I see all the points being made as valid, though a prime security policy requirement, as per most security guidelines, is that where a security weakness or breach exists any penalty should not deter an initial report. A range of measures may therefore be required. Where people noticing or considering reporting a security problem know they are going to face disciplinary action, the organisational pressures are set against any report being made in the first place, with the organisation and its policies being weakened as a consequence. (Could that be a factor in why the Nationwide problem initially does not include details of any personal data loss?)

Perhaps "advised" rather than "chastised" is more suitable where strengthening the organisation is one of the objectives, but that alone would not always be sufficient. The above does not say no to discipline, merely that any balance necessarily has to initially promote swift and open reporting if personal data security is to be enhanced rather than suppressed and a learning environment encouraged. Of course, different organisations must apply their own methods to suit their cultural requirements; where a control approach is adopted, more controlling and oppressive methods may be evident.

Any organisation learning a hard lesson must surely recognise that those most immediately involved are likely to become more valuable in the future as a result of the experiences they directly learn from. Unfortunately, many may also suffer as those organisational lessons are learned, and if those data subjects have no knowledge of a vulnerability they will not know it may be necessary to take precautionary measures themselves. As the complexity is increased by the sheer variety of approaches, the issues then look as if any resolution becomes a senior management problem to determine whether to openly address or avoid, as their personal preference may allow.
Ian W

----- Original Message -----
From: "Carter, Antoinette (MCS)" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 19, 2007 5:49 PM
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds fine

I think that's a bit of a cop-out; I'm not interested in knowing who the person was, only that they were suitably chastised!! (I can see visions of Salome demanding the head of John the Laptop-User on a plate!)

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html