Two local authorities have been hit by financial penalties from the Information Commissioner's Office (ICO) after sending highly sensitive personal information to the wrong recipients. The penalties have been imposed on North Somerset council and Worcestershire county council as the ICO is pressing for stronger powers to audit …
"People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure."
So, instead of raising council taxes by fining the councils why not sack the employee guilty of mismanaging files? Or, you know, a public flogging... I'd pay to see that. Obviously mistakes happen, so probably have to be second or third time cock up - even better, first time mistake - stocks (rotten tomatoes etc), second time - a flogging, third disembowelment...
Entertainment for the masses and proves they value our personal data.
Something has to be done to ram home the message that just because the individual involved isn't sitting in front of you, peering at you through a perforated perspex window in some miserable council office - it doesn't mean that the raw data doesn't have the same value to that individual!
Without looking to excuse anybody, it's the separation from the human bean and their data that underpins the laxity I'm sure - but I'm not sure what the solution is.
"...Two local authorities have been hit by financial penalties from the Information Commissioner's Office..."
sounds a bit different when you read it as:
"....The taxpayers of two local authorities have been hit by financial penalties from the Information Commissioner's Office..."
That is all...
Got there before me - I'd just highlighted that sentence to make the same remark!
Fines are no good
for local authorities - they'll just close a library to pay for it ... there should be a specific criminal offence, with a possible jail sentence for extreme breaches.
Why not sack the persons whose responsibility it was
to ensure the confidential information was protected?
Anyone can make a mistake with email but why was it possible to make such a mistake?
I support the Public Sector strike because we need good people working in the Public Sector to try and prevent these things from happening. Would people rather have some donut working for minimum wage with the minimum pension with minimum qualifications?
.. sack the guilty employee ..
I have to agree.
I've been involved in something similar, explained to the employee what she was doing wrong and how to make sure she got the right address.
i) it wasn't her (showed her the email trail to show it was)
ii) I wasn't important enough to tell her how to do her job.
She carried on sending info to the wrong person. She has left us now (probably promoted).
One of the reasons why the Health & Safety at Work Act is deemed so successful (some would say 'too successful') is that it established the principle that failing to take reasonable precautions to ensure the safety of employees and others should be deemed a criminal offence and that managers/employers could be sent to prison rather than simply being fined.
If, where Data Privacy legislation were breached, the odd council leader were banged up once in a while, 'pour encourager les autres', I wonder if we might see more awareness of data privacy issues?
Who do we blame?
Whenever a data protection breach occurs, it is almost always blamed on a "junior" employee. But how many "junior" employees do we have to scapegoat before we look at the cause rather than the symptoms?
Junior employees are, by definition, at the bottom of the chain of command. They're told to do something and do it quickly because speed==efficiency in the eyes of politicians and if there's one thing the civil service is constantly told, it's that it needs to be more efficient. The junior employees may have concerns about the process but are they going to raise them and be labelled a troublemaker when the threat of redundancy looms? Are they going to be listened to when the solution is going to cost money when public expenditure is being squeezed?
So who do we blame? The junior employees who are powerless to effect change? The managers who are implementing the policies of their political masters? The politicians, who promise us a leaner, cheaper public service? Or ourselves, for demanding perfection without being willing to pay for it?
The ICO going for the easy win again
Yet again, we see further examples of how the ICO will take action against government agencies - because it's an easy win for them. However, ask them to take action against a company that has the resources to argue their case in court, and they don't want to know. The ICO operates a double standard.
Apples and oranges
I think it's a fair generalisation that while most private companies hold personal data (primarily financial) and that it is a serious breach if it gets out - the worst that can happen is some fraud and inconvenience. That's not to trivialise it, or excuse it, by the way.
However state bodies - local authorities, healthcare trusts, et al, hold much *more* data which has a much more serious potential for misuse. Also, in many cases this data is gathered under a statutory framework - i.e. jail time if you don't supply it, or supply it incorrectly.
So while I agree with your point, in a land of finite resources, it makes sense for the ICO to keep closer tabs on the state side of things than the private sector. It may not be right, but unless we want to increase the ICO budget, it's the way it is.
Sounds as though it was only an inter-departmental breach... not as serious as mailing to an external address list.
I think mistakes like these are not entirely preventable, especially if you have a hyperactive Exchange server, where hundreds of random distribution lists (which anyone's free to add to) and similar sounding group names are used.
I've seen this kind of thing happen in the private sector on occasion - there are procedures in place to deal with it and when the breach is inside the same company it tends to be handled fairly well without any public outcries or calls for sacking.