In April 2010, the Information Commissioner’s Office (ICO) was given radical new powers to fine companies and bodies that breach the rules on data protection, and in November that year public sector contractor A4e took on the dubious mantle of becoming the first – along with Hertfordshire County Council – to be fined.
The privately owned Sheffield-based company, which has an annual turnover of around £150m and employs more than 3,300 staff, runs government and local authority contracts. Its biggest by far is with the Department for Work and Pensions (DWP), which pays A4e to get the long-term unemployed back into work.
It also has a number of contracts outside the DWP, ranging from managing community payback schemes and prisoner training to running vocational centres for unemployed youths and providing legal services. It was here that the breach occurred.
Among other things, A4e’s legal services division runs, in partnership with Sheffield law firm Howells, two community legal advice centres in Hull and Leicester. The contracts to operate the centres were awarded by the two local authorities, and they run until April 2011 in Leicester and October 2011 in Hull. The centres provide free social welfare advice.
“The breach happened at around 10.30pm on 17 June 2010 when there was an opportunistic theft at an employee’s home – a number of personal items were taken as well as an A4e laptop [and an external flash disk],” says Chris Peel, A4e development director for legal services.
Contained on the laptop and disk were details of 24,000 customers of the Hull and Leicester centres, including dates of birth, diversity information and financial settlements. Although password-protected, the information was not encrypted.
“Our first reaction was to work closely with the police to try and understand the nature of the burglary and what we should be doing in regard to telling our customers,” says Peel. “Following police advice we reported the incident to the ICO and then told all affected customers, our partners and the local authorities.
“With the customers, we wrote to them explaining what had happened and advising what precautions they should take, like being vigilant and keeping an eye on accounts and emails to make sure nothing strange was going on.”
Neither the laptop nor the disk has been recovered, although A4e is confident the information has not been accessed. Internal systems show that after the theft someone tried to access the information, but failed.
A free telephone helpline was set up, allowing worried customers to contact A4e. Around 13 per cent of those affected called in. A statement was also put out to the press.
Peel says A4e’s data protection policies, which are constantly reviewed and updated, were and are suitably robust, while all IT policies comply with ISO 27001, the standard that sets out the requirements for an information security management system.
At the time of the breach a company-wide encryption programme was under way. The rollout was completed in September 2010, with more than 5,500 devices encrypted in six months. The breach did not speed up the rollout, as it was already being carried out as quickly as possible, but it did highlight how important the programme was. The breach itself was attributed to human error.
“The employee should not have had the laptop at her home – it was a breach of our procedures,” says Peel. “We’re a large organisation with a number of delivery sites, and it became clear that while it’s one thing to have policies in place, it’s another to make sure all staff know and understand them.
“Every line manager had to confirm that they had sat down with staff and gone through all the policies and procedures, and made clear what their responsibilities were.
“We’ve also rolled out an online data protection course which all employees have to go through, including undertaking formal training and then an exam.”
The course was a bespoke development drawn up for A4e in consultation with external data and security experts.
The ICO fined A4e £60,000. The company decided against appealing, instead paying the penalty immediately.
“We had regular dealings with the ICO throughout the process and took into account its finding that we should have known about the risk,” says Peel. “We took on board what was in its report, which recognised that although nobody suffered as a result of the breach, we could have stopped it happening.”
Ultimately, the breach has served as a company-wide wake-up call about the importance of observing data protection policies and procedures.
“Data protection is now firmly on the agenda, especially how we conduct ourselves within the organisation,” concludes Peel. “It’s part of staff induction and training, and there are now regular updates and interfaces.”