Crown Prosecution Service fined £200,000 for losing unencrypted laptops holding video interviews with victims
Despite containing videos with victims of violent and sexual crimes, laptops were not encrypted, ICO investigation finds
The Crown Prosecution Service (CPS) has been fined £200,000 by the Information Commissioner's Office (ICO) after laptops containing videos of police interviews were stolen from the private film studio tasked with editing them.
It comes shortly after the ICO warned Edinburgh Council that it needs to drastically improve its data security practices after unencrypted data was leaked.
In total, the CPS laptops contained videos with 43 victims and witnesses involved in 31 investigations, nearly all of which were ongoing and concerned crimes of a violent or sexual nature. Some of the interviews even related to what's been dubbed "historical allegations against a high-profile individual".
The videos were being kept on behalf of the CPS by a Manchester-based film company, but following the theft of the laptops containing the data, an ICO investigation found that the videos were not kept securely.
Two laptops were stolen from the residential flat that the company used as its studio in September 2014. The laptops were left on a desk, weren't encrypted and the studio didn't have an alarm.
Despite the laptops eventually being returned, the ICO has ruled that the CPS was "negligent" when it failed to ensure the videos were kept safe and properly secured, especially given the distress that would be caused if they were lost.
"Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information," said ICO head of enforcement Stephen Eckersley.
"The consequences of failing to keep that data safe should have been obvious to them," he added.
The ICO also pointed out the videos contained information about vulnerable people that could have been misused
As part of its investigation, the ICO discovered the CPS delivered unencrypted DVDs to the studio using a national courier firm, and therefore was in breach of the Data Protection Act.
Chris McIntosh, CEO of secure technology and communications provider ViaSat UK, said the case demonstrates that organisations need to be at the top of their game when it comes to data protection.
"Of all the organisations you'd hope to be on top of data protection, the CPS should rank highly. Quite frankly, the fact that part of the justice system could be so complacent regarding data security is worrying indeed," he said.
"As this case shows, a large proportion of threats to data don't just come from shadowy attackers looking to damage organisations. They come from simple human error and a failure to follow best practice," McIntosh continued.
The answer, he argued, is that organisations "should always assume the worst with data security" and take the appropriate action as a result, such as ensuring files are kept encrypted.
"They should take the approach that they have already been breached, and make detecting breaches and securing data their top priority. This means an all-encompassing approach to protection, of which encryption plays a crucial part," said McIntosh.
"After all, there is always the risk that data will be stolen, but that risk holds much less danger if that data can't be accessed," he added.
Luke Brown, vice president and general manager at Digital Guardian, also criticised the lack of encryption on the CPS laptops, especially when it is so readily available to use.
"Numerous affordable technologies exist that can easily protect data in the event of laptop theft or misplacement, making it concerning that there aren't already stringent policies in place regarding its use at the CPS," he said.