Suella Braverman paid the ultimate price for an information security breach. She stepped down/was pushed from her role as Home Secretary. Six days later she was back. Everything was ok again.
As the facts stood when she resigned on 19 October, it would appear that Ms Braverman wrongly emailed a document containing confidential information from a private email address to another MP who was not entitled to see it and also, unintentionally, to a staffer in Parliament.
Both misdemeanours were clearly in breach of the Ministerial Code, and more than a minor breach. However, other Ministers in recent times have committed similar offences and not paid the same price. The new Prime Minister’s view was that “[Ms Braverman] made an error of judgment, but she recognised that, she raised the matter and she accepted her mistake.”
So how bad was it? Was it right for her to go? Was it ok to bring her back so quickly?
Assessing the damage
Discovering that an employee has sent an email to the wrong recipient is not an uncommon occurrence for most employers and one should not rush to judgment. Mistakes happen. It is a draconian employer that reacts to this sort of situation without first investigating the circumstances. It would be useful to first know the answers to the following key questions:
- why were they using a private email address for business matters, and is this prohibited?
- was sending the email urgent and, if so, did that urgency outweigh the importance of the confidentiality/the policies in place preventing use of private email?
- did they send the email knowing that the intended recipient was not entitled to receive the information?
- was damage caused to the employer, whether financial, reputational, regulatory or security-related?
- was the employee instructed by their manager or anyone else in authority to send it?
- was the employee aware of the sensitivity of the content and should they have been?
- were they trained in the requirements around sending such information?
- has the employee done this before?
- how did the error come to light, was it self-escalated in a timely fashion?
- has the employee cooperated with the investigation and provided a full and honest account of the sequence of events?
The list of potential questions to consider before reaching a conclusion is substantial. Once they have been addressed, the decision maker is in a position to make an assessment.
Determining the outcome
The first question should be:
- was this a performance issue or a conduct issue? For example, if the error was due to a lack of awareness of the policy or due to human error, then it would probably be best dealt with as a performance matter. If what happened was due to a behavioural issue such as a knowing disregard for policy or gross negligence, then it should be treated as a disciplinary matter.
The second question should be:
- irrespective of whether it is performance or conduct related, how serious was the breach? Whilst the importance of information security cannot be overstated, as a matter of fairness, and to facilitate an environment that promotes psychological safety, any response must be proportionate to the circumstances.
Whilst the impact of the error will be a reasonable factor to take into account, if the breach was an unintentional mistake and the individual is appropriately contrite, then a compassionate employer may wish to take action short of the most extreme option.
In the case of our Home Secretary, there may of course have been other factors in play that influenced decisions…