Our DP Code of Practice/Procedures state that sensitive personal data must be sent securely, i.e. by secure e-mail address (GSI/GSX) or password protected, and the respondent to the e-mail phones the sender for the password.

I am very surprised that anyone would send by fax these days - it could lie around for days and anyone passing could read the information.

I am sure as a result of the fine that DP will be taken more seriously.

Doreen

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 25 November 2010 11:00
To: [log in to unmask]
Subject: Re: First DP Fines for breaches announced

I was not concerned to dissect this in any detail. None of us has anything except published facts.

What did concern me is that we had not discussed positive ways of getting the Data Protection Officer involved as very much central to any processes where external data touches the outside world.

At the very least a Touch Point Analysis should be undertaken to identify the touch, and thus risk, points. This most unfortunate pair of accidents in the council concerned was very difficult to guard against, for example. How does one put a positive process in place that is easy to follow at all times to militate against a future accident?

Those are the things we should be bringing our mass professional mind to bear on.

So, to start this positive set of thoughts off, how DO you prevent someone dialling the wrong number?

And how can the incident(s) be used to make the DPO central rather than peripheral? The role is intended to be proactive, not reactive. This is a great chance, especially for those in public bodies, to raise their professional profiles. The other edge to that sword is, of course, that you have to get it right! But that is what we all strive to do.

On 25 Nov 2010, at 09:23, Lawrence Serewicz wrote:


Tim
Council tax payers need to be aware of this situation to put pressure on their councils. This is the transparency agenda in another form leading to accountability. The fines show that the council has to be accountable to the regulators and indirectly the council tax payer.

The reason why an appeal is the fact that the same breach occurred in 2 weeks with equally sensitive material. Do you really want to have a public appeal to keep revisiting these arguments? (Haringey shows that the best defence is not a good offence if you are in the wrong; if you heard the interview on BBC Radio 4 PM you will know what I mean.) It is like blaming the referee. They did not score the goal or create the penalty and they certainly were not playing the 90 minutes against you.

I would advise accepting the fine as graciously as possible and quietly go about fixing the issue. The only time to appeal is if there is something manifestly and demonstrably wrong enough for you to endure 2 - 3 news cycles fighting it. Even then it may be better to take the hit and be ready for next time by showing the regulator that you can grin and bear it.

The regulator will not go into this lightly and an appeal simply ratchets up the pressure on them to defend and prosecute their case.

As to why there is no discussion, a number of factors are in play. One is, as Jonathan says, "there but for the grace of God". Human nature being what it is, errors are made, which means we all have our own burdens that may be heavier rather than lighter.

Second, professional courtesy. These are our colleagues and dissecting them in public is tough on them and ourselves. I certainly do not want to revisit their errors. I want to learn from it and help my council. Any investigation by other list members may be better in private rather than public.

Third, no one should underestimate the power of this negative publicity. I met a corporate officer from Haringey 9 months after the event.  The officer was not in that service but they were visibly shaken by the mere mention of it and the fact that they had to say their council's name. To be sure the cases are different in degree, but the negative publicity is powerful.

What will be of interest will be the 2nd and 3rd cases as those councils and organisations will have had the opportunity to learn from this. In a sense this is the chicken and monkey situation. It is best to learn what not to do and take this as a golden opportunity to drive the message home.

How many corporate directors or heads of service are going to suggest that they can avoid data protection issues and run the risk of a breach? This is real and the stakes are high in that 100k is 2-3 jobs. Who really wants to be responsible for that in their council?

I think that at the next dp training and awareness session people will be paying attention and thinking this through.

Best

Lawrence



------Original Message------
From: Tim Trent
To: Data Protection list
ReplyTo: Tim Trent
Subject: Re: [data-protection] First DP Fines for breaches announced
Sent: 24 Nov 2010 17:37

Am I strange in wondering why this gets so little comment from us? The day truly is a milestone. Our dear old Chihuahua has suddenly shown us that it has a bite that can hurt. There could be huge ramifications from this. He could generate sufficient monetary penalty revenue to subsidise Iceland as well as Ireland! How "fair" is it that Council Tax payers have to meet a fine? Is it fair to fine governmental organisations like this? Is it just moving money around for no real purpose? Who gets the money?

On 24 Nov 2010, at 07:08, Clare Watts wrote:

http://www.bbc.co.uk/go/rss/int/news/-/news/uk-11821203

Just in case you haven't heard, the first fines have been announced. £100,000 for a council faxing incident and £60,000 for a lost unencrypted laptop by a private firm.

Regards,
Clare Watts
FCE Bank plc

Tim Trent - Consultant
Tel: +44 (0)7710 126618
web: ComplianceAndPrivacy.com<http://ComplianceAndPrivacy.com> - where busy executives go to find the news first
personal blog: timtrent.blogspot.com/<http://timtrent.blogspot.com/> - news, views, and opinions
personal website: Tim's Personal Website - more than anyone needs to know

Important: This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. This email and any attachment(s) are believed to be virus-free, but it is the responsibility of the recipient to make all the necessary virus checks. This email and any attachments to it are copyright of Meadowood Associates, owners of Compliance And Privacy, unless otherwise stated.
Lawrence W. Serewicz
Principal Information Management Officer
Room 4/140
Durham County Council
DH1 5UF
0191-372-8371


Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

________________________________

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

 *   Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
 *   Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
 *   To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
 *   To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>

Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>

(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)

________________________________

**********************************************************************
This email and any files transmitted with it are privileged, confidential and subject to copyright. Any unauthorised use or disclosure of any part of this email is prohibited. If you are not the intended recipient please inform the sender immediately; you should then delete the email and remove any copies from your system.
The views or opinions expressed in this communication may not necessarily be those of Scottish Borders Council.
Please be advised that Scottish Borders Council's incoming and outgoing GSX email is subject to regular monitoring and any email may require to be disclosed by the Council under the provisions of the Freedom of Information (Scotland) Act 2002.

**********************************************************************

