Privacy Notice - Crown Prosecution Service (CPS), incorporating the Revenue and Customs Prosecution Office (RCPO)
This Privacy Notice is for anyone who has dealings with the Crown Prosecution Service (CPS) whether in connection with a prosecution or through correspondence. It applies to any personal data we hold about you for any reason.
It sets out the standards you can expect when we hold your personal data, in some cases this incudes your sensitive personal data, as well as other privacy information which we are obliged to provide.
The CPS is the data controller for all data referred to below. The CPS’ Data Protection Officer can be contacted at the following address:
Data Protection Officer, Crown Prosecution Service
102 Petty France
Why we process personal data
We need to handle personal data in order to prosecute criminal cases. The majority of the personal data we hold is passed to us by the police in order that we can determine whether or not to prosecute. In general personal data is held by the CPS about defendants, victims and witnesses in criminal cases.
Categories of personal data processed by the CPS within a criminal case file
The list of data categories that can be found within the prosecution case file can be found at Annex A of this Privacy Notice.
Personal data processed within criminal case files will predominantly contain data relating to the commission, or alleged commission, of an offence. However it is likely that other sensitive categories will also be processed where they relate directly to a criminal case.
The full definition of sensitive personal data is defined in the General Data Protection Regulation (GDPR) as:
‘Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.
Within criminal casefiles this is likely to include, but not be limited to, racial or ethnic origin, physical or mental health contained within medical records for example and sexual orientation.
Legal Basis for processing personal data for criminal cases
The processing will fall under the Law Enforcement Directive as the CPS processes data for the purpose of conducting criminal prosecutions. Should you wish to view a more detailed explanation of the legal basis for processing it can be found at Annex B of this Privacy Notice
How we process personal data
This section set out how we look after personal data. We commit to:
- protect it and ensure that nobody has access to it inappropriately;
- make sure we don’t keep it longer than necessary;
Data received from the police may only be disclosed to those classes of persons/organisations noted in the CPS Data Protection Notification:
Please note the Director of Public Prosecutions for the CPS is also the Director of the Revenue and Customs Prosecution Office (RCPO). The RCPO continues to work under their separate data notification number. This charter covers both the CPS and RCPO.
The CPS is required to share information with other parties under various Acts of Parliament and Statutory Instruments including the Criminal Procedure and Investigations Act 1996 and the Criminal Procedure Rules 2010. It is intended that in appropriate circumstances, as part of the ordinary business of the CPS and to meet the requirements of criminal justice, relevant personal data may be disclosed to:
- Solicitors acting for defendants;
- Defendants in person;
- Solicitors acting for third parties;
- Solicitors acting for the CPS;
- The Police;
- Other Law Enforcement agencies;
- Persons/Organisations providing support services for victims and witnesses;
- Victims and witnesses;
- Counsel (barrister) for the defendant;
- Counsel (barrister) for the prosecution;
- Magistrates’ Courts;
- Crown Courts;
- Appeal Courts;
- Probation Service;
- Prison Service;
- Youth Offending Teams;
- Home Office;
- Others with a legitimate interest in the data.
In the rare circumstances where we collect information directly from you, we will:
- make sure you know why we need it;
- ask only for what we need, and not collect too much information or irrelevant information;
- let you know if we share it with other organisations to give you a better service - and seek your consent when necessary.
In dealing with your personal information, we will also:
- value the personal information entrusted to us and make sure we respect that trust;
- abide by the law when it comes to handling personal information;
- consider the privacy risks when we are planning to use or hold personal information in new ways, such as when introducing new systems;
- provide training to staff who handle personal information and respond appropriately if personal information is not used or protected properly.
To ensure we keep your information reliable and up to date, in return, we ask you, where applicable, to:
- give us accurate information;
- tell us as soon as possible if there are any changes to the information we hold about you, such as a new address, telephone number, email address and name change.
