Re: Named council employees?
As the guy who works in public sector at the moment and who reports my organisation to the ICO when there's a breach I'd love for staff to face disciplinary when it happens. I rarely see that though.
Mistakes happen, genuine "shit I sent that to the wrong person" mistakes, should people lose their job over it? Well personally I think that should always be an option when they've caused actual harm by their actions. However I have yet to see it happen.
Staff names are typically removed from reports the ICO get, I'd love them to demand those and public those involved. My name will be on the ICO multiple times - as the person reporting it and the contact for the organisation, but others should be up there for having been held responsible for the breach.
This shouldn't just be the chief execs though, it has to include those who have direct line management responsibility if training was permitted to slip, if policies were not up to date and staff not aware of them etc. Putting a single name up won't be enough, it has to be the "chain of command" from top to bottom that could have prevented it.
There are also typically prosecutions that could be brought but again never are. Section 55 of the DPA is one such area but there are many others - we simply done' hold people accountable, but then again we don't for virus infections either even when it's personal USB sticks brought in from home - because the organisation should simply have tools to block those working right?
But surely if that sort of thing isn't permitted by policy (rules of your employment essentially) then you should be sacked for doing it?
IT breaches in general are seen as trivial when it comes to disciplinary action, I've seen people hit far harder for mistakes on their time sheets or breaking a window by accident..