Data protection arrangements should be reviewed in the modern world of social media and cybercrime, a specialist solicitor has said, after it emerged the Crown Prosecution Service delivered unencrypted DVDs to a film studio for 12 years.
The CPS was fined £200,000 by the Information Commissioner’s Office for failing to secure recorded police interviews with victims and witnesses.
Publishing news of the fine on its website, the ICO said two laptops containing videos of police interviews with 43 victims and witnesses were stolen from a private film studio last year.
The videos involved 31 investigations, ‘nearly all of which were ongoing and of a violent or sexual nature’, the ICO said.
Solicitor Peter Wright, chair of the Law Society technology and reference group, said: ‘People forget that video and audio recordings are still personal data under the Data Protection Act and need as much protection as a list of sort codes and account numbers or a set of medical records.
‘Any arrangements that pre-date 2010 should be reviewed to ensure that they comply correctly with the act and how it applies in the modern world of social media, big data, hacking, e-commerce, cybercrime and the cloud, none of which existed when the act first came in.’
The Manchester-based film company used a residential flat as a studio, which had no alarm and ‘insufficient’ security.
The studio was burgled on 11 September last year. The laptops, which were left on a desk, were password protected but not encrypted. The police recovered the laptops eight days later.
‘As far as the commissioner is aware, the laptops had not been accessed by anyone else,’ the ICO statement said.
The CPS reported the incident to the ICO and informed the victims and witnesses involved, the statement said. The ICO received complaints from three affected people.
‘As part of its investigation, the ICO learned that the CPS had been using the same film company since 2002,’ the statement said.
‘The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.
‘The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach on 11 September 2014.’
The CPS said on its website that it was a ‘matter of real regret’ that sensitive information ‘was not held more securely by our external contractor, and that we, as an organisation, failed to ensure that it was’.
It added: ‘It is vital that victims of crime feel confident that breaches like this will not happen and, following a full review after this incident, we have strengthened arrangements for the safe and secure handling of sensitive material.’