Watchdog fines CPS £200k for data breach

by Mark Rowe

The Crown Prosecution Service has been fined £200,000 by the data protection watchdog, the Information Commissioner’s Office (ICO), after laptops containing videos of police interviews were stolen from a private film studio. The interviews were with 43 victims and witnesses. They involved 31 investigations, nearly all ongoing and of a violent or sexual nature. Some related to historical allegations against a high-profile individual.

The videos were being edited by a Manchester-based film company so that they could be used in criminal proceedings. The ICO found the videos were not kept securely; the film company used a residential flat as a studio. The studio was burgled on September 11, 2014 and two laptops containing the videos were stolen. The laptops, left on a desk, were password-protected but not encrypted and the studio had no alarm and not enough security – for example, the CCTV in the stairwells did not work, according to the ICO.

The police recovered the laptops eight days later and caught the ‘opportunist’ burglar. As far as the ICO knows, the laptops had not been accessed by anyone else. The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.

Head of Enforcement Stephen Eckersley said: “Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”

The watchdog made the point that many of the victims were vulnerable and had already endured distressing interviews with police. In the videos, they talked openly and named people (including offenders and the high-profile individual).

Mr Eckersley said: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”

The CPS reported the incident to the ICO and told the victims and witnesses involved. The ICO received complaints from three affected people. The ICO learned that the CPS had been using the same film company since 2002. The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport. For the ‘monetary penalty notice’ in full, visit the ICO website.

Chris McIntosh, CEO of ViaSat UK, said: “Of all the organisations you’d hope to be on top of data protection, the CPS should rank highly. Quite frankly, the fact that part of the justice system could be so complacent regarding data security is worrying indeed. As this case shows, a large proportion of threats to data don’t just come from shadowy attackers looking to damage organisations. They come from simple human error and a failure to follow best practice. Essentially, organisations should always assume the worst with data security; they should take the approach that they have already been breached, and make detecting breaches and securing data their top priority. This means an all-encompassing approach to protection, of which encryption plays a crucial part. After all, there is always the risk that data will be stolen, but that risk holds much less danger if that data can’t be accessed.

“Indeed, there is a strong case for strengthening the Data Protection Act to make encryption of all personal data both mandatory and enforceable, with real punishments for those who fail to follow the guidelines. The EU Data Protection Regulation could go some way to providing this, but what we should really be aiming for is a world where the CPS is punishing organisations for failure to protect data, rather than the other way round.”

© 2024 Professional Security Magazine. All rights reserved.