Independent assessors of the Crown Prosecution Service (CPS) have discovered that prosecutors in England and Wales are routinely guilty of data breaches.
Her Majesty’s Crown Prosecution Service Inspectorate (HMCPSI) inspects the Crown Prosecution Service. It provides independently assessed evidence to help drive improvement and build public confidence in the prosecution process. However, according to a new HMCPSI report, of 700 cases reviewed between February and July 2020, 98 contained security breaches. HMCPSI described many of these breaches as “serious”.
Mistakes by CPS staff included:
- sharing a victim’s unredacted medical notes
- sharing pictures of a victim’s injuries which included their date of birth on a hospital wristband
- disclosing the address of a member of the public who reported an incident
- disclosing the personal details of other witnesses
- Sending the wrong set of previous convictions for a defendant to defence teams or the court.
The inspection focused on the controls the CPS has in place to make sure that case information is managed securely and appropriately. In total, of the cases examined, 14% contained a security breach. In most cases (61%) the breach was the result of unauthorised disclosure of information included in the body of a witness statement. Given the level of violations identified, the report also noted that it is “somewhat surprising that there is no formal quality check or assurance process to support the identification and logging of breaches”.
A serious breach of trust
These breaches could seriously endanger the public and lead to significant levels of distress. HMCPSI head of inspection Anthony Rogers said that the findings “highlight a level of security breaches that must give rise to serious concern.”
Likewise, Dame Vera Baird, the Victims’ Commissioner for England and Wales has described the findings as “alarming”. She said:
“The CPS has a clear duty to victims, witnesses and the wider public to make sure documents are processed securely and in line with data security requirements. This is evidently not happening.
“These breaches include personal, intimate details of some of the most vulnerable people. These individuals entrusted the CPS with their personal information and have been sorely let down.”
A culture of data breaches?
In its report, HMCPSI did acknowledge the burden placed on CPS staff to ensure personal data is robustly protected. And the report stated that CPS staff knew they had to look out for security breaches and redact sensitive material.
Nevertheless, HMCPSI found there to be a “lack of consistent national guidance to help staff determine what does and does not need to be redacted from casefile material”. Furthermore, employees told inspectors that the guidance in place was complex and difficult to understand. Moreover, in some areas, CPS policy allowed staff to make up to five breaches before wanting more training.
Responding to the report, a CPS spokesperson said:
“The CPS takes the management of sensitive data extremely seriously and accepts all of the report’s recommendations.
“We are in the process of producing national guidance to make sure our approach is rigorous and consistent and we are working closely with police colleagues to make sure redaction processes are in place.
“Further staff training will also take place on reducing data breach incidents and making sure personal data is securely handled in line with national security guidelines.”
What can you do if your data was put at risk by the CPS?
The criminal justice system handles a lot of sensitive personal data and it is vital that this is robustly protected, and that everyone working within the sector knows how to handle this information securely. However, all too often, this is not happening.
If you have been a victim of a Crown Prosecution Service data breach, Keller Lenkner UK can help you to make a compensation claim.