Legal aid contractor fined £60,000
An employment services company working with the Legal Services Commission has been one of the first two organisations fined by the Information Commissioner under new powers to punish breaches of data protection law.
An employment services company working with the Legal Services Commission has been one of the first two organisations fined by the Information Commissioner under new powers to punish breaches of data protection law.
A4e, which employs around 3,250 staff, has contracts with two major legal aid providers in the East Midlands, the community legal advice centres in Leicester and Hull, as well as with a number of other public sector organisations.
In June, one of the company's 1,000 home workers was burgled and a work laptop computer stolen, which contained personal details of 24,000 clients.
Earlier this week the Information Commissioner used powers granted in a 2008 amendment to the Data Protection Act 2000 for the first time to issue a £60,000 fine on A4e. The IC also fined Hertfordshire County Council £100,000 for sending to the wrong client faxes containing details about a child sex abuse case.
The data protection watchdog found that failure to ensure data was properly encrypted was 'a serious contravention' of the Act and was 'likely to cause substantial damage or substantial distress' to the individuals whose details were held on the laptop.
The commissioner said A4e had 'failed to take appropriate technical and organisational measures against the accidental loss of personal data held on the latop computer, such as encrypting the laptop computer and providing the employee with security devices for the laptop computer; for example, a Kensington lock or a cable'.
The data concerned included the nature of the case, such as debt, welfare or employment, the name, postcode, date of birth and gender of the individuals, and whether they were a line parent, care leaver, carer, victim of violence, ex-offender, young offender or gypsy traveller.
Information relating to individuals' ethnicity, disability status, employment status, income level and housing tenure was coded but the codes were available in a separate, unencrypted document on the laptop.
Particularly significant was the fact that 'data subjects have suffered from substantial distress knowing their personal data and sensitive personal data may be disclosed to third parties'¦ exposing them to identity fraud and causing damage to their personal reputations'.
A4e was contacted by about 3,200 individuals in the wake of the theft of the laptop, including 15 letters who threatened to seek compensation.
The company has since said it had started taking preventive action to ensure such breaches would not occur in future.