Dublin ETB fined €125,000 for data protection breaches

The Data Protection Commission concluded after a six-year investigation that the ETB had breached GDPR in multiple ways, by both failing to ensure sufficient security for the personal data on its website and by then neglecting to inform the commission of the issue in due course when it was first discovered. Picture: Brian Lawless/PA
Dublin's Education and Training Board (CDETB) has been fined €125,000 by the Data Protection Commission after the personal details of 13,000 grant applicants were made available to unauthorised persons.

The commission concluded after a six-year investigation that the ETB had breached GDPR in multiple ways, by both failing to ensure sufficient security for the personal data on its website and by then neglecting to inform the commission of the issue in due course when it was first discovered.

The fine of €125,000 is the second largest levied by the commission on an Irish State body.

That penalty stands second only to the €550,000 fine handed to the department of social protection earlier this month for the use of biometric data on its public services card.

An own-volition inquiry had been commenced by the commission in 2019 after CDETB discovered the previous November that the personal data of students whose grant applications were initially processed by the body were being retained on its web servers, rather than being routinely deleted after being forwarded on to the relevant team within grants administration agency Susi.

Susi itself is a subsidiary of the CDETB, which was designated in 2012 as the single awarding authority for new student grants.

One month previously, the ETB had likewise become aware of the presence of malware on its web servers, a fact which served to compound the data breach.

All told, the data breach comprised the personal details of roughly 13,000 people who had applied for grants during 2017 and 2018.

The data contained in the breach included names, birth dates, PPS numbers, contact details, details of race and ethnicity, health status, and identification data.

In addition to finding that the CDETB had failed to notify the Data Protection Commission of the breaches within the statutory timeframe of 72 hours, the commission also found that the CDETB had declined to communicate the breach to the people who had been impacted, despite being specifically requested to do so.

The DPC added that the fine of €125,000 would have been higher, with a top level of €210,000 outlined in the commission's initial draft decision on the matter, but for the mitigating behaviour of the ETB once it discovered that it was to be the subject of an adverse ruling.

"The final fines reflect the mitigation occasioned by CDETB accepting each of the findings of infringements set out in the draft decision," the commission said, adding that the ETB had acknowledged full responsibility for the breach.
