The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Crown Prosecutions Service Prosecuted - And Other GDPR-type Convictions

CPS Prosecuted
23 May 2018

You could hardly make it up but the Crown Prosecutions Service has been fined after losing victim interview videos - PLUS a variety of convictions including a 'serious'  data breach at the University of Greenwich; nuisance calls; and individual thefts of personal information.


CPS Leaves Sensitive (Child Abuse) Videos At Reception Desk

The Crown Prosecution Service (CPS) has been fined £325,000 by the ICO after they lost unencrypted DVDs containing recordings of police interviews. The DVDs contained recordings of interviews with 15 victims of child sex abuse, to be used at trial.

This is the second penalty imposed on the CPS following the loss of sensitive video recordings.


Package left at reception

The DVDs contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator and some identifying information about other parties. The DVDs were sent by tracked delivery between two CPS offices, with the recipient office being in a shared building. The delivery was made outside office hours and the DVDs – which were not in tamper-proof packaging – were left in the reception.

Although the building’s entry doors were locked, anyone with access to the building could access this reception area.



The DVDs were sent in November 2016, but it was not discovered that they were lost until December. The CPS notified the victims in March 2017, and reported the loss to the ICO the following month.

It is not known what has happened to the DVDs.



The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe, and did not take into account the substantial distress that would be caused if the videos were lost. It also found that, despite being fined £200,000 following a separate breach in November 2015 – in which victim and witness video evidence was also lost – the CPS had not ensured that appropriate care was being taken to avoid similar breaches re-occurring.

Steve Eckersley, Head of Enforcement, said: “The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data - a loss in trust could influence victims’ willingness to report serious crimes.

“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.

“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”

The CPS has self-identified systemic failings and is taking action to remedy them.


The University Of Greenwich Fined £120,000 By Information Commissioner For Serious Security Breach

The University of Greenwich has been fined £120,000 by the Information Commissioner following a serious security breach involving the personal data of nearly 20,000 people – among them students and staff.


It is the first university to have been fined by the Commissioner under the existing data protection legislation (Data Protection Act 1998).

The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

The personal data included contact details of 19,500 people including students, staff and alumni such as names, addresses and telephone numbers.  However, around 3,500 of these included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records and was subsequently posted online.

Head of Enforcement at the ICO, Steve Eckersley, said: ”Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”



The Commissioner found that the University did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur, ie for ensuring that its systems could not be accessed by attackers.


University of Greenwich - response

After the ICO's prompt payment discount the cost to the university will be £96k. We take this extremely seriously and would like to apologise again to those who may have been affected.

Since 2016, we have taken a number of significant steps to enhance our data protection procedures. These include:

  • Making major investments in new security architecture, tools and technologies.
  • Hiring new dedicated internal experts whose sole focus is information security.
  • Conducting vulnerability testing across the entire organisation every day – the only university, so far as we know, to do so.
  • Making information security training mandatory for all staff.
  • Reforming the system of internal IT governance.
  • Redeveloping a rapid incident response to tackle threats as they arise and quickly learn lessons from incidents.

Taken together, these important steps amount to an unprecedented overhaul of our data protection and security systems, and our stakeholders can have confidence in the enhanced measures we now have in place.


Recruitment Consultant Fined

A former recruitment consultant has been fined for unlawfully taking personal data from his employer when he left his job to set up his own rival business.

Daniel Short left the recruitment company he was working for, VetPro Recruitment, in October 2017 and a short time later set up his own similar company called VetSelect.

Once VetPro became aware of the new company, it began to have concerns about the integrity of the database it used to recruit vets and nurses, which contained the personal data of more than 16,000 people.

VetPro contacted Short to ask if he had downloaded any of the information from the database and Short admitted he had taken some personal data, claiming it was for his own record of achievement.

The matter was reported to the Information Commissioner’s Office and during an investigation it was discovered that Short had stolen the details of 272 individuals from VetPro’s database for commercial gain.

Short pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998 when he appeared at Exeter Magistrates’ Court on Thursday May 21.

He was fined £355 and was ordered to pay costs of £700 as well as a victim surcharge of £35.

Mike Shaw, Criminal Investigations Manager at the ICO, said: “Short thought he could get away with stealing from his old employer to launch his own company. Data Protection laws are there for a reason and the ICO will continue to take action against those who abuse their position.”


Stockport Firms Fined For Nuisance Calls And Spam Texts

The ICO has fined two firms in Stockport for disrupting the public with nuisance marketing.

IAG Nationwide Limited has been fined £100,000 for making more than 69,000 calls to people registered with the Telephone Preference Service (TPS).

Recipients described the calls as 'frightening', 'threatening' and 'aggressive'. IAG also failed to correctly identify itself in the calls, did not give people the chance to opt-out of receiving them and provided misleading information about the nature of the call.

