Monday, September 08, 2008

Whistleblower suspended over data security email?

Back in May I posted about an email that was circulated at the Department of Work and Pensions. The email revealed that employees were still routinely forwarding secure data together with the related password to access that data in breach of new security guidelines. Specifically it said,
"I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together, this defeats the purpose of the security measure entirely."
At the time the story was followed up by The Register and Sky News, and I've just learned this afternoon that apparently, the person responsible for leaking the email has been suspended on full pay whilst the department presumably trawls through their activities and looks for a justification for dismissal.

I guess the whistleblower protections under the Public Interest Disclosure Act 1998 are not quite as strong as they might appear?

1 comment:

Surreptitious Evil said...

The protections are nowhere near as strong as you might think. The class of people to whom you may make a disclosure are strongly limited ...

You can make your disclosure to your employer (s43.C.1.a) or somebody appointed by them (s43.C.2), to the person whose responsibility it is if not your employer (s43.C.1.b), to one of Gordon's lapdogs (s43.E), or to somebody appointed by the Government to cover things up (s43.G) iff you have reported it before or you know you will be victimised. You are also allowed to ask a lawyer for advice (s43.D).

Nowhere in there is there provision for protecting people who disclose to bloggers, the public or the press. Remember who wrote this law - it wasn't designed for the protection of whistleblowers or to encourage disclosure of material of important or urgent public interest - cf. the Freedom of Information Act.

Large employers and government departments will have a PID scheme with "Manager, first" and "Then an internal scheme" then "Prescribed Person" - all with the aim of bogging any disclosure down in red tape and victimisation (sorry, careful analysis of your loyalty to the organisation at an executive and disciplinary level) before it gets anywhere outside of their control. And the law was written to let them do that.