The £200,000 monetary penalty notice (“MPN“) awarded by the Information Commissioner’s Office (“ICO“) on the Crown Prosecution Service (“CPS“) reminds data controllers of the need to:
Since 2002, the CPS had used a third party to edit videos and DVDs of police interviews so that the CPS could use them in criminal proceedings. The data processor uploaded such videos and DVDs to laptops. The laptops were kept in an unsecured studio with no alarm or operational CCTV. The data processor had two unencrypted laptops stolen from their offices. The laptops contained interviews spanning 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations against a high-profile individual. The CPS used a national courier to deliver the unencrypted DVDs. If the case was urgent, the supplier would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.
Unencrypted laptops have been a regulatory hotspot since 2010. The ICO’s clearly held view is that the cost of implementing encryption technology to devices is minimal compared to the potential harm that may result from un-authorised or improper use of such personal data.
Key points highlighted by the decision include the following regarding the 7th DPP:
Nathaniel Lane is a Solicitor and Of Counsel in Michelmores’ Technology, Media & Communications team. Nathaniel has an ISEB Certificate in Data Protection.
For more information please contact Nathaniel at email@example.com or on 0207 788 6313 or Tom Torkar at firstname.lastname@example.org or on 01392 687626.