It's also very important to ensure that people feel (and with good reason) that they will be treated fairly if they are the cause of a breach. In many cases the priority in the case of a breach is for the organisation to know about it as soon as possible, so that it can take steps to limit any damage and, if relevant, inform any affected Data Subjects. If staff feel that they may be treated harshly, they are more likely to try to hide the breach.

I'm not arguing that there should be no disciplinary sanctions; people should have to take responsibility for their mistakes. I think it would be better, though, if it was made clear that people will be given credit for owning up straight away, and that disciplinary action will be appropriately graded.

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB

----- Original Message -----
From: "Tim Turner" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, September 23, 2010 3:04 PM
Subject: Re: Disciplinary Sanctions

Everywhere I have worked recently has gone along the lines of "may result in disciplinary action". The reason for this is largely to avoid fettering the discretion of the disciplinary process - it's difficult to operate a fair system if an outcome automatically results from an incident because every incident has different circumstances.

I think the failure comes in not taking appropriate disciplinary action when appropriate - in many circumstances, it's obvious that by not considering disciplinary action, a data controller cannot argue that it is taking the appropriate steps. However, blithely sacking someone to stave off a monetary penalty without following a fair and balanced disciplinary process is likely to create another set of difficulties (e.g. unfair dismissal).
Tim Turner
NHS Manchester

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 23 September 2010 14:15
To: [log in to unmask]
Subject: [data-protection] Disciplinary Sanctions

The ICO has clear guidance with examples of what he considers to be serious enough to merit monetary penalty:

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf

Does anyone do something similar internally? e.g. clear guidance on what you would consider would merit:

* a quiet word
* an informal warning
* a disciplinary hearing alleging misconduct
* a disciplinary hearing alleging gross misconduct
* instant dismissal

or does your policy just say "breach may result in disciplinary sanction" - a very broad 'may'?

If not, how do you ensure consistency over time or between sections if your organisation is large?

Would failure to have something in place be a breach of principle 7 - is it an appropriate organisational measure?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Any requests under the Freedom of Information Act should be directed to [log in to unmask]

Please notify the sender immediately if this email appears to have been sent to you by mistake;
Respect the confidentiality of any information you receive from us;
Remember that emails sent or received by our staff may be disclosed under the Freedom of Information Act;
Let us know straight away if you suspect this email is infected with a virus by ringing 0161 7654700 [if outside the UK +44 161 7654700]. (We take all possible steps to ensure that our systems are virus-free but no system is completely secure.)

Please note that the contents of incoming and outgoing emails are automatically scanned for inappropriate content.