Should staff – rather than the taxpayer – be held liable for data breach penalties from the Information Commissioner’s Office? The move, whilst superficially attractive, could have negative results in the medium-to-longer term.
If the suggestion were applied to the staff of all government agencies, then – aside from a change in contracts being required – we could end up reducing employees to being ‘scared rabbits in the headlights’ as far as IT security is concerned, seeking 110 per cent levels of data security at the expense of operating efficiency.
And if the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time.
The irony here is that, as well as simply moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill – operational efficiencies are likely to suffer as well.
Despite this, there are some aspects of the public sector editorial that are potentially positive – since the mere discussion of this employee liability issue will make at least some of the staff more security conscious and responsible.
With the real possibility of disciplinary action being taken against employees who do not follow security policies and procedure, there is a strong likelihood that staff understanding – and therefore operational remediation – of security issues will be enhanced.
There is nothing like a faint whiff of disciplinary-related fear – regardless of its rationale – for making the less diligent members of the workforce smarten up their act.
Irrational fear, however, should never be part of employee relations, as the carrot-and-stick mentality should have disappeared at least half a century ago. Fair and consistent communications, which inform and help people to understand and accept the corporate IT security posture, are what bring about behavioural change.
The reality in 2012 is that teamwork and working towards a common good – especially in the public sector – should be the order of the day. This is why I welcome the prospect of open discussion along the lines of a better understanding of responsibilities vis-à-vis IT security matters. There needs to be a full and frank debate on both sides of the management/employee divide on this subject.
But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented members of staff – who will be siphoned off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion.