The Data Protection Commissioner says Tusla appears to have a particular issue around human error.
Three investigations are underway into the Child and Family Agency after it reported a number of breaches to the Commission in 2019.
According to the DPC's annual report, one breach relates to contact and location details of a mother and child being given to their alleged abuser.
In another, sensitive personal data was given to a person who had been accused of abuse - and the information was later posted on social media.
Data Protection Commissioner Helen Dixon today told the Pat Kenny Show that 'serious wrongs' have been done, noting that the child and family agency notified 137 breaches to the Data Protection Commission in 2019 alone.
Ms Dixon said: "There are many actions that Tusla is undertaking and will be required to take to bring themselves fully into compliance with the GDPR.
"There seems to be a particular issue around human error.
"A lot of the cases... were cases where there were three copies of a certain document, and the redactions were done correctly on two of them, but not on the third one... and that's the one that was incorrectly disclosed."
Beyond Tusla, Ms Dixon said data complaints in general have rocketed since the introduction of the EU's General Data Protection Regulation (GDPR) rules.
The new report details the work of the DPC in the first full calendar year since the introduction of the new rules
The number of complaints made to the commission rose by 75% to 7,215 last year, while the number of breaches it was informed of rose by 71%.
Ms Dixon explained: "There's been a significant interest now on the part of many individuals to exercise their rights under the [regulation].
"A lot of organisations that we supervise report to us that they are getting a lot more requests from individuals to access a copy of their personal data or have their data erased - and in turn then that's generating more complaints to my office."
She pointed out that under the law individuals "don't need a well-motivated reason" to request access to personal data held by organisations - noting that "you can just go and look for a copy of your personal data".