To a certain extent, I'm playing "devil's advocate" here. I agree that
advising rather than chastising is, generally speaking, the most
effective tactic in this situation. But... (you knew there would be a
but!)... it's not rocket science to realise that holding thousands of
society members' details on a laptop is an entirely avoidable security
risk. If a doctor kills someone due to medical negligence, they get
struck off. So I say, a Building Society manager not securing members'
information should be sacked. Admittedly it's not as bad as the guy from
the MOD who left his laptop full of the nation's security plans in the
back of a taxi after a night on the **** (I wonder whatever happened to
that guy...?)
-----Original Message-----
From: Ian Welton [mailto:[log in to unmask]]
Sent: 20 February 2007 11:16
To: [log in to unmask]
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds fine
I see all the points being made as valid, though a prime security policy
requirement, as per most security guidelines, is that where a security
weakness or breach exists any penalty should not deter an initial
report. A range of measures may therefore be required.
Where people noticing or considering reporting a security problem know
they are going to face disciplinary action, the organisational pressures
are set against any report being made in the first place, with the
organisation and its policies being weakened as a consequence. (Could
that be a factor in why the Nationwide problem initially does not
include details of any personal data loss?)
Perhaps advised rather than chastised is more suitable where
strengthening the organisation is one of the objectives, but that alone
would not always be sufficient.
The above does not say no to discipline, merely that any balance
necessarily has to initially promote swift and open reporting if
personal data security is to be enhanced rather than suppressed and a
learning environment encouraged.
Of course different organisations must apply their own methods to suit
their cultural requirements; where a control approach is adopted, more
controlling and oppressive methods may be evident.
Any organisation learning a hard lesson must surely recognise that those
most immediately involved are likely to become more valuable in the
future as a result of the experiences they directly learn from.
Unfortunately many may also suffer as those organisational lessons are
learned, and if those data subjects have no knowledge of a vulnerability
they will not know it may be necessary to take precautionary measures
themselves. As the complexity is increased by the sheer variety of
approaches, the issues then look as if any resolution becomes a senior
management problem to determine whether to openly address or avoid, as
their personal preference may allow.
Ian W
----- Original Message -----
From: "Carter, Antoinette (MCS)" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 19, 2007 5:49 PM
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds fine
I think that's a bit of a cop-out; I'm not interested in knowing who the
person was, only that they were suitably chastised!! (I can see visions
of Salome demanding the head of John the Laptop-User on a plate!)