No, this isn't a new multi-million pound blockbuster, but a £200,000 error the Crown Prosecution Service probably wishes it had never made.
On 4 November 2015 the Information Commissioner's Office (ICO) issued a £200,000 monetary penalty notice under the Data Protection Act 1998 to the Crown Prosecution Service (CPS) for the lack of effective security and controls around DVD videos of police interviews, after the videos, held on laptops at the time, were stolen from a third-party private film studio.
Imagine the scene: it's 2002 and new technologies are coming in for the recording and editing of video. So you, as a modern and practical Crown Prosecution Service, look for a company that can do this quicker, better and cheaper than you can in-house. You commission an informal six-month trial with a sole trader who has a studio in Manchester. After six months he seems to do a good job; he's no George Lucas, but you'll keep him on beyond the trial.
Now, as these things do, your 'video editing man' moves to new premises that, by all accounts, are a little lacking in basics like physical security and working CCTV. But no matter: you don't judge a supplier on where he operates, the service isn't affected, and if anything it's a nice new shiny studio.
However, on 11 September 2014 a burglar wanders past, gets into the studio, steals three laptops your video editor is currently working on and runs off with them. The police catch up with him eight days later and, as luck would have it, recover the laptops. But that's OK, isn't it? It's only 43 data subjects, you got the laptops back and there is a password on each of the laptops, right?
Well, unfortunately, no, that isn't OK, and the Information Commissioner agrees. In the ICO's decision notice the Commissioner outlines various things that were not in place here and really should have been, given the sensitivity of the data concerned. Below are extracts from the five main areas the ICO cites as the principal breaches of the DPA.
- Unencrypted DVDs containing the videos were delivered to X using a national courier firm. The sole proprietor used public transport to take the DVDs to X premises if a case was urgent.
- The CPS was not aware of any security risks posed by editing videos of police interviews at X premises either in 2002 or 2006.
- The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case.
- The CPS failed to monitor the sole proprietor in relation to any security measures taken by him.
- The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.
All the usual culprits are there:
- lack of encryption,
- lack of secure transfer of data,
- lack of third-party auditing, and
- lack of a third-party contract.
But above all, what this notice reveals is a fundamental lack of understanding or awareness of what data was being processed here. The DVDs contained information relating to witnesses and victims of crimes of a sexual or violent nature, and it is reported that at least one of the stolen files related to a high-profile individual. And that's just the DVDs on the stolen laptops. What about all the other DVDs that have passed through that studio since 2002?
While there is no evidence in the ICO's decision notice that other losses have occurred, the circumstances that allowed this theft have been in place since 2002. It may be luck that only one theft has occurred, but then again, how do we know that this is indeed the only theft?
I know that when these notices come out, those of us who have been fighting the good data protection fight for some time will pick apart the incident and say, "If you'd only done this...", but the points we raise are all valid. This is very much a case where everything is wrong; not one aspect of the situation works in the CPS's favour, apart from the fact that the laptops were eventually recovered. But as the ICO points out, there is no proof that the DVDs were not accessed, because the only protection was a password on the laptops. A login password is access control, not encryption: anyone who boots the machine from other media or lifts the disk out can read every file on it, and nothing records that they did. So technically the recovery doesn't really help you either.
To help avoid the loss of personal data there are some basic best-practice steps that organisations can take.
- Write a standard DPA clause or contract for use with any and all third-party suppliers and get it inserted in all contracts, current and future. If the current contracts already have one, fine: check that it is at the same level as your template or better and go from there.
- If it's sensitive personal data and it's leaving your premises, the basic rule is that it must be encrypted to a decent standard at all times. There is rarely an acceptable situation in which sensitive personal data leaves the business on a DVD without a decent level of encryption on it, and "decent" means a strong, properly managed key sent by a different route from the disc, not a login password on whatever laptop the disc ends up in. If such a scenario does come up, then guard and monitor it, and manage and document the risk.
- If you've got a third party going anywhere near your sensitive personal data, then watch and monitor them closely. They are as much a threat to your information as internal staff, and you wouldn't (hopefully) leave your internal staff to handle sensitive personal data in any way they see fit, so why would you for a third party?
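As a concrete illustration of the encryption point above (and of why "only a password" on a laptop is no protection at all), here is an added example of the kind of wrapping those recordings should have had before they left the building. It is not code from the original post, the ICO or the CPS: the container layout, the "label" field and the sample recording are all made up for the example. A key is derived from a passphrase with PBKDF2 and the file is sealed with AES-256-GCM, so a wrong passphrase, a tampered disc, or a disc relabelled to the wrong case all fail to decrypt rather than silently yielding garbage.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the original post). Seals a recording for transit
# on removable media: passphrase -> PBKDF2-derived key -> AES-256-GCM.
# The passphrase travels by a separate route from the disc itself.
ITERATIONS = 200_000                 # PBKDF2 work factor; raise as hardware allows
MAGIC      = "SEALED-V1".b           # hypothetical container tag, not a real format
SALT_LEN   = 16
IV_LEN     = 12                      # 96-bit nonce, the GCM default
TAG_LEN    = 16
HEADER_LEN = MAGIC.bytesize + SALT_LEN + IV_LEN + TAG_LEN

def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: 'sha256')
end

# label (e.g. a case reference) is authenticated but not encrypted, so a disc
# cannot be passed off as belonging to a different case.
def seal(plaintext, passphrase, label)
  salt = SecureRandom.random_bytes(SALT_LEN)   # fresh salt: same passphrase, different key per disc
  iv   = SecureRandom.random_bytes(IV_LEN)     # fresh nonce: never reuse with the same key
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = iv
  cipher.auth_data = label
  ciphertext = cipher.update(plaintext) + cipher.final
  MAGIC + salt + iv + cipher.auth_tag + ciphertext
end

# Returns the recording, or raises OpenSSL::Cipher::CipherError if the
# passphrase is wrong, the label differs, or any byte has been altered.
def open_sealed(blob, passphrase, label)
  raise ArgumentError, 'not a sealed recording' unless blob.byteslice(0, MAGIC.bytesize) == MAGIC
  raise ArgumentError, 'truncated file' if blob.bytesize < HEADER_LEN
  off  = MAGIC.bytesize
  salt = blob.byteslice(off, SALT_LEN); off += SALT_LEN
  iv   = blob.byteslice(off, IV_LEN);   off += IV_LEN
  tag  = blob.byteslice(off, TAG_LEN);  off += TAG_LEN
  ciphertext = blob.byteslice(off, blob.bytesize - off)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = iv
  cipher.auth_tag  = tag
  cipher.auth_data = label
  cipher.update(ciphertext) + cipher.final
end

# True when GCM rejects the blob (wrong key, wrong label or modified bytes).
def rejected?(blob, passphrase, label)
  open_sealed(blob, passphrase, label)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if __FILE__ == $PROGRAM_NAME
  recording = "constructed sample interview, not real data".b   # constructed sample
  blob = seal(recording, 'correct horse battery staple', 'CASE-0001')
  puts open_sealed(blob, 'correct horse battery staple', 'CASE-0001')
  puts "wrong passphrase rejected: #{rejected?(blob, 'password1', 'CASE-0001')}"
end
```

The point of the authenticated mode is the failure behaviour: with a plain laptop login password the thief reads the files and nobody can tell; with this wrapping, the same thief holds a blob that is useless without the passphrase, and any tampering before the disc reaches the prosecutor is rejected outright. Note that contract terms about "lockable cabinets" do not substitute for this; they only help once the data is already unreadable to anyone who takes the media.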
Having worked in the social care and legal sectors I know how easy it is to become desensitised to the data that you hold and process daily. But always remember, and be aware of, the sensitivity of the data in your hands. That is easier said than done, but once the principle is ingrained in your thinking you'll stop and think before commissioning or sending something that you really shouldn't.
Now I'm going to do some jiggery-pokery here, and bear with me as it's not going to be exact, but let's see if we can work out what the fine would be under the new General Data Protection Regulation (GDPR). I accept that this is not an exact science, as the text is still in draft and the exact mechanism for fines is not yet agreed, but let's just imagine.
Under the current framework the ICO can fine up to £500,000 for such a breach, but instead set this one at £200,000 based on the severity, compensating controls, politics and so on. That works out as two fifths, or 40%, of the maximum available.
Under the GDPR Council text, because of the level of failing here across several areas, I believe this breach would meet the definitions set out in Article 79a(3)(a) to (h). Paragraphs 1 and 2 of Article 79a also list breaches, but paragraph 1 covers relatively minor offences and paragraph 2 covers only some of the failings found here. The limit of a fine under paragraph 3 is 1 million euros or, for an undertaking, 2% of global annual turnover for the previous year. If we assume the limit would be 1 million euros (given the public-sector nature of the controller), let's apply the same percentage the ICO applied here.
40% of 1 million is 400,000 euros. At today's exchange rate (as of 13 November, according to Google) that equates to a fine of £283,556.79 under the GDPR. Not much of an increase when you think about it.
However, if the controller were an "undertaking" (currently not defined in the GDPR, although a UK definition exists) the fine could increase substantially. If we take the CPS's public finances as an example, its turnover for 2014 was £581.9 million. 2% of that is £11,638,000, and applying the same 40% gives a fine of £4,655,200 under the GDPR.
Now, as I have stated, the above is not an exact science, because the mechanisms for determining the amount of a fine are still to be agreed, but those mechanisms will need to be as proportionate as possible. Using just the current model (which the ICO seems to defend), the same incident could mean the difference between a fine of just under £300k for a public-sector body (not an undertaking) and a fine of £4.7 million for a private-sector undertaking.
Seems a little disproportionate does it not?
Scott Sammons is an Information Risk and Security Officer in the medico-legal sector and blogs as @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.