The Crown Prosecution Service must implement appropriate measures to prevent the use of USB devices for the storage, transportation and processing of personal data, the Information Commissioner’s Office has ordered.

However the CPS said it is considering appealing an enforcement notice issued over the copying of a case file concerning historical child abuse onto an unencrypted personal USB device.

In a redacted enforcement notice, the ICO said someone at the CPS had copied the case file from an internal system onto a USB device to pass on to a colleague dealing with the case. The ICO said the incident constituted a personal data breach and the CPS failed to ‘implement appropriate technical and organisational measures for the security of personal data’.

It said it was ‘not satisfied that there were appropriate technical or organisational measures in place’ to prevent the anonymous individual from downloading sensitive data to the USB or ‘that there was sufficient awareness of controller’s expectations of the in this regard’.

It added that staff using their own USB devices for CPS business was a practice that the organisation was aware of but ‘was not rigorously controlled through appropriate technical measures which would have reduced the prospect of a breach of this nature’.

Documents copied included medical and social care records of the complainant in the case; police records including the incident log and investigation reports; the record of interview of the defendant; witness names and addresses, and other sensitive documents.

The ICO said the documents contained personal data ‘of the highest sensitivity’.

The enforcement notice also orders the organisation to limit the use of USB devices and ensure their use complies with data protection procedures. 

A CPS spokesperson said: 'We have considered the Information Commissioners Office’s assessment of this incident from 2018 and have advised them that we are considering appealing their decision.'

 

Topics