I see all the points being made as valid, though a prime security policy
requirement, as per most security guidelines, is that where a security
weakness or breach exists any penalty should not deter an initial report. A
range of measures may therefore be required.

Where people noticing or considering reporting a security problem know they
are going to face disciplinary action, the organisational pressures are set
against any report being made in the first place, with the organisation and
its policies being weakened as a consequence. (Could that be a factor in why
the Nationwide problem initially does not include details of any personal
data loss?)

Perhaps advised rather than chastised is more suitable where strengthening
the organisation is one of the objectives, but that alone would not always
be sufficient.

The above does not say no to discipline, merely that any balance necessarily
has to initially promote swift and open reporting if personal data security
is to be enhanced rather than suppressed and a learning environment
encouraged.

Of course, different organisations must apply their own methods to suit their
cultural requirements; where a control approach is adopted, more controlling
and oppressive methods may be evident.

Any organisation learning a hard lesson must surely recognise that those
most immediately involved are likely to become more valuable in the future
as a result of the experiences they directly learn from.

Unfortunately many may also suffer as those organisational lessons are
learned, and if those data subjects have no knowledge of a vulnerability
they will not know it may be necessary to take precautionary measures
themselves. As the complexity is increased by the sheer variety of
approaches, the issues then look as if any resolution becomes a senior
management problem to determine whether to openly address or avoid, as their
personal preference may allow.

Ian W

----- Original Message -----
From: "Carter, Antoinette (MCS)" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 19, 2007 5:49 PM
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds
fine


I think that's a bit of a cop-out; I'm not interested in knowing who the
person was, only that they were suitably chastised!!  (I can see visions of
Salome demanding the head of John the Laptop-User on a plate!)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^