The unencrypted discs, containing sensitive video interviews, went missing in the publicly accessible area of a CPS office in Brighton
The Information Commissioner’s Office (ICO) has fined the Crown Prosecution Service (CPS) £325,000 after the service mislaid DVDs containing recordings of sensitive police interviews.
The DVDs, which were not encrypted, contained interviews with 15 victims of child sex abuse that were to be used at a trial.
The ICO noted that the material included sensitive details about those abused as well as the accused and other parties.
The discs were sent by tracked delivery from a CPS office in Guildford to one in Brighton, with the receiving office located in a shared building. The delivery was made outside of office hours, and discs were left in the reception area, which was accessible to anyone who had access to the building.
They were sent in November 2016, but the loss wasn’t discovered until the following month. The CPS notified the victims in March 2017 and reported the incident to the ICO in April.
The CPS was negligent in failing to ensure the recordings were kept safe, the ICO said. In spite of having been fined £200,000 for a separate breach in November 2015, which also involved victim and witness evidence, the CPS hadn’t taken care to prevent similar breaches from occurring again, the ICO said.
“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information,” said ICO head of enforcement Steve Eckersley.
The CPS said it accepted the ICO’s decision. The service said it had contacted victims’ families to apologise and that there was no indication the material was viewed by an unauthorised person.
“The original version of the data was retained by the police and the defendant pleaded guilty in court,” the CPS said in a statement.
The service said CPS South East had reviewed its systems to prevent similar losses and that a new digital system would allow secure online transfers.
“This includes videoed interviews and will mean we no longer need to rely on sending discs through the mail,” the CPS stated.
The service said it would pay the fine before 13 June, meaning it would be reduced to £260,000.
The introduction into enforcement of the General Data Protection Regulation (GDPR) on 25 May is set to greatly increase the amount of fines that European data protection agencies can impose.
How much do you know about privacy? Try our quiz!