CPS Fined £325K for Losing Police Interview Videos

The Crown Prosecution Service (CPS) has been fined £325,000 by the UK’s privacy watchdog after losing DVDs containing recordings of police interviews with child sex abuse victims.

The DVDs contained recordings of interviews with 15 victims set to be used at trial, according to the Information Commissioner’s Office (ICO).

They contained intimate details of the case including information about the alleged perpetrator.

It is not known what happened to the DVDs in question. They were sent by tracked delivery between two CPS offices, with the second office in a shared building. The entry doors are said to have been locked but this still gave access to the DVDs to anyone in the building as they were not in tamper-proof packaging and were simply left in reception.

The CPS did not discover until a month later that the DVDs had been lost.

This is the second time the CPS has been fined by the ICO for losing sensitive video evidence, with the first incident occurring in November 2015 and resulting in a £200,000 penalty.

ICO head of enforcement, Steve Eckersley, said the CPS must take urgent action to prove it can be trusted with highly sensitive information like this.

“The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data - a loss in trust could influence victims’ willingness to report serious crimes,” he added in a statement.

“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.”

The incident highlights the fact that employee negligence and poor process is often to blame for data breaches, rather than malicious third-party cyber-attackers.

ICO stats released this week revealed that human error was by far the biggest factor in incidents reported in the financial year 2017-18.

The latest incident does not bode well for the CPS given the GDPR takes effect from next week. Any further losses of this kind could result in significantly higher fines.

What’s Hot on Infosecurity Magazine?