CPS fined £200,000 over loss of "high-profile" crime interviews

The Crown Prosecution Service (CPS) has been fined 200,000 for failing to encrypt police interviews about violent and sexual crimes stored on laptops that were later stolen.

Some of the 43 interviews with victims and witnesses related to historical allegations against "a high-profile individual", said UK data watchdog the Information Commissioner's Office (ICO), which handed down the penalty.

The videos were being edited by a Manchester film company for use in criminal proceedings for 31 investigations, but were being stored on two laptops kept in a residential flat used as the film company's studio.

Those laptops containing the videos were then stolen in a burglary at the studio on 11 September last year, and the ICO said that while the machines had passwords, the data had not been encrypted.

The studio also lacked an alarm and proper security, according to the watchdog.

Stephen Eckersley, head of enforcement at the ICO, blasted the CPS for its lack of security measures around such sensitive data.

He said: "Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information.

"The consequences of failing to keep that data safe should have been obvious to them."

Police managed to recover the laptops eight days later when they caught the burglar, and said no-one but the burglar had had access to them.

However, the ICO ruled the CPS had been negligent in trying to keep the data secure, and had not taken into account victims' "substantial distress" caused by the videos being lost.

Victims had openly named suspected offenders in the videos, and Eckersley said: "If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal."

The CPS reported the incident to the ICO which resulted in a complaint by three people affected by the videos' loss.

In the course of its investigation, the ICO learned that the CPS had been delivering unencrypted videos to the same film company by courier since 2002, while in urgent cases the film company's sole owner would collect the videos in person, taking them to the studio using public transport.

The ICO said this constituted a contravention of the Data Protection Act.

CPS reaction

Following the incident, the CPS immediately terminated its contract with Swan Films, and the organisation has reassessed security arrangements with other contractors to ensure such a breach cannot be repeated, it said.

Several security reviews took place across the CPS, and it also changed its procurement guidance to highlight the importance of information security stipulations in contracts.

A CPS spokesperson said: "It is a matter of real regret that sensitive information was not held more securely by our external contractor, and that we, as an organisation, failed to ensure that it was. We are grateful that the material was recovered without being accessed by those who stole the computer equipment but accept that this was fortuitous.

"It is vital that victims of crime feel confident that breaches like this will not happen and, following a full review after this incident, we have strengthened the arrangements for the safe and secure handling of sensitive material."

Arrangements are in place for the Departmental Security Unit to meet with procurement to discuss new contracts or those up for renewal, the CPS added, while contractors will be subject to reviews of existing arrangements, as well as ad-hoc security checks when the CPDS becomes aware of an issue.