ICO (UK) - Crown Prosecution Service
From GDPRhub
| ICO - Crown Prosecution Service | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | S.40 Data Protection Act 2018 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 18.01.2024 |
| Fine: | n/a |
| Parties: | Crown Prosecution Service |
| National Case Number/Name: | Crown Prosecution Service |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | n/a |
The CPS had insufficient technical and organisational measures to ensure the security of personal data stored on personal USB devices.
English Summary
Facts
The contravention was identified following an investigation into the disclosure of an unencrypted USB device, containing personal data, to an unauthorised third party.
Holding
A contravention of the sixth data protection principle in section 40 DPA 2018 (security of processing).
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 2018 (PART 6, SECTION 149)
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
ENFORCEMENT NOTICE

To: The Crown Prosecution Service
Of: 102 Petty France, London, SW1H 9EA

1. The Crown Prosecution Service ("CPS") is a "controller" as variously defined in sections 3(6) and 32 of the Data Protection Act 2018 ("DPA 2018"). The CPS prosecutes criminal cases that have been investigated by the police and other investigative organisations in England and Wales.

2. The Information Commissioner ("the Commissioner") hereby issues CPS with an Enforcement Notice under section 149 DPA 2018. The Notice is in relation to a contravention of the sixth data protection principle set out in section 40 DPA 2018. This Notice would accordingly be issued under section 149(2)(a) DPA 2018.

3. This Notice explains the Commissioner's decision to take enforcement action. The specific steps that CPS is required to take are set out in Annex 1.

4. The Commissioner has previously served CPS with a Preliminary Enforcement Notice ("the PEN") dated 4 July 2023. CPS provided its written representations ("the Representations") in response to the PEN on 26 July 2023. The Commissioner has taken into account the entirety of the Representations when deciding to issue this Notice and refers to the Representations below when appropriate.

Legal framework for this Notice

5. DPA 2018 contains various enforcement powers in Part 6, which are exercisable by the Commissioner.

6. Section 149 DPA 2018 materially provides:

"(1) Where the Commissioner is satisfied that a person has failed, or is failing, as described in subsection (2), (3), (4) or (5), the Commissioner may give the person a written notice (an "enforcement notice") which requires the person— (a) to take steps specified in the notice, or (b) to refrain from taking steps specified in the notice, or both (and see also sections 150 and 151).
(2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following— (a) a provision of … Chapter 2 of Part 3 … of this Act (principles of processing); …
(6) An enforcement notice given in reliance on subsection (2), (3) or (5) may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure."

7. Section 150 DPA 2018 materially provides:

"(1) An enforcement notice must— (a) state what the person has failed or is failing to do, and (b) give the Commissioner's reasons for reaching that opinion.
(2) In deciding whether to give an enforcement notice in reliance on section 149(2), the Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress. …
(4) An enforcement notice may specify the time or times at which, or period or periods within which, a requirement imposed by the notice must be complied with (but see the restrictions in subsections (6) to (8))."

8. By reason of section 34(3) DPA 2018, the controller shall be responsible for, and be able to demonstrate, compliance with the sixth data protection principle in section 40 DPA 2018.

Background

9. On 18 March 2018 a CPS [redacted] ("[redacted]") copied a CPS case file concerning historic child abuse from a CPS computer system onto an unencrypted personal USB device. The [redacted] did this with the intention of passing the device to a colleague who would be dealing with the case. Therefore, the [redacted] used the USB device for CPS business and for the discharge of his employment duties. As such, at all material times the [redacted] was acting on behalf of CPS.

10. The Representations challenged the Commissioner's finding that the [redacted] used the USB device for CPS business and for the discharge of his employment duties, due to the [redacted] purportedly contravening the CPS Electronic Media Policy that was in force at the relevant time and because the [redacted] purportedly acted on his own volition and not in discharge of his employment duties, because there was no requirement for him to provide the case file to his colleague who had similar access rights to the CPS computer system and who would therefore have been able to access it via their own account/device.

11. There is nothing in the Representations that causes the Commissioner to alter his findings in paragraph 9 and not to proceed with this Notice. When initially downloading the material to the portable media device in performing his actions, the [redacted] accessed the information as part of his role and his actions were not of a nature that break the usual responsibility that a controller has for its employees – the individual was initially seeking to provide information to a colleague for a legitimate business purpose. The Commissioner has considered the CPS Investigation Report written by [redacted] which supports the Commissioner's findings in this regard. For example, the Investigation Report expressed the finding at paragraph 5.2 that "I do not believe that [the [redacted]'s] intentions went beyond a desire to share material with another in a manner convenient to himself to help in the presentation and preparation of the case." Furthermore, there is no evidence that the [redacted] was aware of the CPS' Electronic Media Policy or trained on it.

12. The Commissioner is not satisfied that there were appropriate technical or organisational measures in place to prevent the [redacted] from downloading sensitive data to a portable media device, or that there was sufficient awareness of the controller's expectations of the [redacted] in this regard. As the [redacted] had been erroneously included in an Active Directory Group, encryption software had not been downloaded to the individual's device, meaning that data was able to be downloaded to a self-procured USB without protections such as a means of preventing the USB's ability to access / download material, or by the presence of encryption software.

13. For the avoidance of doubt, the USB device that the [redacted] copied the case file to was not provided for their use by CPS. Instead, the USB device was provisioned by the [redacted] themself and belonged to them. For the purpose of this Enforcement Notice, the provisioning of the USB device by the [redacted] is referred to as "self-procurement".

14. For the further avoidance of doubt, despite having a policy in place, it was clear in response to the Commissioner's enquiries that the self-procurement of USB devices by CPS staff for use on CPS business was a practice that CPS was aware of but was not rigorously controlled through appropriate technical measures which would have reduced the prospect of a breach of this nature.

15. The Representations challenged the finding referring to the Electronic Media Policy, but there is nothing within the Representations that causes the Commissioner to alter his findings and not to proceed with this Notice. The Commissioner refers to the audit that is identified at paragraph 34(IV) below and the information provided by the CPS in response to the Commissioner's investigation.

16. The documents that were copied to the USB device included medical and social care records of the complainant in the case; police records including the incident log and investigation reports; the record of interview of the defendant; witness names and addresses; instructions to the [redacted] and related case information; and other sensitive documents. These documents contained personal data, including personal data of the highest sensitivity, the processing of which is regulated by Part 3 DPA 2018. The personal data related to approximately ten persons.

17. None of the documents containing the personal data were encrypted when stored on the USB device.

18. The documents were held by CPS for the purposes of the prosecution of a criminal offence or offences, the trial of which took place after the coming into force of DPA 2018 on 25 May 2018 ("the commencement date" for the Act). The processing of at least some of these documents constituted "sensitive processing" within the meaning of section 35 DPA 2018.

19. For the purposes of Part 3 DPA 2018, CPS is a "competent authority" within the meaning of section 30. Part 3 applied to the processing of the personal data within the documents from the commencement date. Prior to the commencement date, the processing was regulated by the Data Protection Act 1998 ("DPA 1998").

20. The [redacted] did not hand over possession of the USB device to their colleague, but instead retained possession of it with the CPS documents stored thereon, until a precise date that is unknown to the Commissioner, but is believed on the balance of probabilities to have been in August 2018, when the [redacted] gave possession of the USB device to their [redacted], so that the [redacted] could load onto it a video.

21. The trial of the case to which the documents and personal data related commenced on [redacted] and concluded later that month with the conviction of the defendant.

22. On 27 November 2018 the [redacted] made contact with the [redacted] about the USB device, having viewed some of the documents.

23. The [redacted] returned the USB device to the [redacted] on 28 November 2018. The [redacted] informed their manager at CPS of the incident on 29 November 2018 and handed in the USB device. Thereafter, CPS commenced an investigation and reported the incident as a personal data breach to the Commissioner on 4 December 2018. CPS also communicated the fact of the breach to the impacted persons.

24. Following the reporting of the breach, the Commissioner commenced an investigation. The investigation found that:

I. The [redacted] was wrongly included in an Active Directory group of approximately 1,500 persons, which gave him the ability to download a large volume of sensitive personal data to his personal, unencrypted USB device, without appropriate controls being in place.
II. Some members of the Active Directory group were able to use USB devices without the forced installation and use of CPS encryption software.
III. The CPS did not provide USB devices for its staff to use, but instead allowed a system of self-procurement of these devices by staff.
IV. The use of self-procured USB devices was not subject to supervision by CPS or asset management.
V. CPS considered that it would be a "considerable exercise" to ascertain how many members of the Active Directory group were included in error, so it could not provide the Commissioner with this information, nor could it confirm how long people had been members of the group for.
VI. CPS considered that the management of portable media was "complex", which resulted in a far greater disparity than CPS would have expected between the number of users that had write access to data and the numbers that had licences to use encryption software. Of the approximately 1,500 members of the Active Directory group, only 800 had access to CPS encryption software. Therefore, it seems likely that not every member of the Active Directory group who had the capability to copy or download data to USB drives was able to encrypt such data.

25. The Representations challenged the accuracy of the information now contained in 24.I. above. The Commissioner accepts that due to the approach adopted for the use of gender pronouns in the PEN, there was a potential for it to convey a different meaning to the one intended and the Commissioner's understanding of the evidence. Paragraph 24.I conveys the Commissioner's understanding and there is nothing in the Representations that causes him to alter his findings and not proceed with this Notice.

26. The Representations also challenged the Commissioner's findings now contained in paragraph 24.III, adopting the challenge made to paragraph 14. As such, there is nothing in the Representations to cause the Commissioner to alter his findings and not proceed with this Notice.

27. The Representations also challenged the Commissioner's findings in paragraph 24.IV, adopting the challenge made to paragraph 14. The Representations also claimed that the CPS understood the importance of maintaining comprehensive records of all approved use of USBs. However, during the course of the investigation, the CPS was asked about whether it maintained an asset register for USB devices. In response, the CPS stated that "USBs are not held on the register" and that "Asset Registers do not include USB devices". The CPS also stated, in response to a question about self-procured USBs, that "due to this limited usage and only being available should other methods not be suitable, it is not appropriate per se to include them on an asset register, as they are immediately, after use, sent outside the organisation". As such, there is nothing in the Representations to cause the Commissioner to alter his findings and not to proceed with this Notice.

The contravention

28. The Commissioner has concluded that the retention of the documents on the USB device by the [redacted] between 25 May 2018 and August 2018, followed by the passing of possession of the USB device with the documents stored thereon to the [redacted]'s [redacted], followed by the viewing of some of the contents on the device by the [redacted], constituted a personal data breach within the meaning of section 33 DPA 2018.

29. Furthermore, the Commissioner is of the view that the sixth data protection principle in section 40 DPA 2018 was contravened, due to a failure of CPS to implement appropriate technical and organisational measures for the security of personal data.

30. Section 40 materially provides:

"The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, "appropriate security" includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage)."

31. Moreover, the Commissioner notes the requirements of section 66(1) DPA 2018, which materially provides:

"(1) Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data."

32. The Commissioner is of the view that section 40 was contravened, for the following reasons:

I. CPS did not implement appropriate technical and organisational measures for the management of the Active Directory group, in that the [redacted] was included in the Active Directory group in error, with the result that they had permission to access and write personal data that they were not entitled to. Furthermore, CPS was unable to provide an account of the extent of this problem, with the result that the Commissioner considers it likely that other persons were wrongly given access and write permissions to which they were not entitled, or did not need.
II. CPS did not implement appropriate technical and organisational measures for the provisioning and use of portable media storage devices, in that due to it being aware of the use of self-procured USBs and due to its failure to implement appropriate countermeasures to manage the risks involved in their use it allowed the [redacted] to self-procure and use USB devices for the storage and transportation of highly sensitive personal data in a manner that was free of any form of formal asset control by CPS, including registration of assets and recording of their use. To all intents and purposes, the processing of the data on the [redacted]'s USB device was wholly ungoverned and free of supervision by CPS and, had it not been for the responsible conduct of the [redacted], CPS would have remained unaware of the fact that a personal data breach had occurred. In light of the foregoing, CPS did not implement appropriate technical and organisational measures to prevent, detect or respond to a personal data breach.
III. CPS did not implement appropriate technical and organisational measures for the encryption of highly sensitive personal data that were stored on the USB device.

33. The Commissioner is also of the view that CPS' position that it would be a "considerable exercise" to ascertain how many members of the Active Directory group were included in error and its position that the management of portable media was "complex", which resulted in a far greater disparity between the number of users that had write access to data and the numbers that had licences to use encryption software than CPS would have expected, is further evidence of a failure to implement appropriate technical and organisational measures for the security of personal data.

Issue of the Notice

34. The Commissioner considers that the contravention of DPA 2018 is a significant one that warrants enforcement action. His reasons for this conclusion include the following.

I. The personal data that were put at risk were of the highest sensitivity.
II. Due to the absence of appropriate technical and organisational measures, the personal data breach would have gone undetected but for the actions of a member of the public.
III. The measures that should have been adopted for asset control and encryption are basic controls for the use of portable storage media.
IV. CPS has rejected both the Commissioner's 2019 Audit recommendation that it should procure portable media such as USB drives for use by its staff, instead of allowing self-procurement by staff, and the recommendation that records should be kept of their distribution, ownership and use.
V. Without enforcement action, the risks to personal data arising from the self-procurement of USB devices by CPS personnel, which are illuminated by the personal data breach, will be unremedied.
VI. The contravention was longstanding and pre-dated the commencement date of DPA 2018.
VII. Since this incident, the CPS has reported further incidents to the ICO involving the loss of portable storage devices. The ICO therefore considers there to be an on-going issue with the use of such devices which needs to be addressed.

35. The Representations challenged the information that is now contained in paragraph 34.III, by repeating the Representations made in challenge to paragraph 24.IV. As such, they do not cause the Commissioner to alter his findings and not proceed with this Notice.

36. The Representations challenged the information that is now contained in paragraph 34.IV, by stating the rationale for the rejection of the Audit recommendations. The Commissioner relies on that rationale in support of his findings and so the Representations do not cause him to alter them and not proceed with this Notice.

37. The Representations challenged the information in the PEN that is contained in paragraph 34.V, by repeating the Representations made in challenge to paragraph 14. As such, they do not cause the Commissioner to alter his findings and not proceed with this Notice.

38. The Commissioner therefore requires CPS to take the steps set out in Annex 1.

39. The Commissioner considered, as he is required to do under section 150(2) DPA 2018 when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner considers that there was clear potential for distress to have been suffered by the impacted data subjects, due to the overall context of the case and the nature of the data involved.

40. Moreover, CPS has also recognised that the personal data breach may have caused significant emotional distress to those data subjects.

41. However, the Commissioner considers compliance with the provisions of DPA 2018 referred to above to be a matter of central importance to data protection law. Even if a failure to comply has not, or is not likely to, cause any person damage or distress, the issue of this Enforcement Notice to compel compliance would nonetheless be an appropriate exercise of the Commissioner's enforcement powers.

42. The Commissioner has considered whether it is practicable for CPS to comply with the requirements of Annex 1. In this regard the Commissioner notes that the requirements are basic ones for the procurement, use and tracking of portable data storage media and they are proportionate to the facts in issue in this case.

43. Having regard to the significant nature of the contravention, the scale of the personal data being processed and the context in which it is processed, the Commissioner considers that this Enforcement Notice is a proportionate regulatory step to bring CPS into compliance.

44. The Commissioner has also had regard to the desirability of promoting economic growth, and the potential impact his Notice might have. The Commissioner considers the proposed enforcement action is unlikely to have an impact on any measure of economic activity or growth in the UK.

Terms of the Notice

45. The Commissioner therefore exercises his powers under section 149 DPA 2018 to serve an Enforcement Notice requiring CPS to take specified steps to comply with the DPA 2018. The terms of the proposed Notice are set out in Annex 1 of this Notice.

Consequences of failing to comply with an Enforcement Notice

46. If a person fails to comply with an Enforcement Notice the Commissioner may serve a penalty notice on that person under section 155(1)(b) DPA requiring payment of an amount up to £17,500,000 or 4% of an undertaking's total annual worldwide turnover, whichever is the higher.

Right of appeal

47. By virtue of section 162(1)(c) DPA there is a right of appeal against this Notice to the First-tier Tribunal (Information Rights). If an appeal is brought against this Notice, it need not be complied with pending determination or withdrawal of that appeal. Information about the appeals process may be obtained from:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk

48. Any Notice of Appeal should be served on the Tribunal within 28 calendar days of the date on which this Notice is sent.

Dated the 20th day of December 2023

Signed: Anthony Luhman
Director PACE Projects and Temporary Director of Investigations
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1
TERMS OF THE ENFORCEMENT NOTICE

By no later than 3 months of issue of the notice CPS shall take the following steps:

1. Implement appropriate technical and organisational measures to prohibit and prevent the use by CPS personnel of self-procured USB portable storage devices for the storage, transportation and related processing of personal data of which CPS is the controller.
2. Implement appropriate technical and organisational measures to provision the use of CPS-procured USB portable storage devices by CPS personnel for the storage, transportation and related processing of personal data of which CPS is the controller.
3. Implement appropriate technical and organisational measures for the purposes of asset management of CPS-procured USB portable storage devices, including the registration of the procurement of these assets, requests for use of these assets, distribution of these assets, sharing of these assets with third parties, such as law enforcement agencies and the courts, and the timely return of these assets.
4. Implement appropriate technical and organisational measures to ensure that the use of CPS-procured USB portable storage devices complies with CPS policies and procedures for data protection, including security principles and the implementation of measures such as device or file encryption.
5. Implement appropriate technical and organisational measures to limit the use of CPS-procured USB portable storage devices, taking account of the overall risks of their use, the context of processing and the presence of available alternatives to their use such as secure file transfer using the Egress solution or related solutions approved by the National Cyber Security Centre.
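The access review that findings 24.I and 24.VI of the notice describe as missing, written here as an added example (it is not CPS's or the ICO's code): it reconciles a constructed export of the Active Directory group that confers USB write access against a constructed list of encryption-software licence holders, and reports members whose role does not entitle them to the group and members who can write to USB without any encryption licence. The CSV column names, the entitled roles and the sample accounts are assumptions.

```python
"""Access review for an AD group that confers USB write access (added example).

Models findings 24.I and 24.VI of the notice: group membership allowed writing
data to USB, only some members held an encryption-software licence, and the
controller could not say who was in the group in error. Column names, entitled
roles and sample accounts are constructed assumptions, not CPS's own data.
"""
import csv
import io
from dataclasses import dataclass

# Roles assumed to have a business need for removable-media write access.
ENTITLED_ROLES = {"prosecutor", "paralegal officer"}

# Constructed export of the AD group; a real review would read files instead.
GROUP_EXPORT = """sAMAccountName,displayName,role
alice.p,Alice P,Prosecutor
bob.q,Bob Q,Paralegal Officer
carol.r,Carol R,Facilities Assistant
dave.s,Dave S,Prosecutor
erin.t,Erin T,IT Contractor
"""

# Constructed export of encryption-software licence holders.
LICENCE_EXPORT = """sAMAccountName
alice.p
bob.q
erin.t
frank.u
"""

@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    issue: str  # "membership_in_error" or "write_without_encryption"

def parse_group_export(text: str) -> dict[str, str]:
    """Map each member's account name to its lower-cased role."""
    return {row["sAMAccountName"].strip().lower(): row["role"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}

def parse_licence_export(text: str) -> set[str]:
    """Return the account names holding an encryption licence."""
    return {row["sAMAccountName"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}

def reconcile(members: dict[str, str], licensed: set[str]) -> list[Finding]:
    """Flag members whose role does not entitle them to the group, and members
    who can write to USB without any encryption licence (the notice's gap)."""
    findings = []
    for user, role in sorted(members.items()):
        if role not in ENTITLED_ROLES:
            findings.append(Finding(user, role, "membership_in_error"))
        if user not in licensed:
            findings.append(Finding(user, role, "write_without_encryption"))
    return findings

def summarise(members: dict[str, str], licensed: set[str]) -> dict[str, int]:
    """Headline figures of the kind the notice compares (1,500 members vs 800 licences)."""
    issues = [f.issue for f in reconcile(members, licensed)]
    return {
        "group_size": len(members),
        "licensed_in_group": len(set(members) & licensed),
        "write_without_encryption": issues.count("write_without_encryption"),
        "membership_in_error": issues.count("membership_in_error"),
        "licences_outside_group": len(licensed - set(members)),
    }

def run_review(group_csv: str = GROUP_EXPORT, licence_csv: str = LICENCE_EXPORT):
    members, licensed = parse_group_export(group_csv), parse_licence_export(licence_csv)
    return reconcile(members, licensed), summarise(members, licensed)

if __name__ == "__main__":
    for f in run_review()[0]:
        print(f"{f.issue:25} {f.user} ({f.role})")
```

Run periodically against fresh exports, the "membership_in_error" and "write_without_encryption" lists are the evidence the controller in this case could not produce when asked how many group members were included in error.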