The Information Commissioner’s Office (“ICO”) has issued a monetary penalty notice on the Crown Prosecution Service (“CPS”) following an incident in late 2016. In this instance, the fine imposed on the CPS is £325,000, reduced to £260,000 if paid by 13 June 2018 as a result of the 20% early payment reduction.
On 18 November 2016, the CPS received a package of fifteen unencrypted DVDs from Surrey Police, each containing Achieving Best Evidence (“ABE”) interviews with victims of child sexual abuse. These interviews were intended to be used in the trial of the perpetrator.
By virtue of their nature, these interviews contained intimate sensitive personal data relating to the victims in the trial. They also contained a great deal of sensitive personal data of the defendant in the trial. Peripheral to this information was some identification information pertaining to persons accompanying the victims to the interviews and the interviewing officers.
On that very same day, the DVDs were sent by tracked DX delivery, in a single box, to the CPS’ office in Brighton. Here, it was hoped that a specialist unit would carry out a further review of the evidence.
The DX tracking information for this box states that the package was delivered to the Brighton office of the CPS on 21 November 2016, with no CPS staff in the building at the time. Whilst the entry doors to the shared building are locked and require a card and PIN code for access, DX has a code to enable it to complete early morning deliveries.
Once an early morning delivery has been completed, the packages are left in an unsecured area in reception. This is because, once in the shared building, the CPS offices and reception areas can be accessed by anyone.
Subsequently, the package delivered by DX, containing the recorded interviews, went missing. The discs were not encrypted, as the CPS states that this was not normal practice for ABE material, and no password is required, so anyone can access them.
Further, the absence of the package was only brought to the attention of the CPS on 1 December 2016. This is when the CPS employee expecting the package returned from annual leave. It is unknown what has happened to the discs.
The ICO became aware of the data loss on 11 April 2017, when the CPS reported it to the office itself. The ensuing investigation has, reportedly, uncovered a number of systemic and procedural issues within the CPS offices involved.
The CPS is burdened with the duty of managing the data it holds in accordance with law because it is a data controller, as defined in section 1(1) of the Data Protection Act 1998 (“DPA”).
According to section 4(4) of the DPA, any data controller, subject to section 27(1), must comply with the data protection principles in relation to all personal data for which he or she is the data controller.
The data protection principle breached in this case is the seventh one outlined in Part 1, Schedule 1 of the DPA:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
As a consequence of the CPS’ blatant breach, the ICO has served on them a monetary penalty notice in accordance with section 55A(1) of the DPA. This essentially means that the ICO is satisfied that there has been a serious contravention of section 4(4) of the DPA, of the kind likely to cause substantial damage or substantial distress.
In this particular case, the ICO has concluded that the CPS failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data in contravention of the Seventh Data Protection Principle.
Whilst the ICO has concluded that a contravention occurred, it has decided that the breach was not a deliberate breach. Instead, it has stated that the contravention was negligent, as the CPS knew or ought to have known that there was a risk that such a contravention as that described would occur.
In addition, the ICO has made it clear that the CPS ought to reasonably have known that the videos containing the ABE interviews would be vulnerable to a security breach in the absence of appropriate security measures.
Pay the Piper
As punishment for this contravention of data protection legislation, the CPS has been fined the sum of £325,000, to be paid no later than 14 June 2018. The penalty itself is not kept by the ICO, but is instead paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England.
If the Commissioner receives full payment of the penalty by 13 June 2018, the ICO will reduce the monetary penalty by 20% to £260,000. However, should the CPS wish to appeal the penalty, then they will lose the option of the early payment reduction.
To avoid finding yourself contravening data protection legislation, contact Backhouse Jones. Their informed practitioners will assist you in ensuring that you don’t find yourself on the wrong end of a staggering fine, such as the one faced by the CPS.