On the PSNI data breach, it’s important to remember there’s an individual somewhere who right now just wants to find the Marianas Trench and dive into it. Their management chain, mindful of their own legal and financial liability for the breach, will be looking to shift as much blame as possible down the tree to the individual.
They’ll point to the annual mandatory training all employees have in information governance, and say it’s therefore entirely the individual employee’s fault that this monumental stuff up took place.
Mandatory annual information governance training does little to actually prevent accidental data breaches from occurring; the purpose of mandatory information governance training isn’t to prevent breaches, it’s so that when a breach happens the organisation can throw their employee to the wolves and say ‘well the employee had their training so it’s not the organisation’s fault the breach happened, it’s the individual’s fault’.
In the ærospace industry, a staff member screws in a bolt, a supervisor watches the bolt being screwed in, and an inspector agrees with the supervisor’s assessment that the bolt was indeed screwed in properly. And every week, there’s a big meeting where everybody shares when in the last week they realised they didn’t screw a bolt in completely. And if anybody seems to be not admitting to very many bolt-screwing deficiencies over a few weeks, the MI people go ‘hang on, this seems ssusssss, nobody is really this good at screwing in bolts — what’s this person hiding’. Humans are fallible, and because they’re fallible they’re expected to be honest about their fallibilities when lives are at stake.
These kinds of data breaches are happening too often — not because people are incompetent, but because people are fallible. The ærospace industry has people checking the work, and people checking the checking of the work, so that if a plane falls out of the sky it’s not the fault of one person who stuffed up and can be blamed, it’s the result of a systemic failure. It’s about time organisations with responsibility for personal data accepted the same fact — that humans are fallible, and that no amount of training will stop a highly competent individual accidentally making a stupid, catastrophic mistake. This breach didn’t happen because one individual was incompetent and therefore needs punishing; it happened because of a systemic failing in how data is managed and publicised in the organisation — one person shouldn’t have been able to attach the wrong file to the web page and click Publish in order to fulfil the FOI request. The publication of that data should by default have involved a check, and a check of the check.