CPS fined £200k by ICO for negligent data protection
The Information Commissioner's Office (ICO) has fined the Crown Prosecution Service (CPS) £200,000 for negligent data protection procedures, after the Manchester-based, privately held film studio that edits police interviews for criminal proceedings was burgled and two laptops were stolen.
The interviews were with 43 victims and witnesses and involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations against a high-profile individual.
As part of its investigation, the ICO learned that the CPS had been using the same film company since 2002. The film company used a residential flat as a studio; the flat had no alarm and insufficient security. On 11 September 2014 it was burgled and two laptops containing the videos were stolen. The laptops had been left on a desk and were password protected but not encrypted.
The police recovered the laptops eight days later and apprehended the burglar. As far as the Commissioner is aware, the laptops had not been accessed by anyone else.
The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.
The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach on 11 September 2014.
Chris McIntosh, CEO of ViaSat UK, commented: “Of all the organisations you'd hope to be on top of data protection, the CPS should rank highly. Quite frankly, the fact that part of the justice system could be so complacent regarding data security is worrying indeed. As this case shows, a large proportion of threats to data don't just come from shadowy attackers looking to damage organisations. They come from simple human error and a failure to follow best practice. Essentially, organisations should always assume the worst with data security; they should take the approach that they have already been breached, and make detecting breaches and securing data their top priority. This means an all-encompassing approach to protection, of which encryption plays a crucial part. After all, there is always the risk that data will be stolen, but that risk holds much less danger if that data can't be accessed.
“Indeed, there is a strong case for strengthening the Data Protection Act to make encryption of all personal data both mandatory and enforceable, with real punishments for those who fail to follow the guidelines. The EU Data Protection Regulation could go some way to providing this, but what we should really be aiming for is a world where the CPS is punishing organisations for failure to protect data, rather than the other way round.”