‘Serious’ CPS errors led to data security breaches

Blunders made by Crown Prosecution Service (CPS) staff included sharing a victim’s unredacted medical notes and pictures of a victim’s injuries which included their date of birth on a hospital wrist band, disclosing the address of a member of the public who reported an incident and the personal details of other witnesses, according to a watchdog.

In other incidents, staff sent the wrong set of previous convictions for a defendant to defence teams or the court.

Victims’ Commissioner for England and Wales Dame Vera Baird branded the findings “alarming” and urged the Director of Public Prosecutions to “work with some urgency to redress this situation and restore victims’ trust in the CPS”.

Her Majesty’s Crown Prosecution Service Inspectorate (HMCPSI) examined 700 cases between February and July in 14 parts of the country to see how effectively they are handled by the CPS before the first hearing in the magistrates’ courts.

Inspectors found that 98 of those cases contained a security beach, according to a report of the findings.

The CPS was able to prevent further breaches in 10 of those cases.

HMCPSI head of inspection Anthony Rogers said: “In preparing a case for prosecution the CPS must process sensitive information effectively if it is to protect victims and witnesses.

“That information may vary from the name of a shop that has been targeted for theft, to the names and addresses of rape victims.

“In most cases it does this well, although the findings of this report highlight a level of security breaches that must give rise to serious concern.”

He said the public needs to be “confident that their information and personal data is being handled safely and correctly when they provide evidence to assist an investigation or support a prosecution”, adding: “It’s clear there is much the CPS needs to do to earn that confidence.”

The body needs to make sure it has the right systems in place for dealing with casework and continue working with police on how information is handled, he said.

Dame Vera told the PA news agency: “These are alarming findings.

“The CPS has a clear duty to victims, witnesses and the wider public to make sure documents are processed securely and in line with data security requirements. This is evidently not happening.

“These breaches include personal, intimate details of some of the most vulnerable people. These individuals entrusted the CPS with their personal information and have been sorely let down.”

The report’s finding that there “appears to be a culture of defeated acceptance that no matter what training, processes and systems are introduced, there will always be breaches, with data that should have been redacted being sent out, because of what is received from the police”, was “rubbing salt in the wound”, she added.

Criminal casefiles are made by police as part of investigations and then sent electronically to the CPS.

Previously police have identified sensitive information that should not be disclosed in the files before passing them on but this no longer happens to the same extent, leaving the CPS “struggling to manage the additional burden”, the report said.

Inspectors also raised that in some areas, CPS policy allowed staff to make up to five breaches before needing more training.

Although the CPS has worked hard to improve security, roll out training and be more efficient, the findings “show that there is still much to do”, inspectors said.

The report added that there was a “clear culture” in the CPS that staff knew they had to look out for security breaches and redact material but there was a “lack of consistent national guidance to help staff determine what does and does not need to be redacted from casefile material”.

Staff said the guidance in place was complex and difficult to understand.

A CPS spokesman said: “The CPS takes the management of sensitive data extremely seriously and accepts all of the report’s recommendations.

“We are in the process of producing national guidance to make sure our approach is rigorous and consistent and we are working closely with police colleagues to make sure redaction processes are in place.

“Further staff training will also take place on reducing data breach incidents and making sure personal data is securely handled in line with national security guidelines.”