It'll be sold as a brand and used in future years to flog products made by others. Wait? erm, I'll get back to you.
561 posts • joined 16 Jan 2013
As it's almost entirely dependent on self-reporting I'm willing to bet a lot of it is down to companies just not owning up. The UK public sector is particularly good at reporting itself to the ICO quickly, within hours usually, knowing that if it does so there's far less chance of a monetary penalty at the end of it.
As the guy who works in the public sector at the moment and who reports my organisation to the ICO when there's a breach, I'd love for staff to face disciplinary action when it happens. I rarely see that though.
Mistakes happen, genuine "shit I sent that to the wrong person" mistakes, should people lose their job over it? Well personally I think that should always be an option when they've caused actual harm by their actions. However I have yet to see it happen.
Staff names are typically removed from reports the ICO get; I'd love them to demand those and publish those involved. My name will be on the ICO multiple times - as the person reporting it and the contact for the organisation, but others should be up there for having been held responsible for the breach.
This shouldn't just be the chief execs though, it has to include those who have direct line management responsibility if training was permitted to slip, if policies were not up to date and staff not aware of them etc. Putting a single name up won't be enough, it has to be the "chain of command" from top to bottom that could have prevented it.
There are also typically prosecutions that could be brought but again never are. Section 55 of the DPA is one such area but there are many others - we simply don't hold people accountable, but then again we don't for virus infections either, even when it's personal USB sticks brought in from home - because the organisation should simply have tools to block those working, right?
But surely if that sort of thing isn't permitted by policy (rules of your employment essentially) then you should be sacked for doing it?
IT breaches in general are seen as trivial when it comes to disciplinary action; I've seen people hit far harder for mistakes on their time sheets or breaking a window by accident.
Your argument makes little sense; if you've ever been involved in a breach you'd know that it's typically down to one person's mistake initially, then a series of mistakes over the course of the next few days as people try to cover it up. The "best" breaches are those where staff put their hands up so you can try to contain and get control back over that information (usually not possible, but sometimes it is), you can then notify the ICO and you can talk to those involved, most importantly the data subjects whose information has been spewed.
In terms of "taxpayer coughing up", the monetary penalty goes from the council to central government; it doesn't go to the ICO, and then essentially through loans etc. to councils it will end up back there eventually.
The public need to start understanding that public sector organisations (especially the NHS - and I'm excluding GPs as those are PRIVATE contractors) are very good at self-reporting to the ICO. This is why the stats typically show that the public sector are AWFUL at handling information, but in reality they are generally better than private firms, just that they are far happier to notify the ICO when something happens.
Having worked in private and public sector over the past 25 years I can honestly say I've personally reported my organisations to the ICO half a dozen times, yet never had approval from private companies to do so - even when the incident was arguably far, far worse. It comes down to money and lack of "give a toss" about data subjects.
Yet I've been paying in at a higher rate than any of those currently retired, the pension age will keep increasing and I'll probably die before it.
The country as a whole needs to take pension funding more seriously, for starters they should NEVER be allowed to run in deficit.
Thing is with these companies that although they may include agreeing to have failover sites etc., when sh!t happens and those don't work they just say "hey sorry, won't happen until the next time it happens", and as the NHS is f*cking awful at contract law they have no monetary clause to hammer them with.
Seen this so often in the past 10 years.
I've been saying this for years but it also has to apply to public sector organisations, as right now they get fined - they go to government, ask for a loan for that amount (since it's the government who essentially fined them anyway) and they are back to square one.
Public sector are great at reporting themselves compared to private companies but they also have nothing personally to lose, we need to change that for directors and chief execs.
Just don't keep me hanging on for 30 minutes telling me every 30 seconds how ******** important my call is whilst I'm 305th in the queue; also sort out the damn volume level between that message and the music so I'm not deafened by one or the other, then unable to immediately hear the call handler who's whispering in afterwards.
You could say the same for any department which is generally not "front of house" such as information security, information governance, cleaning, estates/facilities management, HR, occupational health etc.
They are all being outsourced where possible to "save money" but in reality I doubt any money at all is saved and the service is usually poorer and less flexible as a result.
