# VHI Employee Assistance Programme - Data Protection Issue



## MarySmyth (30 Jul 2013)

My employer operates an EAP via VHI https://www.vhi.ie/jsp/employers/employeeassistanceprogramme.jsp

On the single occasion I contacted same in June, I was surprised at the amount of advance questions required by the phone operator in advance of receiving assistance to what is described in leaflets and company briefings as a 'confidential service'- name/ employer/ home address/ phone/ email/ etc.

One month later I received an email regarding 'satisfaction survey' and was surprised to see over 40 other email addresses listed in the addressee list. These were similar other employees from other companies who accessed the 'confidential' service. 

It transpires that the service is operated by an outsource organisation in the UK

Following investigation, the issue arose due to 'human error', which by all accounts could happen with any of us sending emails. However, I would be reluctant to use the service again. Any advice/ comments?

P.S. when I asked VHI for an 'access request' to find out what data is held by themselves or PPC - they said I must contact the UK company!


----------



## cmalone (30 Jul 2013)

*VHI data breach*

Sorry to hear you were affected by the data breach by VHI. Not sure what you are looking for them to make amends by- 

Expect data commissioner takes such matters seriously. Also, your employer may note and consider same when renewing contract with the EAP.


----------



## Spear (31 Jul 2013)

Apparently the VHI isn't regulated by the Central Bank. Maybe it also has an exemption from the DPC


----------



## Jim2007 (31 Jul 2013)

MarySmyth said:


> One month later I received an email regarding 'satisfaction survey' and was surprised to see over 40 other email addresses listed in the addressee list. These were similar other employees from other companies who accessed the 'confidential' service.





MarySmyth said:


> Following investigation, the issue arose due to 'human error', which by all accounts could happen with any of us sending emails. However, I would be reluctant to use the service again. Any advice/ comments?



There will always be the potential for human error in any service, so I'm not really sure what you are expecting to happen.



MarySmyth said:


> It transpires that the service is operated by an outsource organisation in the UK



Provided you agreed to the transfer of your data to a third party service, there is nothing to say on this one.  The data was transferred into a country where the EU directive applies so there is no issue there.  



MarySmyth said:


> P.S. when I asked VHI for an 'access request' to find out what data is held by themselves or PPC - they said I must contact the UK company!



This is correct.  VHI are responsible for the data held by them and PPC are responsible for the data held by them.  The only real question to be asked is did you approve the transfer of the data in the first place???  I expect you'll find that somewhere in all the documentation, you did, but you never know...


----------



## ajapale (31 Jul 2013)

Mary,

Have you reported this serious breach to the DPC?

aj


----------



## MarySmyth (31 Jul 2013)

*Vhi/ ppc*

Thank you for feedback- As an employee, I was unaware that the service was being provided by an outsource company other than VHI- I expect my employer may have been aware.

Matter reported to Office of the Data Protection Commissioner- but expect this is simply standard nowadays and standard type responses issued. Nothing regarding the confidential nature of the service and need to reassure all affected staff and others....

Has anyone else a similar type service operating in their organisation?

Other providers include:
EAP Consultants
Peninsula Business Services
Laya Healthcare http://www.layahealthcare.ie


----------



## ajapale (31 Jul 2013)

MarySmyth said:


> Matter reported to Office of the Data Protection Commissioner- but expect this is simply standard nowadays and standard type responses issued.



The office of the data protection commissioner take such reports very seriously indeed as is evidenced by case studies on their [broken link removed].



> These case studies provide an insight into some of the issues that this Office investigates on a day to day basis.


----------



## Time (31 Jul 2013)

They wouldn't dare send a standard response to the DPC.


----------



## MarySmyth (31 Jul 2013)

*Data Protection- VHI/ PPC*

Not sure if you have had any contact with ODPC. It is obvious they are overburdened with work and find it difficult these days to even reply months later! So I expect once VHI actually corresponded with them will be taken as a positive action on their side- ODPC confirmed that they have a standard requirement of 3 actions and VHI said yes to all 3- compliance file closed by ODPC thereafter!


----------



## Mrs Vimes (31 Jul 2013)

If I was you Mary, I would send an email to all the email addresses you got (maybe set up a new email address to keep your own privacy) telling them what happened - use the BCC function so you don't repeat the offense.

If the DPC got 40 complaints they might act.


----------



## MarySmyth (31 Jul 2013)

*Update*

Yes one of the affected staff members from a different organisation did that- and forwarded copies of the supposedly 'private and confidential' responses received from VHI and ODPC. It is clear that they only react to those who shout loudest, as despite everyone else being affected to the same extent- they just sent 1 reply from VHI and nothing from ODPC to everyone else...


----------



## Jim2007 (31 Jul 2013)

MarySmyth said:


> Yes one of the affected staff members from a different organisation did that- and forwarded copies of the supposedly 'private and confidential' responses received from VHI and ODPC. It is clear that they only react to those who shout loudest, as despite everyone else being affected to the same extent- they just sent 1 reply from VHI and nothing from ODPC to everyone else...





Mrs Vimes said:


> If I was you Mary, I would send an email to all the email addresses you got (maybe set up a new email address to keep your own privacy) telling them what happened - use the BCC function so you don't repeat the offense.
> 
> If the DPC got 40 complaints they might act.



What exactly are you complaining of and what do you expect them to do???


----------



## MarySmyth (31 Jul 2013)

*complaint*

Complaining about their handling of the matter- unfortunately all VHI/ PPC have done after the incident is the minimum required under the ODPC requirements.

They have not reassured affected staff that their personal data remains confidential - their letter without a date or reference to the actual scheme looks like something they took 'off the shelf' in their USA Head Office and simply photocopied. They even stated on the letter that staff can contact them by phone and failed to state the relevant number!

Best option would be for affected staff to ask employers to move with their feet,,,


----------



## Jim2007 (1 Aug 2013)

I understand that you are upset that this happened, but there is nothing to suggest it was anything other than human....



MarySmyth said:


> Complaining about their handling of the matter- unfortunately all VHI/ PPC have done after the incident is the minimum required under the ODPC requirements.



If they have complied with the requirements of the ODPC, then I don't see what more the ODPC can do. 



MarySmyth said:


> Best option would be for affected staff to ask employers to move with their feet,,,



Well that is just not going to happen, unless it starts to cost the employers more than the savings they are making by outsourcing!


----------



## MarySmyth (1 Aug 2013)

*Vhi*

John thanks for comments-

You will be interested to know that our union is not happy that staff are now reluctant to use this 'confidential' service and employer has been notified to provide alternatives! Appears this particular employer listens to staff...

Regrettable that ODPC is so under-resourced these days that it is unable to investigate cases- aware of numerous examples...


----------

