The Crown Prosecution Service deals with and handles some of the most sensitive and important data that any organisation, whether public or private, would be expected to hold. With this in mind, it is deeply troubling to find out that the UK CPS has recorded over 1600 data breaches over the last year – an 18% increase from the previous year.
This is not the first time the CPS have abdicated their responsibilities with regards to data protection; in 2018 they were fined £325,000 by the ICO for losing recordings of highly sensitive police interviews with 15 victims of child sexual abuse. Similarly, they were fined £200,000 in 2015 following the theft of sensitive video interviews of violent and sexual crimes were stolen.
The vast majority of the data breach incidents over the last year were related to authorised disclosure – which indicates that there was some form of human error that was responsible. Most of these were classed as very minor and were retained within the criminal justice system. Nevertheless; 78 of these incidents were described as ‘severe’. 143 of the total incidents were due to loss of electronic media and paper – in 22 of these incidents, the data was never recovered.
The CPS oversees incredibly sensitive and important data including confidential case files, witness statements; and the personal details of victims, criminal and witnesses. It is therefore reasonable to expect the highest possible standard of data protection from the body. A data breach incident in the CPS can put people’s safety at risk. The fact that 59 of the incidents that occurred over the last year were deemed as severe enough to be reported to the ICO suggests that the CPS needs to urgently consider and implement changes to the way they handle personal information to reduce/minimise the risk of breaches.
What can be done to improve?
- As the vast majority of data breaches were likely as a result of human error – there needs to be a significant increase and improvement in staff training on GDPR and data protection to ensure that breaches as a result of human error are reduced as much as possible.
- Using secure address systems (either email or postal) to try and ensure correspondence is sent to the correct address/recipient.
- Taking more time/giving more attention to matters where one or more party has an anonymity need and ensuring this need is complied with.
Has the CPS breached or disclosed your personal data to a third party without your knowledge or consent or without any legal need to do so? If you would like to discuss any data breach incident further, do not hesitate to contact one of our team.