Scottish Government’s lawyer Ruth Crawford QC breached Data Protection Act over theft of her unsecured laptop full of patient’s personal details

RUTH CRAWFORD QC, an Advocate from the Axiom Advocates stable who works for the Scottish Government has been slapped on the wrist by the Information Commissioner’s office after her unencrypted laptop was stolen while she was away on holiday. Ms Crawford regularly advises & represents the the Scottish Government in litigation and also works for local authorities and other public bodies.

The incident of the stolen laptop which was full of the details of patients involved in medical cases was DELIBERATELY NOT reported to the ICO's office until all the cases had finished, causing the ICO to issue an assurance to the legal profession that all data breaches reported to its office would not be disclosed and that all such breaches should be reported immediately (According to some, delays in reporting potential crimes sound fishy - Ed).

The laptop was never recovered however it has been claimed “most of the information compromised would already have been released as evidence in court papers” which would probably rank as a world first for a case where counsel for either side spilled the lot in court! (Do people still fall for these kinds of explanations ? – Ed)

The ICO reports :

Advocate’s legal files lost after unencrypted laptop theft

A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop was stolen from the home of Ruth Crawford QC whose clients include the Scottish Government and NHS Scotland in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.”

“As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

The undertaking by Ms Crawford QC, issued after a deal was apparently struck for the ICO not to issue a fine or use its powers, states :

The Information Commissioner (the ‘Commissioner’) was informed on 30 August 2011 of the theft, in summer 2009, of an unencrypted laptop from the study of the data controller’s home. The laptop, which was not encrypted, contained sensitive personal data relating to a number of individuals who were involved in cases on which the data controller was instructed to act. It is likely that much of the data compromised by this incident would have already been in the public domain.

The theft occurred while the data controller was on holiday, having left plumbers to fit a new boiler at her home. The data controller provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house. Upon returning from holiday on 3 September 2009, the data controller discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police.

The Commissioner has noted that physical security measures were in place at the time of the incident, but that there was insufficient technical security employed on the laptop to protect the data.

The Commissioner has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act. The Commissioner has also considered the fact that some of the data stolen in this incident consisted of information as to the physical or mental health or condition of the data subjects. Personal data containing such information is defined as ‘sensitive personal data’ under section 2(e) of the Act.

Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:

The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:

(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;

(2) If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;

(3) The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable, and take all appropriate steps to comply with these at all times;

(4) The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.