The Crown Prosecution Service has been reprimanded for losing CDs and files which contained evidence for rape and sexual assault cases, the government’s data watchdog has revealed.
In one of the incidents, the CPS lost two unencrypted discs containing video and audio recordings of police interviews of victims of sexual assault.
In another, police lost a hard-copy case file relating to an alleged rape ahead of trial proceedings; and in a third, staff were unable to locate a sexual offences case file.
The reprimands were revealed in a letter from the Information Commissioner's Office, which was sent to the CPS in August but uploaded to the watchdog's website yesterday.
The data involved in each case was sensitive and its loss had the potential to cause "substantial distress to the affected data subjects" , the ICO said.
However, the commissioner added that “it is understood that no actual detriment appears to have been caused to the affected data subjects as a result of these incidents” and “the loss of the data does not appear to have affected any related court proceedings”.
In the first of the three incidents, a wallet containing the sexual-assault evidence files was sent from Lincoln Crown Court to the CPS's East Midlands’ Area Office on 17 December 2019 after a trial was aborted. The unencrypted discs were sent via courier in a lockable case, but were never booked back into the office and are "considered lost".
Then on 25 November 2020, the CPS North East office was unable to locate the case file relating to the alleged rape. Its last recorded location was at Newcastle Crown Court, ready to be returned to CPS offices, 11 months earlier. "Whilst the CPS believe that the file was returned to CPS offices and incorrectly destroyed, there is no record of the file’s return to CPS premises," the ICO said.
And in January 2021, it became apparent a sexual offences case file had been lost after a request was made for the document. Records show the file was sent to the CPS from a redacted location via a tracked delivery service in June 2017, but there was no record of it arriving back at CPS premises.
The ICO also released another reprimand letter sent to the CPS in April, for failing to put measures in place to prevent personal data from being incorrectly deleted after a prisoner’s case record for a sexual assault offence was erroneously erased.
While the commissioner said this data breach did not prevent the prisoner from accessing the information from other sources, it said they had a right to obtain a copy of their personal data from the CPS.
The incidents are the latest in a series of breaches by the CPS. The ICO issued the CPS with a £325,000 fine in 2018 for losing DVDs containing footage of interviews with 15 victims of child sexual abuse.
That followed a £200,000 fine in 2015 after the ICO found officials had delivered unencrypted DVDs of police interviews with dozens of victims and witnesses of sexual and violent crimes to a film studio, which were then stolen.
Loss of files due to ‘lack of suitable logging processes’
The ICO said in each of the recent cases, the CPS did not have a suitable end-to-end logging process to adequately record the movements of the data to, from and within its offices. This contributed to the loss of files and CDs containing personal and special-category data.
The ICO's August letter said that while some logging procedures were in place, "such procedures do not always appear to have been documented at the time of the incidents".
“It is also noted that the policies and guidance in place at the time of the incident do not appear to provide sufficiently clear guidance in respect of the logging and transfer of data involved in these incidents,” it added.
The ICO said the CPS has since “taken remedial steps” including try to locate the lost files and CDs; risk assessments to assess the potential impact on data subjects; and data subjects being notified of the incidents where deemed appropriate. But this was not enough to avoid a reprimand.
The data watchdog said the CPS should take further steps, including ensuring there is an appropriate logging process to record the movement and handling of files, including recording when they are destroyed.
It should also make staff more aware of the logging process and issue guidance explaining how logging should be carried out, the commissioner said. Additionally, the regulator has asked the CPS to make sure it monitors and reviews logs at regular intervals to ensure all files are accounted for.
The ICO only began publishing reprimands recently, to increase transparency and encourage better compliance. It previously only made enforcement notices, fines and summaries of audit reports publicly available. Its new approach aims for fewer and smaller fines but more public reprimands for organisations failing to meet their obligations.
Reprimands set out where legislation has been breached and recommended steps for improving compliance. They also require the organisation to provide the watchdog with updates.
A CPS spokesperson said: “We regret these losses of information and continue to learn from the errors to improve the service we offer to victims and witnesses.
“We have taken on board the recommendations from the ICO and will continue to work closely with them to ensure that we comply with the law."
The CPS said it has introduced extra training and safeguards to reduce the risk of data being handled incorrectly, including mandatory annual GDPR training, recruiting dedicated information and security leads in each CPS area and directorate. It has also updated senior leaders’ performance objectives to add a requirement to ensure full compliance with data security responsibilities.
HMCTS and MoJ ‘fortunate’
The data watchdog also released reprimands to the Ministry of Justice and National Crime Agency.
It has held the MoJ responsible for HM Courts and Tribunals Service’s incorrect recording of guilty and not guilty plea records during the pandemic due to an IT error.
The ICO said “a large number” of data subjects were affected by the incident and HMCTS “could be considered fortunate that no evidence has been provided of actual detriment suffered by data subjects as a result”. While there were complaints, the watchdog said these have been resolved through letters of apology.
However, the ICO added that a majority of data subjects remain unaware of the unauthorised processing of their personal information. It is therefore still possible that a “detrimental impact has been suffered without the data subjects being aware of the cause”.
The commissioner said HMCTS had inadequately trained staff to spot the technical error and also failed to issue clear guidance once it identified the cause of the issue.
HMCTS has since corrected all affected records.
The NCA reprimand was for failing to put suitable policy, process and training in place, which led to a an arrest being wrongly extended by 18 hours.