identity. Once your identity has been confirmed, we will supply you with your information free of charge, however, we may charge a reasonable fee if we believe your request is clearly unfounded, excessive, or repetitive.
12. Complaints
If you are unhappy with the way that we have processed your Personal Data, please contact our Data Protection Officer (DPO). You can contact them by email at the email addresses: DPregulatory@tusla.ie. If we are not able to resolve your complaint, you have the right to lodge a complaint directly with our supervisory authority, the Data Protection Commission online, by email to info@dataprotection.ie or by post to 21 Fitzwilliam Square South, Dublin 2, D02 RD28. Additional information on how to do this is available on the Commission’s website (www.dataprotection.ie).
Version 2.0 | 05 April 2023