Information Commissioner fines CPS £200k over lost laptop

The Crown Prosecution Service has been fined £200,000 by the ICO after unencrypted laptops containing videos of police interviews were stolen from a private film studio.

The interviews were with 43 victims and witnesses involved in 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations against a high-profile individual.

The videos were in the possession of a Manchester-based film company for editing ahead of their use in criminal proceedings. The company used a residential flat as a studio, which was burgled on 11 September 2014 and two laptops containing the videos were stolen. The laptops had been left on a desk and although they were password protected, they were not encrypted and the studio had no alarm and insufficient security. The laptops were recovered by the police eight days later and the suspected burglar arrested. As far as the Commissioner is aware, the laptops had not been accessed by anyone else.

The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.

Head of Enforcement Stephen Eckersley said: “Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”

Many of the victims were vulnerable and had already endured distressing interviews with police. In the videos, they talked openly and referred to the names of the offenders. Eckersley added: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”

The CPS reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.

As part its investigation, the ICO learned that the CPS had been using the same film company since 2002. The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.

The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach on 11 September 2014.

A copy of the ICO's penalty notice can be found here.