Data breaches involving the Crown Prosecution Service
Request and responses
Under the Freedom of Information Act 2000, I kindly request the following information regarding data breaches involving the Crown Prosecution Service (CPS):
The Crown Prosecution Service (CPS) does hold some recorded information falling within the scope of your request and I will address each of your questions below accordingly.
- Unredacted Material Received from Police
How many incidents of data breaches have been identified in the last 36 months where unredacted or improperly redacted material was provided to the CPS by police forces?
- Specific to Staffordshire Police
How many of these incidents involved material supplied by Staffordshire Police?
- Sensitive Case Categories
Of the identified data breaches in the last 36 months, how many involved cases under investigation for:
Sexual offences?
All other offences?
In response to your questions 1, 2 and 3:
The CPS does not collate such information, as the CPS does not have a breach category concerning unredacted or improperly redacted material provided to the CPS by police forces. By way of further explanation, such material received by the CPS would not typically qualify as a breach; rather, it would be categorised as a failure to redact material correctly. It would only constitute a breach if the improperly redacted material was subsequently disclosed inappropriately by the CPS.
We do, however, in our annual report, publish a summary of personal data-related incidents formally reported to the Information Commissioner’s Office (ICO), and our most recent reports covering the last 36 months can be found here:
Annual Report and Accounts 2023–2024
Annual Report and Accounts 2022–2023 – HC 1461
Annual Report and Accounts 2021–2022
- Internal Handling of Sensitive Material
How many data breaches have occurred within the CPS in the last 36 months regarding sensitive or personal information related to criminal cases?
- Referrals to the ICO
How many data breaches within the CPS have been referred to the ICO in the last 36 months?
In response to questions 4 and 5, and as alluded to in our response to your question 1, this is information publicly available on the CPS website and therefore is exempt and withheld from disclosure under Section 21 (‘Information accessible to applicant by other means’) of the FOIA.
The section 17 Refusal Notice below explains this exemption in further detail, albeit we have provided you with the links to that information above.
- Procedures for Data Breaches
What is the CPS’s protocol for identifying, reporting, and rectifying data breaches involving sensitive or unredacted materials?
In accordance with Cabinet Office (CO) requirements for Government Departments, the Data Protection Officer (DPO), supported by the Operational Security Team (OST), ensures an effective system is in place for detecting, reporting, and addressing security breaches. OST maintains a record of all reported incidents and breaches, coordinates responses, offers security guidance, and assists Areas and Security & Information Managers (SIMs) in managing breaches effectively. OST’s breach management process involves documenting the nature, scope, and impact of each incident, collaborating with relevant departments on remedial actions, and monitoring the effectiveness of responses to prevent recurrence.
With the implementation of the General Data Protection Regulation (UK GDPR) in May 2018, integrated into the Data Protection Act 2018 (DPA 2018), all breaches posing a perceived risk must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. To meet this requirement, breaches must first be reported to OST within 24 hours for an initial review and assessment.
- Disciplinary Actions
How many disciplinary actions have been taken within the CPS in the last 36 months in relation to data breaches?
There have been 22 data breaches in the last 36 months (period of 5/12/21 to 5/12/24) which have been managed under the CPS’s Discipline Policy. A breakdown, by year, is below:
| Year | Cases |
|---|---|
| 2021 | Nil |
| 2022 | 8 |
| 2023 | 4 |
| 2024 | 10 |
- Audits and Reviews
Has the CPS conducted any systematic audits or reviews of its data handling practices in the last 36 months? If so, were any specific recommendations made or deficiencies identified?
In terms of ‘systematic audits or reviews’ of our data handling practices, I can confirm that the CPS commissions the Government Internal Audit Agency (GIAA) to conduct function-specific audits across various aspects of CPS business.
GIAA has carried out the following audits that fall within scope of your request.
- Rights of Access Requests (ROAR) – This audit considered ROAR processes and was completed in November 2022. The auditors made 4 recommendations – 1 Medium and 3 Low, all of which were addressed.
- Freedom of Information (FOI) – This audit sought to test whether robust procedures and controls were in place to ensure those requests are handled appropriately, responses are provided in a timely manner and legislative requirements are met. The report, released in August 2023, made 7 recommendations (1 Medium and 6 Low), all of which have been addressed.
- Records Management Audit – This audit sought to identify records management challenges and ensure they are being managed sufficiently by the CPS. The report was published in June 2022 and made 14 recommendations (2 High, 7 Medium and 5 Low); the majority of recommendations were addressed. A follow-up audit was undertaken in February 2024 and made 7 recommendations (5 Medium and 2 Low); the majority have been addressed.
You may also find our Information Management Policy of use and this can be accessed here:
Information Management Policy | The Crown Prosecution Service
- Training and Prevention Measures
What training or preventive measures have been implemented to reduce the risk of data breaches, particularly regarding the handling of sensitive materials provided by police forces?
To mitigate data breach risks, CPS has implemented:
- Training: all staff undergo bespoke training tailored to address the specific challenges of handling sensitive data.
- Annual Data Protection training: all staff complete mandatory Data Protection training to ensure that they are well-versed in data protection principles. This covers breach awareness and the handling of casework material.
- Continuous education and awareness: to enable staff to maintain a high standard of vigilance, all staff are regularly updated on best practices, emerging threats, and policy changes related to data security.
- Redaction course: the CPS also runs a redaction course, which supports the Redaction Manual of Guidance. The course covers why redaction is important, redaction roles and responsibilities in preventing security breaches, and practical exercises in how and what to redact, in order to support staff.
Additional Notes:
Please provide data broken down by year, where available, and any further context on how such breaches were resolved or addressed. If any part of this request is unclear or exceeds the cost limit, I kindly request assistance in refining it.
We have addressed your additional notes in our response above.
S17 Notice under the Freedom of Information Act 2000
WITHHOLDING INFORMATION
Section 21 (Information accessible to applicant by other means) states:
(1) Information which is reasonably accessible to the applicant otherwise than under section 1 is exempt information.
(2) For the purposes of subsection (1)—
(a) Information may be reasonably accessible to the applicant even though it is accessible only on payment, and
(b) Information is to be taken to be reasonably accessible to the applicant if it is information which the public authority or any other person is obliged by or under any enactment to communicate (otherwise than by making the information available for inspection) to members of the public on request, whether free of charge or on payment.
(3) For the purposes of subsection (1), information which is held by a public authority and does not fall within subsection (2)(b) is not to be regarded as reasonably accessible to the applicant merely because the information is available from the public authority itself on request, unless the information is made available in accordance with the authority’s publication scheme and any payment required is specified in, or determined in accordance with, the scheme.
Section 21 is an absolute exemption, which means there is no requirement to carry out a public interest test if the requested information is exempt.