It's not cretinous to not know about computers, especially since many of those buying them for grandchildren didn't have access to them until they were well into adulthood. I'm sure a few of them could teach our millennials a few things about how even modern car engines work, as they are far more likely to have had to get their hands dirty maintaining their own car.
Using the wrong terminology is one thing; fact is they knew what they meant - storage space, as that's typically what's marketed as good as it holds all the kids' "college work". It's not as if other goods aren't marketed as equally daft at times; cars for example are typically done on fuel efficiency none of us ever see and on glamour, when it's a tool most of us don't think twice about until it breaks.
There are ideas being mooted of merging some of the remaining health boards and/or potentially parts of councils too. I can see the merit in some of it, but as always with IT there are a lot of contracts which need to expire etc. for it to start happening without a huge amount set aside for buying out/penalty clauses.
What I don't get is why England can't do something similar, if anything everything there is becoming more fragmented year on year.
Personally I have nothing against cyclists; I do however hate this them v us attitude from both sides. I live in a fairly rural community and what really grinds my gears (insert Peter Griffin here) is that planning is done almost entirely focused on cities, when cycling clubs won't go out in the city for fun, they'll head to rural roads, as will family groups. Those are generally very poorly catered for; yeah, you can get to cycling routes, if you shove your bikes on a car first.
There's shit cyclists, there's shit drivers and there's shit pedestrians. The sooner we tackle the main problem - namely many of us having to commute for a job we could likely do at home - the sooner we'd all be a little happier, productive and fatter... I mean less stressed.
I also find I'm increasingly being asked to build PCs for people, they may not have the confidence to do it themselves so just want me to hang out and double check things for them. I've no problem doing this as I'm the sort these days who says "I'm not private IT support" and I stick to that. But I'm happy to help give them confidence to tackle their build.
I've recently helped my 71 year old dad build his first gaming PC; he was bored after my mother died last year and he's gotten right into Skyrim and the Total War series since (with a bit of Rocket League thrown in).
He was able to build the PC he wanted, with the monitor he wanted etc and without software he didn't want or pressure to buy "tech support" etc during the after sales pitch.
Company wise we still replace PCs in a cycle, which I think is increasingly mad and even our directors are starting to see it that way. PC slow? Shove in another gig of RAM if it's a 64-bit OS and an SSD, job done 99% of the time.
That this news comes out shortly AFTER a decision is made not to completely split BT from Openreach, one may ponder why it wasn't announced just a few weeks ago where it would have been seen as a fairly damning indictment of the way the two work together (but totally don't, no way, not at all.)
Hospitals are only the "losers" if local IT don't have appropriate backups running and local/network permissions set properly. At worst ransomware should encrypt local docs and shares the user has access to - that's assuming it gets past firewalls/sandboxing/AV and malware protection and application whitelisting etc.
Restoring a few folders is the bread and butter of most sysadmin roles, hardly a big deal, and that's the WORST case scenario in a well run IT department.
Proper application whitelisting alone massively reduces ransomware infections on its own.
The government (and people usually throw the NHS into that) self report to the ICO far, far more than any private companies do. That's a fact.
Just because they aren't reporting themselves doesn't mean breaches don't happen, they are merely more worried about bad PR than public employees, many of whom would report to the ICO even if their bosses told them not to (sorry MPs!).
Paper is exceptionally easy to sneak out of buildings especially if done over the course of several years. They only found 500-600 pages by the sounds of it, doesn't mean that's all of it.
As for them "missing" the 500 page set the first time around, there's nothing to say it was in the house at the time or if after the first search he thought "well that's that - let's get my own back".
Bottom line is we don't know enough about the discrimination case or investigation to draw any real conclusion.
There's a balance to be had with IT; I'm sure those who have worked in IT departments know this. There are always bad eggs (like every department).
If the organisation hero-worships IT then it'll never work properly; the bad eggs will do next to nothing and consider themselves above the rules that apply to other stuff. If the organisation treats IT like sh!t, they'll only have poor staff and a high turnover of decent workers.
Personally I think IT should always be treated like any core service department: it's given the funds it needs but oversight is fairly strict, and importantly that oversight should be by someone who understands how IT functions, e.g. a Director who has worked in IT hands on. You'd never have a finance director who'd never worked in payroll or accounting, after all.