Retention of your personal data
The CPS Retention Schedule is published on the CPS website. This document clearly sets out the length of time we will hold material within Magistrates’ and Crown Court cases. This retention schedule is abided by unless the CPS is subject to a legal requirement to keep the data for longer, for the purposes of a Statutory Inquiry, for example.
How to find out what information we hold about you
Under the Data Protection Act 2018 you have the right to a copy of the information the CPS
holds about you; a request for this information is known as an access request.
Information Access Team
Crown Prosecution Service
102 Petty France
How to exercise other rights available to you under the Data Protection Act 2018
To exercise any other rights available to you please refer to the Data Protection Compliance
Unit at the above postal address.
The email address for the Data Protection Compliance Unit is GDPREnquiries@cps.gov.uk
Making a complaint to the CPS
If you wish to make a complaint about the way your personal data has been handled please put it in writing to:
CPS Data Protection Officer
Head of the Security and Information Assurance Division
Crown Prosecution Service
102 Petty France
London SW1H 9EA
Making a complaint to the Information Commissioner
For independent advice about the Data Protection Act 1998 contact:
Information Commissioner’s Office
Tel: 08456 306060 or 01625 545745
- Defendant details, including ethnicity, next of kin and family details
- Defence firm details - telephone numbers and email, including personal secure email
- Details of Chambers
- Victim/Witness details, including alternative contacts
- Personal data of Police Officers
- Previous conviction data for defendants and witnesses
- Hearing Record Sheets
- Intelligence data
- Particulars of the crime
- Expert Witness details/reports
- Interpreter details
- Exhibits/statements - used and unused material
- MG6 Series - used and unused material - sensitive
- Photographic Evidence
- Domestic abuse check list - additional information outside of statements, can be linked to children’s data and social services
- Charging decisions
- Legal skeleton arguments
- Emails to Counsel
- Records of speaking to witnesses at court, including phone records, audit logs, records of conversations
- Referrals to victim support service
- Victim’s Right to Review - records of conversations, e-mails from victim and/or witness, audio file of full conversation can be placed on CMS (the CPS Case Management System)
- Hearing Results.
Proceeds of Crime cases
- Bank Account details
- Property abroad or other assets
- Restraint Orders
- Receivership Orders
- Confiscation Orders
- Liaison with Her Majesty's Revenue and Customs
- Calculations of monies owed
- Management and enforcement receivers.
- Information supplied by a foreign government, judicial authority, prosecutor, or law enforcement agency for the purposes of extradition, investigation, or prosecution
- Correspondence with Liaison Magistrates and prosecutors.
Special Crime and Counter Terrorism Cases
- Casework involving MPs, police officers or other high profile figures.
Section 35 of the Data Protection Bill (DPB), the first data protection principle, states the following:
1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either-
a) the data subject has given consent to the processing for that purpose, or
b) the processing is necessary for the performance of a task carried out for
that purpose by a competent authority.
The CPS relies upon 35(2)(b) as we do not rely upon consent for process data of this nature.
Section 35(3) states:
In addition, where the processing for any of the law enforcement purposes is
sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
Subsection 5 provides the case we rely upon for the processing of this data:
Section 35(5): The second case is where -
a) the processing is strictly necessary for the law enforcement purpose,
b) the processing meets at least one of the conditions in Schedule 8, and c) at the time when the processing is carried out, the controller has an
appropriate policy document in place (see section 42).
The processing within CMS is strictly necessary for the CPS to effectively conduct criminal prosecutions.
The appropriate condition in schedule 8 of the DPB is:
Statutory etc purposes
1. This condition is met if the processing-
(a) is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and
(b) is necessary for reasons of substantial public interest.
Administration of justice
2. This condition is met if the processing is necessary for the administration of justice.
The CPS considers that an appropriate policy document is in place in the form of:
- The Data Protection Impact Assessment (DPIA) for our internal case management system (CMS);
- The publically available CPS retention schedule;
- This Privacy Notice;
- Publication of the rights available to be exercised by data subjects under the Law Enforcement Directive (LED).