Hi Andrew
Following Lawrence's points, I think a separate panel would also be a recipe for delaying a breach investigation and report. You'd be at risk if a further breach occurred where you knew what was wrong, your specialist (you) knew how to fix it, but you hadn't told anyone or taken action due to delayed panel sign-off.
Victoria Blyth
Information Manager
Information Management Team
London Borough of Barnet, North London Business Park, Oakleigh Road South, London N11 1NP
Tel: 020 8359 2015
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
Sent: 28 July 2014 13:20
To: [log in to unmask]
Subject: Re: [data-protection] [MASSMAIL]Re: Data Breach Handling - Who and How?
Andrew,
I appreciate the situation you describe. The question you might ask is whether this is designed to help the individual who suffered the data breach or to protect the organisation.
If the organisation is not taking these steps to find the best advice and solution to resolve the data breach and to prevent them in the future, it raises the question "What is the purpose of the panel?"
If this is to meet the DPA requirements, then it would appear that you need DPA experienced officers. If it is to protect the organisation, then you have to consider what role your advice is serving within the organisation.
As others have mentioned, much will depend on your corporate culture. If the data breach is synonymous with a disciplinary offence and the investigations are treated interchangeably, then you can see the organisational issues you face.
Do you want to find out why the barn door was left open, so it can be closed, or do you want to find who left the barn door open so they can be disciplined? The two do not lead to the same result.
I will be interested in what you find as the agreed approach.
Best,
Lawrence
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Andrew Goodfellow-Swaap
Sent: 28 July 2014 13:12
To: [log in to unmask]
Subject: [MASSMAIL]Re: Data Breach Handling - Who and How?
Hi Simon,
Many thanks for the info. I'll check out the guidance you've mentioned.
Regarding the level, formally I'm a Senior Information Officer which, in our structure, is one below the Information Co-ordinator (manager by another name). I've been handling all breaches for some time with no issues or problems and have given advice to all levels of the organisation in a multitude of circumstances and am in the position that, as you put it, what I say goes.
What is being suggested now is that the advice I give is approved by a panel of the Info Coordinator, our Head of Service and an Information Specialist (who sits alongside our team structure and has similar experience and expertise to my own) before being put to the relevant area. Neither the IC nor HoS have any DPA qualification or experience although they of course have experience of the organisation generally.
Perhaps unsurprisingly, I have a number of concerns with this proposal but I'm more than willing to look at how other organisations work to see whether any of these concerns are reflected in actual practice in the real world of breach handling.
Thanks,
Andrew
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^