The Information Commissioner’s Office (ICO) has fined the Crown Prosecution Service (CPS) £325,000 after the service mislaid DVDs containing recordings of sensitive police interviews.
The DVDs, which were not encrypted, contained interviews with 15 victims of child sex abuse that were to be used at a trial.
The ICO noted that the material included sensitive details about those abused as well as the accused and other parties.
The discs were sent by tracked delivery from a CPS office in Guildford to one in Brighton, with the receiving office located in a shared building. The delivery was made outside of office hours, and discs were left in the reception area, which was accessible to anyone who had access to the building.
They were sent in November 2016, but the loss wasn’t discovered until the following month. The CPS notified the victims in March 2017 and reported the incident to the ICO in April.
The CPS was negligent in failing to ensure the recordings were kept safe, the ICO said. In spite of having been fined £200,000 for a separate breach in November 2015, which also involved victim and witness evidence, the CPS hadn’t taken care to prevent similar breaches from occurring again, the ICO said.
“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information,” said ICO head of enforcement Steve Eckersley.
The CPS said it accepted the ICO’s decision. The service said it had contacted victims’ families to apologise and that there was no indication the material was viewed by an unauthorised person.
“The original version of the data was retained by the police and the defendant pleaded guilty in court,” the CPS said in a statement.
The service said CPS South East had reviewed its systems to prevent similar losses and that a new digital system would allow secure online transfers.
“This includes videoed interviews and will mean we no longer need to rely on sending discs through the mail,” the CPS stated.
The service said it would pay the fine before 13 June, meaning it would be reduced to £260,000.
The introduction into enforcement of the General Data Protection Regulation (GDPR) on 25 May is set to greatly increase the amount of fines that European data protection agencies can impose.
How much do you know about privacy? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…