NUIG’s data breach denial: Just papering over the cracks?

SUMMARY: A Jan. 19th Connacht Tribune article by reporter Dara Bradley states that NUI Galway denies any breaches of data protection regarding a ‘misogynist’ health questionnaire given to prospective employees. However, the article notes that NUI Galway officials did acknowledge that job applicants were directed to send the questionnaire to Human Resources, not a physician, as had been claimed. The article then reveals e-mails in which a university HR manager advised against referring to this issue in the media “as it will add fuel to the fire” and recommended not addressing it “in the heat of the moment.” Sound like papering over the cracks to you? The questionnaire, which asked women about their menstrual periods and breast problems, was heavily criticised when it was reported on last March and, as the article points out, its use was subsequently suspended by the university.

The full Connacht Tribune article is reprinted below or can be accessed by clicking on this link: http://connachttribune.ie/no-data-breach-on-menstruation-questionnaire-says-nuig-808/

 

No data breach on ‘menstruation’ questionnaire, says NUIG

by Dara BradleyJan 19, 2016

NUI Galway insists there were no breaches of data protection of prospective employees who filled out health questionnaires which included questions about menstrual periods.

NUIG admits that its ‘misogynist’ health questionnaire, which caused a storm when revealed in this newspaper last March, in some instances was returned to the human resource office and not the university physician. But the university insists there were no breaches in data protection.

The pre-employment health assessment, which was subsequently suspended by NUIG following a storm of controversy, contained questions such as: “Do you suffer with any problems with your menstrual periods? Do you suffer any breast problems? Have you ever been treated for gynaecological problems? Have you ever suffered prostate problems?”

The line of questioning was described as “invasive”, “misogynist” and “excessively personal” by senior lectures at the university.

One senior lecturer who initially refused to fill out the form because she felt it was inappropriate was told that a job offered to her was contingent on the form being completed.

The young woman also said that she was required to fill out the questionnaire in addition to taking a medical check-up, which included a breast exam.She questioned the confidentiality of the forms, and said that the questionnaire was returned to Human Resources and not to the occupational health physician. She said this gave rise to possible data protection breaches.

Internal communication between the Human Resources (HR) department and the Communications Office at NUIG, released to this newspaper under the Freedom of Information Act, discuss that story and her version of events.

On March 6, 2015 Mr Gearóid Ó Conluain, Secretary of NUIG, in an email to colleagues asks if her account in the Galway City Tribune was false.

“It is stated once again in this article that the lecturer concerned was asked to send the completed form to HR and did so. Are we absolutely certain that this is false i.e. that we require all such questionnaires completed by any job applicant to be forwarded directly by the applicant to the occupational physician? Can we absolutely stand over this,” asked Mr Ó Conluain.

Mr Colm Flannery, HR Manager Employee Relations, confirms that the statement in the article was, in fact, true.

“Yes, the completed form is returned to the HR office and sent on to the doctor for examination. It should be returned in a sealed envelope but often this is not the case,” he said.

Mr Flannery then advised not to refer to this issue in media statements, “as it will add fuel to the fire”.

In an email to Michelle Ní Chróinín, NUIG Communications Officer, Mr Flannery added that the university would change this policy.

“Our revised process will see this changed to being sent from the doctor and returned to the doctor directly. As I have said below, I would not address this issue at this time in the heat of the moment,” said Mr Flannery.

According to NUIG’s Data Protection Policy, sensitive personal data include personal data as to “physical or mental health or sexual life”.

A breach of data protection, according to the same code, is “an incident which gives rise to a risk of unauthorised disclosure”, and it “must be brought to the attention of the Secretary of the University and the Data Protection Officer as soon as is practical” and “every effort should be made to remove the risk and to ensure that the data subjects are informed.”

However, in a statement, the university said: “An individual provides the data to NUIG, if the individual does not place the data in the provided envelope (with written instructions to seal it and return), he/she makes the disclosure hence there is no ‘unauthorised disclosure’ in this scenario.”

In response to a series of questions, NUIG said: “There was no breach of data protection regulations regarding this matter. The relevant University Officers are consulted in respect of data protection matters.

“It is inaccurate to state that there has been a data breach in respect of this matter. NUI Galway continually reviews its policies and procedures. It is inaccurate to state that there has been a data breach in respect of this matter therefore the remainder of your queries do not arise.”

Advertisements

2 thoughts on “NUIG’s data breach denial: Just papering over the cracks?

  1. Pingback: Ninth Level Ireland » Blog Archive » NUIG’s data breach denial: Just papering over the cracks?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s