On the PSNI data breach, it’s important to remember there’s an individual somewhere who right now just wants to find the Marianas Trench and dive into it. Their management chain, mindful of their own legal and financial liability for the breach, will be looking to shift as much blame as possible down the tree to the individual.
They’ll point to the annual mandatory training all employees have in information governance, and say it’s therefore entirely the individual employee’s fault that this monumental stuff-up took place.
No.
Mandatory annual information governance training does little to actually prevent accidental data breaches from occurring; the purpose of mandatory information governance training isn’t to prevent breaches, it’s so that when a breach happens the organisation can throw their employee to the wolves and say ‘well the employee had their training so it’s not the organisation’s fault the breach happened, it’s the individual’s fault’.
In the ærospace industry, a staff member screws in a bolt, a supervisor watches the bolt being screwed in, and an inspector agrees with the supervisor’s assessment that the bolt was indeed screwed in properly. And every week, there’s a big meeting where everybody shares when in the last week they realised they didn’t screw a bolt in completely. And if anybody seems to be not admitting to very many bolt-screwing deficiencies over a few weeks, the MI people go ‘hang on, this seems ssusssss, nobody is really this good at screwing in bolts — what’s this person hiding’. Humans are fallible, and [...]
Read the rest of Information Governance and the PSNI data breach.