The Crown Prosecution Service has been fined £200,000 after laptops containing videos of police interviews with victims of sex attacks were stolen from a private film studio.
The highly unusual security breach and heavy penalty follow an inquiry by the Information Commissioner’s Office (ICO), which is responsible for enforcing data protection laws.
Interviews with 43 victims and witnesses who were involved in 31 investigations were held on two laptops. They were being edited by a Manchester-based film company so that they could be used in criminal proceedings.
Nearly all of the interviews related to cases of violence or sexual assault. Some were from police investigations into historical allegations against a high-profile individual.
The CPS is increasingly using filmed interviews in trials, partially to spare vulnerable witnesses the gruelling experience of being cross-examined in court. Giving evidence at an earlier stage also gives victims the chance to move on from horrific experiences.
The ICO investigation found the videos had not been kept securely. The film company used a residential flat as a studio, which was burgled in September 2014.
The two laptops, which were left on a desk, were password-protected but not encrypted and the studio had no alarm and insufficient security. The police recovered the laptops eight days later and detained the burglar. It is thought the laptops had not been accessed.
The ICO ruled that the CPS was negligent in failing to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.
The ICO’s head of enforcement, Stephen Eckersley, said: “Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does.
“The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”
Many of the victims were vulnerable and had already endured distressing interviews with police. In the videos, they talked openly and referred to the names of the offenders.
Eckersley said: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”
The CPS itself reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.
The CPS had been using the same film company since 2002. Unencrypted DVDs were delivered to the studios using a national courier firm. If the case was urgent, the company would collect the DVD from the CPS personally and take it to the studio using public transport.
The ICO found that this procedure constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach.
A CPS spokesperson said: “It is a matter of real regret that sensitive information was not held more securely by our external contractor, and that we, as an organisation, failed to ensure that it was.
“We are grateful that the material was recovered without being accessed by those who stole the computer equipment but accept that this was fortuitous. It is vital that victims of crime feel confident that breaches like this will not happen and, following a full review after this incident, we have strengthened the arrangements for the safe and secure handling of sensitive material.”