We are arguing in favour of the same thing, I think.

I think I see you say "The Privacy Officer's role stops at providing the
policies and ensuring that they are enshrined in disciplinary policies" 

If that is what you are saying, then I agree with you wholeheartedly

My feelings on the disciplinary process itself is that, unless we are asked
as a Privacy Officer to advise the people engaged in a disciplinary process
about the seriousness of the breach, the disciplinary process itself should
not concern us.  We are concerned with the good management of data subject
to the DPA 1998, not about the decision about whether Peter should be
warned, fired or congratulated.

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: 19 May 2006 10:29
To: [log in to unmask]
Subject: Re: [data-protection] Status of volunteer staff

Tim Trent on 18 May 2006 at 16:59 said:-

> I still disagree with the concept of a different penalty or treatment 
> of staff.  But I think you are now past the point of the problem.

Because the point appears to have been missed.

I observe that a course of conduct carried out by a person with many years
of experience with an organisation or sector can generally be looked upon
differently than the same course of conduct carried out by a person new to
the organisation and unfamiliar with many things.

One very real problem allied to an inherent issue contained in this
discussion which can illuminate some relational factors there is that
breaches of varying degrees of seriousness will take place, so one reaction
for all degrees of breach is unlikely to be fitting.
If a person makes a mistake because of poor training or memory, should they
be fired or are they less likely to make that error again and hence be more
valuable to the organisation as a result? In an allied way in IT security,
good practice guidance states a person who reports a security breach should
not be treated harshly; otherwise security breaches will go unreported. (The
opposite of that is if you wish an organisations IT security to merely look
good, be seen to harshly punish all reported security weaknesses in some way
and fewer weaknesses will be reported.)

>We are not, surely, the judge, jury and executioner?

As you state DPO's are not, as they should give clear advice straight down
the line of the act and the relevant guidance leaving people to make their
own choices within the parameters of the guidance provided. If a
determination to move outside that guidance is made, provided the guidance
has been clearly given the decision maker must accept any consequences.
Unfortunately any DPO and others can be inexorably caught within those
consequences if they are aware a breach is taking place or have failed to
create adequate protection.

In my opinion the simplest and most effective way of attempting to meet all
the requirements and deal with various influencing factors is to link any
policy directly into an organisations terms of employment and disciplinary
procedures. In that way professionals who have looked closely at all the
known HR issues, considering and reviewing them regularly will provide a
more robust and appropriate training and disciplinary background fitting for
the organisation than a variety of individual policies containing similar
issues which will constantly require revision to match other organisational
policy changes. Getting those individuals to understand DP issues and the
risk to an organisation so as to take them seriously may be another thing.


