A senior lawyer has been found in breach of the Data Protection Act for failing to encrypt a laptop containing sensitive client information which was stolen from her home.
Ruth Crawford QC, a Scottish advocate, was working on eight court cases when her home was burgled in 2009 while she was away on holiday.
Crawford was not fined for the breach as the event took place before the Information Commissioner was given the powers to impose financial penalties.
However, the data protection watchdog said the decision should “act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too”.
The decision also makes it unambiguous that a lawyer holding personal client information is to be regarded as a ‘data controller’ under the Act, who has a duty to comply with the data protection principles in relation to all personal data.
The burglars stole Crawford’s laptop, which contained information about the cases, including details relating to the physical and mental health of individuals involved in two of these cases.
The event was only reported to the Information Commissioner on 30 August 2011 when the last case relating to information held on the laptop – which has not been recovered – was concluded.
Most of the information compromised, regarded as “sensitive information” under the Act, would have been released as court evidence.
The ICO accepted that Crawford had some physical security measures in place at the time of the theft but said that she “failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted”.
The QC has signed undertakings that include encrypting all portable and mobile devices containing client data by the end of the year and locking away personal information stored at her home.
Ken Macdonald, assistant commissioner for Scotland, sought to reassure the profession, saying any information reported to the ICO would not be disclosed unless there was specific legal authority for the commissioner to do so.
But he said it was “vital that adequate security measures are in place to keep information secure” and that “all breaches should be reported to our office as soon as practically possible”.