The theft of recordings of police interviews with victims of sexual abuse from a Manchester firm has potentially serious data protection implications for the CPS
UPDATE: 22 September – the Manchester Evening News reports that the burglary took place at a flat. No doubt the ICO and the CPS will want to know whether the firm's storage of the hardware was appropriate to the sensitivity of the data held. END UPDATE
The 7th principle in Schedule One of the Data Protection Act 1998 requires a data controller to have appropriate technical and organisational measures in place to safeguard against loss, destruction or damage of personal data. Furthermore, if the data controller appoints a contractor to process personal data on its behalf, it should select that contractor on the basis that it has equivalent measures in place, ensure that the contractor acts only on the data controller's instructions, and evidence all of this in writing. Failure to comply with this 7th principle is a contravention of the data controller’s obligation under section 4(4), and serious contraventions, of a kind likely to cause substantial damage or substantial distress, can attract enforcement action from the Information Commissioner (ICO), including monetary penalty notices (MPNs) of up to £500,000. Note the “likely” – a near miss, in data security terms, can still lead to an MPN. It is the failure to have appropriate measures in place (or a suitable contract) which is the contravention of the DPA – not the data security incident in itself.
With this in mind, the Crown Prosecution Service (CPS) must be considering its vulnerability to enforcement action by the ICO, following reports of the theft of highly sensitive video recordings of interviews with victims of alleged sexual abuse from a Manchester video editing firm contracted by the CPS. This may be the case even though the stolen material has apparently been recovered. The Mail reports that
The CPS said it was now demanding an ‘urgent explanation’ of the security arrangements that had been in place
but this in itself points towards a possible prior lack of suitable oversight of the contractual arrangements.
Keith Vaz, Chair of the Commons Home Affairs Committee, has expressed surprise that a private firm was involved (which shows either a certain naivety or disingenuousness) but has also said that he will be challenging the Head of the CPS about the security breach when she appears before the committee next month. One suspects the ICO will also be challenging her to explain what arrangements were in place to ensure compliance with the DPA.
If there was appropriate security – physical security on the building and technical security on any equipment – this wouldn’t be a breach, and the CPS could legitimately say: no breach, no need to report. However, ‘appropriate’ measures include measures sufficient to deal with the risk of theft as well as accident, so it’s a high hurdle to clear. Given the sensitivity of the information, however, the ICO should investigate anyway, just to be sure that the appropriate steps have been taken.
However, the ICO seems incapable of comprehending anything other than a complaint from an affected subject or a ‘breach’ report from the organisation, so they won’t give a toss what I think.