The Crown Prosecution Service (CPS) has been fined £200,000 after three laptops containing unencrypted highly sensitive police interviews with victims and witnesses in 43 cases were stolen.
The laptops were stolen in September 2014 from a private film studio in Manchester that the CPS had commissioned to edit interviews conducted by police forces.
The CPS provided these interviews to the business owner on unencrypted DVDs and CDs, and no work was done to check how they were being stored once handed over.
All the interviews were with victims or witnesses in ongoing cases, almost all of which were of a violent or sexual nature. One case contained potential evidence based on "historical allegations against a high-profile individual".
The laptops were stolen from the residential property where the information was being edited in September 2014. The laptops were password protected, but the video files were not encrypted.
The police recovered the laptops eight days later and arrested the thief. The Information Commissioner’s Office (ICO), which issued the fine, said it is not aware that the laptops or their content had been accessed by anyone else.
Despite this, ICO head of enforcement Stephen Eckersley said that the CPS' attitude was “complacent”, especially as it knew that the information could pose a serious risk to those involved.
“If this information had been misused or disclosed to others the consequences could have resulted in acts of reprisal,” he said.
“Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information.”
V3 contacted the CPS for comment on the fine but had received no reply at the time of publication.
The fine of £200,000 is high, but could be reduced to £160,000 if the CPS pays by 1 December.
The penalty is the latest to be handed out to a public authority by the ICO, and numerous councils, NHS Trusts and even central government departments have faced similar fines.
A particularly notable case last year saw the ICO fine its then-sponsor the Ministry of Justice £180,000 after discovering that all 75 prisons in England and Wales had been storing data on hard drives without encryption turned on.
Author's View: So here we are again - another disastrous data loss incident leading to a huge fine for a public organisation.
In fact, this is one of the worst I've seen in six years covering this area. When you consider the nature of the stolen material, and the fact the CPS should be a shining light for data protection, the organisation was clearly blasé in its duties.
The whole case is deeply troubling, from handing over the information on unencrypted DVDs via a courier firm, to failing to check whether the member of the public entrusted with such information was storing it securely.
In fact, the CPS should consider itself lucky to get away with such a small fine considering the seriousness of the error. The ICO perhaps missed a trick here to go big with a record fine of £400,000 or more that may have really hit home to other organisations engaging in similarly lax practices.