A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.
The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. Ms. Crawford noted that she had left plumbers with the keys and alarm code so that they could install a new boiler in her home while she was away. Upon returning from her holiday on September 3, 2009, she discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police. The breach was only first reported to the ICO on August 30, 2011, however, when the last case relating to information held on the laptop was concluded. No explanation was provided as to why she did not report the matter promptly to the ICO.
The stolen laptop contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. Much of the information would have been public record in the court cases, but was still sensitive information. The laptop was never recovered.
The ICO’s investigation found that although Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.
The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again.