01254 828 300 
The Information Commissioner’s Office (“ICO”) has issued a monetary penalty notice on the Crown Prosecution Service (“CPS”) following an incident in late 2016. In this instance, the fine being imposed on the CPS is to be £325,000, if paid at the latest, or £260,000 if paid by 13 June 2018. A result of the 20% early payment reduction.
Facts
On the 18 November 2016, the CPS received a package of fifteen unencrypted DVDs from Surrey Police, each containing Achieving Best Evidence (“ABE”) interviews with victims of child sexual abuse. These interviews were intended to be used in the trial of the perpetrator.
By virtue of their nature, these interviews contained intimate sensitive personal data and sensitive personal data relating to the victims in the trial. They also contained a great deal of sensitive personal data of the defendant in the trial. Peripheral to this information was some identification information pertaining to persons accompanying the victims to the interviews and the interviewing officers.
On that very same day, the DVDs were sent by tracked DX delivery, in a single box, to the CPS’ office in Brighton. Here, it was hoped that a specialist unit would carry out a further review of the evidence.
The DX tracking information for this box states that the package was delivered to the Brighton office of the CPS on 21 November 2016, with no CPS staff in the building at the time. Whilst the entry doors to the shared building are locked and require a card and PIN code for access, DX has a code to enable it to complete early morning deliveries.
Once an early morning delivery has been completed, the packages are left in an unsecured area in reception. This is because, once in the shared building, the CPS offices and reception areas can be accessed by anyone.
Subsequently, the package delivered by DX, containing the recorded interviews, has gone missing. The discs were not encrypted, as CPS states that this was not normal practice for ABE material, so anyone can access them. There is no requirement of a password.
Further, the absence of the package was only brought to the attention of the CPS on 1 December 2016. This is when the CPS employee expecting the package returned from annual leave. It is unknown what has happened to the discs.
By means of self-reporting, the ICO became aware of the data loss on 11 April 2017, when the CPS informed the office themselves. The ensuing investigation has, reportedly, uncovered a number of systemic and procedural issues within the relevant CPS offices involved.