Crown Prosecution Service hit with £325k fine for losing DVDs with ‘most intimate details’ of abuse victims
After ICO punishment, CPS claims new digital evidence-transfer system will mean such a breach can never happen again
After losing unencrypted DVDs containing footage of interviews with 15 victims of child sexual abuse, the Crown Prosecution Service has been hit with a £325,000 fine from the Information Commissioner’s Office.
In response to the punishment, the CPS said that it is rolling out a digital system for transferring evidence to ensure it never again needs to rely on sending sensitive information through the post.
The lost discs “contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator, and some identifying information about other parties”, the ICO said.
In November 2016 they were sent from one CPS office to another via tracked delivery.
The office where they were received was shared by CPS with other organisations. The DVDs, which were “not in tamper-proof packaging”, were sent outside office hours, and were left in the building’s shared reception area, according to the ICO.
- ICO slams police force for ‘cavalier’ attitude to data after unencrypted interview footage goes missing
- Interview: The Crown Prosecution Service's digital transformation chief on his 'user-centric' mission
- Why cloud is no longer ‘a dirty word in policing’
Having gone missing, their loss was not discovered for a month. Victims were not told until March 2017, and the ICO was informed in April.
It is still not known what happened to the DVDs.
The ICO pointed out that the CPS suffered a data breach in which video evidence was lost – for which it was fined £200,000 about a year before this incident took place. Despite which, the CPS failed to make sure that “appropriate care was being taken to avoid similar breaches”.
Steve Eckersley, head of enforcement at the ICO, said: “The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data – a loss in trust could influence victims’ willingness to report serious crimes. The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.
He added: “The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”
A spokesperson for the CPS said that the service is currently implementing a digital system “that allows the secure online transfer of material between the CPS and the police”, including sending video interviews. The introduction of this system “will mean we no longer need to rely on sending discs through the mail”, they said.
“We accept the ICO’s decision that we breached the Data Protection Act and last year contacted victims’ families to explain what had happened and apologise. We also offered to meet families face-to-face,” the CPS spokesperson added.
“There is no indication the material was viewed by any unauthorised person. CPS South East have completely reviewed their systems and processes for the receipt and handling of video interviews to ensure that this situation cannot arise again. The original version of the data was retained by the police, and the defendant pleaded guilty in court. He was given a six-year prison sentence in March 2017.”
CPS said that it will pay the fine before 13 June – which means that it will be reduced to £260,000.
Coronavirus could be a boon for cybercriminals, but could also be an ideal time for organisations to tune up their security, writes Henry Asson of the PublicTechnology events series
NCSC sets up reporting hub and asks public to shop suspected fraudsters
Health department says ‘all large-scale operations’ experience similar challenges
Vast majority of staff in most departments are performing their duties from home