The £200,000 monetary penalty notice ("MPN") imposed by the Information Commissioner's Office ("ICO") on the Crown Prosecution Service ("CPS") reminds data controllers of the need to:
- encrypt and port-control laptops
- ensure that their data processors encrypt and port-control laptops
- otherwise implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data (the "7th DPP")
Since 2002, the CPS had used a third party to edit videos and DVDs of police interviews so that the CPS could use them in criminal proceedings. The data processor uploaded such videos and DVDs to laptops. The laptops were kept in an unsecured studio with no alarm or operational CCTV. The data processor had two unencrypted laptops stolen from their offices. The laptops contained interviews spanning 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations against a high-profile individual. The CPS used a national courier to deliver the unencrypted DVDs. If the case was urgent, the supplier would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.
Unencrypted laptops have been a regulatory hotspot since 2010. The ICO's clearly held view is that the cost of implementing encryption technology on devices is minimal compared to the potential harm that may result from unauthorised or improper use of such personal data.
Key points highlighted by the decision include the following regarding the 7th DPP:
- data controllers must have appropriate written contracts with all their data processors. This includes an obligation to return or securely destroy the DVDs and videos at the end of the case;
- data controllers should (and must get a guarantee that their data processors shall) encrypt all laptops and implement port control;
- laptops and DVDs must be securely stored when not in use. They should not be left on a desk or in an unlocked cupboard. Interestingly, the MPN does not state that the DVDs also needed to be encrypted. Data controllers merely need a guarantee that their data processor will store the DVDs in a lockable cabinet;
- unencrypted DVDs should be sent by secure courier. Data controllers should not use a national courier. The DVDs certainly should not be personally transferred using public transport. The ICO will have no sympathy for a data controller's concern that a secure courier will affect the data controller's profit margin;
- the fact that the laptops did not appear to have been accessed by unauthorised third parties was irrelevant;
- data controllers must monitor security measures taken by their data processors. This includes ensuring that their data processor's premises are suitable for the nature of the personal data being processed.