A4e receives landmark £60k fine for losing legal clients’ personal data
Security: lack of encryption warranted penalty
A company that runs two law centres has become one of the first two organisations ever to be fined for data protection breaches, after personal details of 24,000 clients were lost when an unencrypted laptop was stolen.
A4e, a ‘social purpose’ company that jointly manages the Hull and Leicester community legal advice centres, was fined £60,000 by the Information Commissioner. The reason given was that access to the data, which was stolen in June, could have caused “substantial distress” and reasonable steps were not taken to prevent its loss.
The laptop had been issued to an employee so that they could work at home. It contained sensitive personal information when it was stolen from the employee’s house. An unsuccessful attempt to access the data was made shortly after the theft.
A4e manages the two centres in partnership with Howells Solicitors. Each is funded jointly by the local authority and Legal Services Commission. There is no suggestion that the law firm was involved in the breach.
Since April 2010 the commissioner has had powers to issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act.
Christopher Graham, the Information Commissioner, said the penalties sent out a strong message to all organisations handling personal information: “The laptop theft… warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data.”
A4e’s newly-appointed chief executive, Andrew Dutton, said it was the first such incident suffered by the company and pointed out that it had made a voluntary report to the commissioner when the theft occurred. No customer had reported any financial or other loss.
He added: “This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.”