On 4 November 2015 the ICO announced that the Crown Prosecution Service (‘CPS’) had been fined £200,000.
The CPS is responsible for prosecuting criminal cases investigated by the police in England and Wales.
The facts leading to this fine are that the CPS was using another party (‘X’) to edit videos of police interviews, for use in criminal proceedings. To do this, the CPS normally delivered (unencrypted) DVDs containing the videos to X, using a courier firm.
A burglar gained access to the premises occupied by X and stole several laptops that belonged to X, two of which had on them videos of police interviews with 43 victims and witnesses involved in 31 cases. The laptops were password protected but not encrypted. The police subsequently recovered the laptops (which appeared not to have been accessed).
The ICO concluded that the CPS had failed to take sufficient security measures because:
- Unencrypted DVDs were delivered to X by courier (and on some occasions were collected by X using public transport)
- The CPS had not obtained a guarantee that X would store the DVDs securely and return or securely destroy them
- The CPS failed to monitor the security measures taken by X
- There was no adequate legal contract in place between the CPS and X governing this arrangement
According to the ICO, the CPS should have:
- Delivered the DVDs by secure courier
- Inspected the premises of X to ensure they were suitable
- Obtained a guarantee from X that the DVDs would be stored in a lockable cabinet and that any laptops containing videos were encrypted
- Made provision for the return or destruction/erasure of the DVDs/videos when X no longer needed to work on them.
This substantial fine reflects the serious nature of this breach of the Data Protection Act and shows how careful organisations need to be when passing on personal data to another party.
Consideration must be given as to how personal data will be transported between the parties, the circumstances in which it will be held by the other party and what will happen to that data when the other party no longer needs it. All of these things could and should be contained in a written contract.
Perhaps above all, organisations passing personal data on to others should understand that they can be liable for the security failures of the receiving party.