Ian


> -----Original Message-----
> From: This list is for those interested in Data Protection issues 
> [mailto:[log in to unmask]] On Behalf Of Tim Trent
> Sent: 18 May 2006 16:59
> To: [log in to unmask]
> Subject: Re: Status of volunteer staff
>
>
> I still disagree with the concept of a different penalty or treatment 
> of staff.  But I think you are now past the point of the problem.
>
> When Peter transgresses the policy he is disciplined whether he is a 
> volunteer or paid staff.  That is the extent of the DPA part of the 
> policy.
>
> The mechanism of the disciplinary action is for any disciplinary 
> hearing or other process that is convened because of the breach of the 
> policy at all. Privacy  people such as we should be concerned only 
> with the fact that a breach has taken place.  We are not, surely, the 
> judge, jury and executioner?
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues 
> [mailto:[log in to unmask]] On Behalf Of Ian Welton
> Sent: 18 May 2006 16:53
> To: [log in to unmask]
> Subject: Re: [data-protection] Status of volunteer staff
>
> Policy should exist.
>
> My wording was insufficient.
>
> Any deterrent value of particular penalties emanating from a policy 
> may well need to vary according to the status of a person carrying out 
> the duties involved and the situation of those duties.  i.e. dismissal 
> for a volunteer is a less onerous penalty than dismissal for a paid 
> member of staff in a similar way that stating to somebody who is in 
> the process of committing suicide the legal penalty for attempting 
> suicide is death.
>
> Hence a volunteer may require something like a different level of 
> supervision as a means of ensuring organisational policies are 
> correctly applied. If an organisation is unable to supervise 
> efficiently or the volunteer works with information unsupervised then 
> the deterrent mechanisms will probably require a different approach 
> for volunteers. My experience has been that often the volunteer 
> contract/agreement includes any necessary variations which then apply 
> across all organisational policies, but local issues may affect the 
> effective implementation or interpretation of volunteer agreements.
>
> Perhaps it would be worthwhile looking at charitable organisations to 
> see how they manage volunteers who have unsupervised access sensitive 
> personal data.  Certainly they used to use various approaches in 
> managing confidentiality.
>
> Ian
>
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues 
> > [mailto:[log in to unmask]] On Behalf Of Tim Trent
> > Sent: 18 May 2006 14:33
> > To: [log in to unmask]
> > Subject: Re: Status of volunteer staff
> >
> >
> > The issue, oddly, is not with ensuring that people obey the
> policies,
> > but that one has policies which may be enforced.
> >
> > It does not matter that firing Peter because he has broken the 
> > policies simply stops Peter from coming to work free of
> charge.  What
> > matters is that Peter can be fired, and that he has been fired.  He 
> > can thus not do it again.
> >
> > I do not think one should have any different policies for type of 
> > staff member.  The policy must simply be all embracing, enforceable 
> > and enforced.
> >
> > Tim Trent - Consultant
> > Direct: +44(0)1344 392644 Mobile:+44(0)7710 126618
> > email: [log in to unmask]
> > Marketing Improvement Limited, Abbey House, Grenville Place, 
> > Bracknell, United Kingdom, RG12 1BP 
> > http://www.marketingimprovement.com
> >
> >
> >
> >
> > Important: This mail contains proprietary information some or all of 
> > which may be legally privileged. It is for the intended recipient 
> > only. If an addressing or transmission error has misdirected this 
> > email, please notify the author by replying to this email.
> if you are
> > not the intended recipient you must not use, disclose, distribute, 
> > copy, print or rely on this email. If you are not the named
> recipient
> > please notify us immediately.  This email and any attachment(s) are 
> > believed to be virus-free, but it is the responsibility of the 
> > recipient to make all the necessary virus checks. This
> email and any
> > attachments to it are copyright of Marketing Improvement Limited 
> > unless otherwise stated. Their copying, transmission,
> reproduction in
> > whole or in part may only be undertaken with the express
> permission,
> > in writing, of Marketing Improvement Limited.
> >
> >
> >
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues 
> > [mailto:[log in to unmask]] On Behalf Of Ian Welton
> > Sent: 18 May 2006 11:35
> > To: [log in to unmask]
> > Subject: Re: [data-protection] Status of volunteer staff
> >
> > Bear in mind that the regular policy deterrents alone are
> unlikely to
> > be as effective with volunteers as with staff who receive 
> > remuneration, as a consequence a need to consider if
> different actions
> > would be required in the case of any breach of
> confidentiality or DP
> > by volunteers exists.  e.g. serious breaches may lead to dismissal, 
> > but dismissal to a volunteer may not be viewed as a serious matter.
> >
> > Regular organisational policy deterrents alone may therefore seem 
> > unlikely to provide a level of data protection sufficient to meet 
> > principle 7 requirements.
> >
> > All the vetting in the world could not necessarily identify if a 
> > volunteer had volunteered with the specific objective of obtaining 
> > some information for other uses.
> >
> > Ian
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: This list is for those interested in Data Protection issues 
> > > [mailto:[log in to unmask]] On Behalf Of PETER SELENIC
> > > Sent: 17 May 2006 16:47
> > > To: [log in to unmask]
> > > Subject: Status of volunteer staff
> > >
> > >
> > > I am being asked increasingly to provide IT access to our
> volunteer
> > > staff, who maily operate from Student Support, and our
> > Governors (who
> > > also are "voluntary")
> > >
> > > If a volunteer where to pass on data or violate our AUP
> the college
> > > would place itself at risk and not be able to pursue this
> unless a
> > > clear commitment were to be obtained from the volunteer that they 
> > > agree to abide by all the college policies whilst engaged
> > in official
> > > college activity.
> > >
> > > I am sure these individuals are vetted and of
> > un-impeachable character
> > > but whilst a possibility exists for a loophole then I think
> > that it is
> > > in the best interests of these volunteers that no ambiguity is 
> > > present.
> > >
> > > There is a certain air of "regulation gone mad" on the part of my 
> > > colleagues but I wonder how other institutions cover their
> > voluntary
> > > staff.
> > >
> > >
> > > Regards
> > >
> > > Peter Selenic
> > > DP Officer
> > > Epping Forest College
> > > **********************EFC disclaimer *********************
> > >
> > > This message is sent in confidence for the addressee only. It may 
> > > contain confidential or sensitive information. The contents
> > are not to
> > > be disclosed to anyone other than the addressee. Unauthorised 
> > > recipients are requested to preserve this confidentiality and to 
> > > advise us of any errors in transmission. Thank you.
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.6.1/343 - Release Date: 5/18/06

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^