Posted on 12.11.15 by Christian Mancier
The Information Commissioner’s Office (ICO) has fined the Crown Prosecution Service (CPS) £200,000 for failing to keep recorded police interviews with victims and witnesses secure.
The background to the case is that the CPS used a Manchester based film company to edit videos of interviews so they could be used in criminal proceedings. The film company concerned used a residential flat as a studio and this flat was broken into with the thief stealing two laptops which were password protected but not encrypted. The flat had no alarm and insufficient security.
The laptops stolen housed interviews with 43 victims and witnesses covering 31 investigations, nearly all of which were on-going and of a violent or sexual nature. The laptops were recovered 8 days later and it is believed no-one other than the thief accessed them.
As part of the investigation it was discovered that the CPS had used the film company concerned since 2002. They would regularly deliver unencrypted DVDs to the company using a national courier firm or the sole proprietor of the film company would personally collect the unencrypted DVDs from the CPS and return to the film studio using public transport.
The ICO ruled that the CPS was negligent as it had failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost. This was especially disconcerting since many of the victims were vulnerable and had already endured distressing interviews with the police in which they had openly talked about the names of the offenders.
This case highlights the fact that where an organisation (known as the “Data Controller”) controls personal information relating to individuals and passes this information on to a sub-contractor or third party (known as a “Data Processor”), then the Data Controller remains liable for the actions of the Data Processor. Common examples of this practice include organisations using third parties for payroll, direct marketing/mailings or market research, sub-contract arrangements, IT or cloud based services to name a few.
As a result the Data Controller has a responsibility to ensure that the Data Processor holds data in a secure way that complies with the requirements of the Data Protection Act. This may involve conducting due diligence on the Data Processor to check they are compliant and monitoring this compliance on an on-going basis. In addition the Data Controller should insist the Data Processor signs up to a “data processing” agreement where the Data Processor agrees to abide by the Data Protection Act in respect of the data it processes for the Data Controller. Such an agreement also gives certain other contractual assurances to the Data Controller over what it will and will not do with the data it is handling and processing.
For further advice on Data Protection compliance and the implications for your business, please get in touch with Christian Mancier, Corporate/Commercial Partner (and Gorvins Data Protection Officer) via firstname.lastname@example.org. If you prefer to give Christian a call you can do on 0343 507 5151.