Changes to disciplinary policy and standards of behaviour for information security

DWP/BB/015/09

Supporting information security

The DWP raised awareness that "the department has made key human resources (HR) policies even clearer in relation to information security" on its intranet "headlines news" on 20 January 2009. The key policies this applies to include the disciplinary policy and procedures and the standards of behaviour.

Disciplinary policy, procedures and standards of behaviour have been revised following detailed consultation with the departmental trade union side.

The key message to staff is that breaches of DWP information security and associated HR policies or procedures, such as the standards of behaviour, “will be treated extremely seriously as serious or gross misconduct”.

Disciplinary policy changes

Changes to the disciplinary policy, from 19 January 2009, include additional examples of serious and gross misconduct under policy paragraphs 13.2 and 13.3.

The additional examples of serious misconduct under policy paragraph 13.2 are:

  • Failure to lock customer, employee or other sensitive information or data away securely after use in line with local business guidelines.
  • Putting customer, employee or other sensitive official information or data at risk by failing on more than one occasion to protect passwords and/or smartcards.
  • Reckless disregard for the handling, use or disclosure of information.
  • Failure to notify the loss of equipment, documents or information/data as a matter of urgency to the line manager or failure to immediately notify the police - where the loss may have been in public or external to DWP.

The additional examples of gross misconduct under policy paragraph 13.3 are:

  • Failure to use encrypted laptops, memory sticks or other forms of removable media for storing any official data, electronic versions of documents or information relating to the department.
  • Deliberate sharing of smartcards, passwords or other access control devices that provide access to customer, employee or other sensitive information.
  • Unauthorised disclosure of departmental information or data or unauthorised representation of the department on non-DWP on-line communities or social networking sites, e.g. blogs or chat rooms.

A “policy scenario matrix” has also been included under discipline tools. These examples do not replace DWP policy and procedures which must be followed in all cases.

Standards of behaviour changes

Changes to the standards of behaviour from 19 January 2009 expand standards on:

  • Official information and access to data (policy paras 9 – 12)
  • Disclosure of official information (policy paras 13 – 18)
  • Participating on-line on the internet – social networking – blogging (policy paras 19 – 22)
  • Data provided to the DWP (policy paras 23 – 24)
  • Computer systems (policy para 25)

There are hypertext links to other associated policies and procedures under standards of behaviour policy 14, including:

  • Confidentiality
  • Protective markings
  • Handling official information, and
  • Disclosure of information

The link to the electronic media policy is provided under policy para 25.

Safeguards for members

PCS was particularly concerned that the issue of proportionality was properly addressed. A key safeguard for members is introduced, when considering breaches of information security, under disciplinary procedures paragraph 16.1. Managers are told they must:

Make a decision on whether there is a ‘case’ to answer e.g. whether disciplinary action would be a proportionate response to the incident. Managers must contact their HRBP team in all cases for advice and support on this issue.

This is introduced to help safeguard against petty offences being unreasonably pursued. Disciplinary policy para. 16.2 also helps to support a reasonable application of the disciplinary procedures. Whilst all breaches of information security fall under serious, or gross, misconduct this paragraph confirms:

The level of misconduct depends on the nature of the offence and the potential harm from disclosure. The intent, mitigation and actual harm is relevant in terms of deciding the penalty. Managers should seek advice from their HRBP team to ensure the penalty is proportionate.

PCS advice for branches and members

Circular DWP/MB/027/08 provides guidance for members on their individual rights and procedural fairness when formal disciplinary action is initiated.

Circular DWP/BB/118/08 provides guidance on changes to disciplinary policy and the decision makers guide from September 2008 including:

  • Informal disciplinary action
  • Penalties for misconduct
  • Repeated offences, and
  • Proportionality and justification

Evidence of problems with the application of HR policies should be sent by branches to PCS DWP group office. Such evidence will support our case for further improvements.