Data Protection - are reviews needed after breach?
There are calls for data protection arrangements to be reviewed after it emerged that the Crown Prosecution Service (CPS) had been delivering unencrypted DVDs to a film studio for 12 years.
The CPS was fined £200,000 by the Information Commissioner’s Office (ICO) for failing to secure recorded police interviews with victims and witnesses – most of which related to ongoing investigations and were of a violent or sexual nature.
The private studio was burgled in September last year and two laptops containing the videos were stolen. The laptops, which had been left on a desk, were password protected but not encrypted, and the studio had no alarm and insufficient security.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/11/cps-fined-200-000-for-failing-to-keep-recorded-police-interviews-with-victims-and-witnesses-secure/
According to the Law Society Gazette, solicitor Peter Wright, chair of the Law Society Technology and Reference Group, has now called for any arrangements that pre-date 2010 to be reviewed. This is to ensure that they comply with the Data Protection Act as it applies in the modern world of social media, big data, hacking, e-commerce, cybercrime and the cloud – none of which existed when the Act first came in.
http://www.lawgazette.co.uk/law/cps-fine-sparks-call-for-data-protection-rethink/5052004.fullarticle
The Data Protection Act controls how personal information is to be used by organisations, businesses or the Government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
There is stronger legal protection for more sensitive information, such as:
Although the laptops were recovered, the ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost. The CPS delivered unencrypted DVDs to the studio using a national courier firm. If a case was urgent, the studio’s sole proprietor would collect the unencrypted DVD from the CPS in person and take it to the studio by public transport.
The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach.