Skip to main content

Accessibility controls

Contrast
Main content area

Privacy Notice - Crown Prosecution Service (CPS)

This Privacy Notice is for anyone who has dealings with the Crown Prosecution Service (CPS) whether in connection with a prosecution or through correspondence. It applies to any personal data we hold about you for any reason.

It sets out the standards you can expect when we hold your personal data, in some cases this incudes your sensitive personal data, as well as other privacy information which we are obliged to provide.

The CPS is the data controller for all data referred to below. The CPS’ Data Protection Officer can be contacted at the following address:

Jackie Ronchetti
Data Protection Officer, Crown Prosecution Service
102 Petty France
Westminster
London
SW1H 9EA

Why we process personal data

We need to handle personal data in order to prosecute criminal cases. The majority of the personal data we hold is passed to us by the police in order that we can determine whether or not to prosecute. In general, personal data is held by the CPS about defendants, victims / witnesses and others involved in the Criminal Justice System within criminal case files.

In certain cases, we process personal data within criminal case files for non-law enforcement purposes such as managing media relations, audit purposes and our work with local Scrutiny Panels to improve casework quality and demonstrate transparency around decision making.

We will only process personal data when it is lawful to do so and where it is necessary and proportionate.

Categories of personal data processed by the CPS within a criminal case file

The list of data categories that can be found within the prosecution case file can be found at Annex A of this Privacy Notice.

Personal data processed within criminal case files will predominantly contain data relating to the commission, or alleged commission, of an offence. However it is likely that other sensitive categories will also be processed where they relate directly to a criminal case. The full definition of sensitive personal data is defined in the UK General Data Protection Regulation (GDPR) as:

‘Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.

Within criminal case files this is likely to include, but not be limited to, racial or ethnic origin, physical or mental health contained within medical records for example and sexual orientation.

Legal Basis for processing personal data for law enforcement purposes

The processing will fall under part 3 of the Data Protection Act 2018 as the CPS processes data for the purpose of conducting criminal prosecutions.

Should you wish to view a more detailed explanation of the legal basis for processing it can be found at Annex B of this Privacy Notice.

Legal Basis for processing personal data within criminal cases for non-law enforcement purposes

Where the CPS processes personal data within criminal case files for non-law enforcement purposes, the processing will fall under the UK GDPR and the Data Protection Act 2018 (DPA 2018). There are a number of requirements listed in the DPA 2018 to ensure this is lawful, and a detailed explanation of how the CPS achieves this can be found at Annex C of this Privacy Notice.

How we process personal data

This section sets out how we look after personal data. We commit to:

  • protect it and ensure that nobody has access to it inappropriately;
  • make sure we don’t keep it longer than necessary;

Data received from the police may only be disclosed to those persons/organisations that are listed within this Privacy Notice, where they have a legitimate need to access it.

The CPS is required to share information with other parties under various Acts of Parliament and Statutory Instruments including the Criminal Procedure and Investigations Act 1996 and the Criminal Procedure Rules. It is intended that in appropriate circumstances, as part of the ordinary business of the CPS and to meet the requirements of criminal justice, relevant personal data may be disclosed to:

  • Solicitors acting for defendants;
  • Defendants in person;
  • Solicitors acting for third parties;
  • Solicitors acting for the CPS;
  • The Police;
  • Other Law Enforcement agencies;
  • Persons/Organisations providing support services for victims and witnesses;
  • Victims and witnesses;
  • Barrister for the defendant;
  • Barrister for the prosecution;
  • Magistrates’ Courts;
  • Crown Courts;
  • High Court;
  • Appeal Courts;
  • Probation Service;
  • Prison Service;
  • Youth Offending Teams;
  • Home Office;
  • Organisations with statutory audit obligations;
  • Others with a legitimate interest in the data;
  • Overseas authorities (in respect of cases where a Mutual Legal Assistance request needs to be made in a case).

In the rare circumstances where we collect information directly from you, we will:

  • make sure you know why we need it;
  • ask only for what we need, and not collect too much information or irrelevant information;
  • Ensure that any sharing of personal information with other organisations is fair and lawful.

In dealing with your personal information, we will also:

  • value the personal information entrusted to us and make sure we respect that trust;
  • abide by the law when it comes to handling personal information;
  • consider the privacy risks when we are planning to use or hold personal information in new ways, such as when introducing new systems;
  • provide training to staff who handle personal information and respond appropriately if personal information is not used or protected properly.

To ensure we keep your information reliable and up to date, in return, we ask you, where applicable, to:

  • give us accurate information;
  • tell us as soon as possible if there are any changes to the information we hold about you, such as a new address, telephone number, email address and name change.

Civil Proceedings

In addition to criminal prosecution, the CPS also has other powers in relation to civil law, notably Civil Recovery under the Proceeds of Crime Act 2002.

We need to handle personal data in order to progress this casework. The safeguards and processes as detailed above apply to this casework. This processing also falls under part 3 of the Data Protection Act 2018.

Part 10 of the Proceeds of Crime Act provides that information obtained for another purpose can be used in Civil Recovery cases and also gives an explicit basis for receiving and passing on information.

Retention of your personal data

The CPS Retention and Disposal Policy is published on the CPS website. This document sets out the length of time we will hold material within criminal cases. The CPS will adhere to this retention and disposal policy unless a legal obligation - for example a Statutory Inquiry - requires us to keep the data for longer.

How to find out what information we hold about you

The DPA 2018 gives you the right to seek a copy of the information the CPS holds about you; such a request for is known as a ‘right of access’ request. Should you wish to exercise this right, please use the following contact information.

Contact

Information Access Team
Crown Prosecution Service
102 Petty France
Westminster
London
SW1H 9EA

IAT@cps.gov.uk

How to exercise other rights available to you under the Data Protection Act 2018

The Act also gives you various other rights:

  • Rectification - i.e. correction of inaccurate personal date;
  • Erasure - i.e. removal of personal data;
  • Restriction of processing - i.e. limit the further processing of data we hold;
  • Right of data portability - i.e. to receive the personal data we hold and have it transferred to another Data Controller;
  • Object - i.e. to object to us using personal data about you
  • Automated decision making - i.e. not to be subject to a decision based solely on automated processing.

To exercise any of these  rights please contact the Data Protection Compliance Team at the above postal address or by email: GDPREnquiries@cps.gov.uk

Making a complaint to the CPS

If you wish to make a complaint about the way your personal data has been handled please put it in writing to:

Jackie Ronchetti
CPS Data Protection Officer
Head of the Security and Information Assurance Division
Crown Prosecution Service
102 Petty France
Westminster
London SW1H 9EA

DataProtectionOfficer@cps.gov.uk

Making a complaint to the Information Commissioner

For independent advice about the Data Protection Act 2018, contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 08456 306060 or 01625 545745

Annex A - Data Categories

  • Defendant details, including ethnicity, next of kin and family details
  • Defence firm details - telephone numbers and email, including personal secure email
  • Details of Chambers
  • Victim/Witness details, including alternative contacts
  • Personal data of Police Officers
  • Previous conviction data for defendants and witnesses
  • Hearing Record Sheets
  • Intelligence data
  • Particulars of the crime
  • Expert Witness details/reports
  • Interpreter details
  • Exhibits/statements - used and unused material
  • MG6 Series - used and unused material - sensitive
  • Photographic Evidence
  • Domestic abuse check list - additional information outside of statements, can be linked to children’s data and social services
  • Charging decisions
  • Legal skeleton arguments
  • Emails to Counsel
  • Records of speaking to witnesses at court, including phone records, audit logs, records of conversations
  • Referrals to victim support service
  • Victim’s Right to Review - records of conversations, e-mails from victim and/or witness, audio file of full conversation can be placed on CMS (the CPS Case Management System)
  • Hearing Results.

Proceeds of Crime cases

  • Bank Account details
  • Property abroad or other assets
  • Restraint Orders
  • Receivership Orders
  • Confiscation Orders
  • Compliance Orders
  • Liaison with His Majesty's Revenue and Customs
  • Liaison with Department of Work and Pensions
    Liaison with pension providers (and others)
  • Calculations of monies owed and monies available
  • Management and enforcement receivers
  • Civil recovery.

International Cooperation and Extradition Cases

  • Information supplied by a foreign government, judicial authority, prosecutor, or law enforcement agency for the purposes of extradition, investigation, or prosecution and asset recovery proceedings
  • Correspondence with Liaison Magistrates and prosecutors.

Special Crime and Counter Terrorism Cases

  • Casework involving MPs, police officers or other high profile figures.

Annex B - Detailed explanation of the legal basis for processing

Section 35 of the Data Protection Act (2018), the first data protection principle, states the following:

1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.

2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either-
a)   the data subject has given consent to the processing for that purpose, or
b)   the processing is necessary for the performance of a task carried out for
that purpose by a competent authority.

The CPS relies upon 35(2)(b) as we do not rely upon consent for process data of this nature. Section 35(3) states:

In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).

Subsection 5 provides the case we rely upon for the processing of this data:

Section 35(5): The second case is where -

  1. the processing is strictly necessary for the law enforcement purpose,
  2. the processing meets at least one of the conditions in Schedule 8, and
  3. at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

The processing within CMS is strictly necessary for the CPS to effectively conduct criminal prosecutions.

The relevant conditions in schedule 8 of the Data Protection Act 2018 are:

(i) For statutory purposes where the CPS is processing data through exercising powers under the Prosecution of Offences Act 1985, Proceeds of Crime Act 2002 (to conduct cases that involve the proceeds of crime) or any other relevant law, and where case teams ensure processing is necessary for reasons of substantial public interest
(ii) For the Administration of Justice
(iii) For the Safeguarding of children and of individuals at risk where the CPS is processing data of victims, witnesses or other individuals connected to in prosecutions who are under 18 or are considered vulnerable or at risk. The CPS case teams will ensure that processing is necessary for the CPS to effectively conduct prosecutions and fulfil our statutory function,, and handle consent in line with the  Victims’ Code of Practice.
(iv) For Archiving purposes where data is contained within files that meet the criteria of ‘long term interest’ defined by the CPS Retention Schedule and will therefore be transferred to The National Archives (TNA) under the Public Records Act 1958. The CPS will make decisions as to the archiving of data under the guidance of the Keeper of Public Records.

The CPS considers that an appropriate policy document is in place and is able to provide this to the ICO upon request.

Annex C - Processing law enforcement data for a non-law enforcement purpose

Article 6 subsection 1 of the UK GDPR sets out the following lawful bases we rely upon for processing personal data for this purpose:

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual, particularly where the individual is a child.

Where the CPS relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of individuals and has concluded that they are not.

In addition, where the processing for any of the non-law enforcement purposes is sensitive processing, the CPS processes data under the following article 9(2) conditions of the UK GDPR:

  • Where we have your explicit consent this will be appropriately documented, and you will be able to ‘opt out’ at any time.
  • Where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Where processing is necessary for reasons of substantial public interest

In order for the CPS to process special category data for reasons of substantial public interest, the processing must meet one of the conditions set out in Part 2, Schedule 1.

The condition(s) the CPS relies on in Schedule 1 will depend on the context of the data processing concerned.

Archiving, Research and Statistics

In order for the CPS to process special category data in reliance upon this Article 9 condition, the processing must meet one of the conditions set out in Part 1, Schedule 1. This applies where the CPS transfers material to The National Archives.

Scroll to top