04 November 2015
The Information Commissioner’s Office fined the Crown Prosecution Service £200,000 today in relation to a breach of the seventh principle of the Data Protection Act 1998.
The CPS had been using a small contactor to convert police interview footage into a format which was playable in court. The contractor, who remains nameless in the Monetary Penalty Notice (we enquire why that anonymity should be granted, but that is for another day…) was sent unencrypted DVDs by the CPS. It appears that he downloaded the videos onto laptops which were password protected but which were also not encrypted. Two laptops were stolen when the offices were broken into and these contained the video footage of interviews with 43 victims and witnesses in 31 criminal cases, most of which were still ongoing. Some of the videos contained historic allegations made against a high profile individual.
The laptops were recovered and they had not been accessed by the burglar.
However the potential was there for extremely sensitive material to be further disseminated, causing distress and damage to the individuals involved. And surely the wider issue is the public losing trust in the system dealing with their reports of crimes and the risk that some victims may not come forward at all fearing that their testimony will not be held in confidence.
The CPS as the data controller here was responsible for the actions of the contractor which were not compliant with the DPA. But are there not questions here for the police and why these DVDs are not encrypted in the first place? Not for the first time we ask ourselves why the CPS is using unencrypted DVDs to store highly sensitive information? Why the CPS had to send these out to a small contractor in order to have them processed for court and why their procurement system did not address the obvious DPA concerns? It seems fair to assume that there are systemic failures beyond the loss of these 43 videos that are being addressed by the CPS.
On a similar note, the ICO imposed an undertaking recently on a Scottish law firm who had collected an unencrypted DVD containing CCTV footage of an alleged crime from the Scottish prosecution service – the Procurator Fiscal’s office. The firm of solicitors agreed to take certain steps in relation to DPA training and encryption. I wonder if the Procurator Fiscals’ service was given similar advice which will seem all the more important given the fine issued to the CPS today?
'CPS fined £200,000 for failing to keep recorded police interviews with victims and witnesses secure':-
Contact Paul Motion, Laura Irvine or Lindsay Urquhart on T: 0131 222 2939 or email us at firstname.lastname@example.org