Directors report
Our Board
Non-executive board members
Executive board members
Independent committee members
Senior leadership team
Our senior leaders below are responsible for the day-to-day running and strategic development of CPS. Their work covers all aspects of the organisation, from prosecution policy to communications and from finance to digital services.
Whistleblowing arrangements
It is important the CPS offers a safe and inclusive place to work; where everyone feels comfortable to speak up if they experience or witness anything that concerns them at work. Whistleblowing has a clear legal basis, and a common approach is taken across the Civil Service, including CPS.
All concerns raised under the Whistleblowing (and Raising a Concern) Policy are reported to, or via the Nominated Officer (NO) The primary role of the NO is to support and advise individuals who have concerns, provide reassurance about the protection offered under the whistleblowing policy/procedure, and to be an impartial point of contact for individuals, managers, intermediaries, and investigators as appropriate. They also have responsibility for recording and monitoring concerns to ensure they are appropriately managed, and for assuring that the arrangement in place at the CPS are operating effectively.
In November 2025, an internal whistleblowing health check was undertaken, using the Government People Group assurance tool. Assurance is governed through five key indicators, which are:
- Process for raising a concern (is there a process and is it easily accessed?)
- Leaders role modelling behaviour (do leaders understand their role and enact it?)
- Skilled managers and Nominated Officers (are Nominated Officers identified and active?)
- Issues identified and addressed (method of capturing concerns, data monitored)
- Employee engagement (how confident are employees that concerns will be investigated?)
The health check established that the scope of the policy was in line with the Civil Service model policy and principles and that there was a clear and effective process in place for raising concerns. However, it is accepted that there always remain opportunities to further promote the policy and raise awareness.
During 2025, Speak Out week took place in October and included a blog by the Speak Out Champion (SOC) and drop-in events. In July, the Whistleblower’s Experience Survey was issued to those who had reported a concern to the NO.
Security and information assurance
Data security
The Director General Legal Delivery is our Senior Information Risk Owner. They are a member of the CPS’ Executive Committee and accountable for the security of our data and compliance with key legislation. They also provide advice and guidance to the Information Asset Owners across the CPS. A new Insider Risk Stakeholder Group was established in November 2025 to complement our Information Governance Group. The Audit and Risk Committee receive regular reports on all aspects of security.
Personal data-related incidents
A summary of personal data-related incidents in 2025-26 is set out below.
Personal data incidents reported to the Information Commissioner’s Office (ICO) in 2025-26:
Period
Nature of incident
Nature of data involved
Number of people potentially affected
April to June 2025
None
None
0
None
July to September 2025
Data Handling Loss
Personal data related to casework material
3
Operational Security Notified and Breaches reported to the ICO
October to December 2025 Unauthorised Disclosure
Personal data related to casework material
1
Operational Security Notified and Breaches reported to the ICO
January to March 2026
None
None
0
None
Total personal data incidents in 2025-26:
Category
Total reported in 2025-26
(2024-25)Explanatory note
Data handling losses
71
(50)
In 70 of these incidents the data loss was minor and recovered. One incident was referred to the ICO (details above).
Unauthorised disclosure
2,473
(2,188)
In 2,472 of these incidents the data loss was minor and contained within the criminal justice profession, who are bound to professional standards of data protection.
Risk assessments were undertaken where appropriate, to mitigate or remove any risk. One incident was referred to the ICO (details above).
Lost/ stolen ICT equipment
30
(42)
In all incidents the devices were successfully deactivated. All devices were encrypted to government standards; therefore, no CPS data was compromised.