On top of the fine, the company has been issued with an enforcement notice by the ICO, ordering it to stop illegal marketing.

In a separate ICO investigation, Costelloe and Kelly Limited has been issued with a £19,000 fine for sending more than 260,000 spam texts promoting funeral plans.

Andy Curry, ICO Enforcement Group Manager, said: “Both these firms showed disregard for both the law and people’s right to privacy when they embarked on their unlawful marketing campaigns.

“We heard about the harassing nature of the calls made by IAG Nationwide, whilst Costelloe and Kelly ploughed ahead with their spam texts despite the fact the content was about funeral plans – a sensitive area which could cause upset to recipients.

“Reports from the public about these firms helped our investigations, leading to action to hold those responsible to account."


Marketing - check what you can and can't do

The ICO has published detailed guidance for companies carrying out marketing – explaining their legal requirements under the Data Protection Act and the Privacy and Electronic Communications Regulations. The guidance covers the circumstances in which organisations are able to carry out marketing over the phone, by text, by email, by post or by fax.


Former Hospital Worker Prosecuted For Accessing Patient Records

A former employee of a Milton Keynes hospital trust has been prosecuted for accessing patient records without authorisation.

Michelle Harrison, of Milton Keynes, accessed the records of 12 patients outside of her role as receptionist/general assistant in the Orthotics Department at Milton Keynes University Hospital NHS Foundation Trust between March 2016 and January 2017. These included the patient records of her ex-partner and a woman who claimed that Ms Harrison had used the information to harass her and had complained to the Trust.

The Trust contacted the Information Commissioner’s Office in March 2017. Harrison pleaded guilty to unlawfully accessing personal data and unlawfully disclosing personal data in breach of s55 of the Data Protection Act 1998 at Milton Keynes Magistrates' Court on Friday April 20.


Defying TPS

Two firms in West Yorkshire have been fined for calling people registered with the Telephone Preference Service.

Bradford based Energy Saving Centre Ltd, which offers services such as replacement windows and doors and guttering, made seven million calls over a seven month period without screening them against the TPS register. The ICO fined the firm £250,000 because at least 34,000 of these calls were made to TPS subscribers.

In a separate case, Alex Goldthorpe, trading as Approved Green Energy Solutions, was fined £150,000 for making over 300,000 calls to TPS subscribers between April and July 2017.

Andy Curry, ICO Enforcement Group Manager, said: “People register with the TPS for a clear reason – to stop unwanted marketing calls and protect their privacy. It is the first thing any responsible business should check when making live marketing calls."

Both firms bought the information used to make the phone calls from other companies and failed to check it against the TPS register to ensure the phone calls they were making complied with the Privacy and Electronic Communications Regulations (PECR).


Kensington and Chelsea Council fined for identifying owners of unoccupied properties in FOI response.

The Royal Borough of Kensington and Chelsea has been fined £120,000 by the ICO after it unlawfully identified 943 people who owned vacant properties in the borough.

Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information Act 2000. It is believed the journalists wanted to identify potential homes for Grenfell victims.

The University of Greenwich has been fined £120,000 by the Information Commissioner following a serious security breach involving the personal data of nearly 20,000 people – among them students and staff.

Article written by Brian Shillibeer | Published 23 May 2018


Related Articles

Gangsters' Paradise Leads To Jail Terms For Business Phishing Scam

Gangsters who altered business emails to rip-off more than £1 million have gone to jail. Two members of the Nigerian organised crime group who committed the fraud...

 Read Full Article
Is BYOD Creating A GDPR Risk For Your Business?

Does your Bring Your Own Device (BYOD) stance have the potential to create risks relating to data protection or breaches, as a result of staff using a single smartphone...

 Read Full Article
Two Million Fleet Drivers To Revalidate Driving Licence Data Consent

There are over two million drivers who will have to revalidate their driving licence data consent, writes Malcolm Maycock, Chair of the ADLV. Whilst this is a mammoth...

 Read Full Article
Raising The Bar – Consent Under The GDPR

Straight from the horse's mouth, Steve Wood, Deputy Information Commissioner, writes for ThisWeekinFM on the topic of 'consent', how to get it and what to do...

 Read Full Article
Are You Ready For Business Change?

Andrew Carwardine offers 7 Steps to Change & Put Process Back On The Agenda. Thanks to GDPR, processes are back on the agenda but why the wait? Shouldn't we...

 Read Full Article
GDPR - No Confidence In Compliance. Mobile Workers Are Biggest Hazard

Most companies are not confident of being fully compliant ahead of the GDPR deadline with the biggest fear being the loss of data on laptops and other mobile...

 Read Full Article
Human Error Could Cost UK Businesses Up To €20 Million

Over three-quarters of British businesses say that a proportion of inbound mail and communications is incorrectly allocated due to physical handling, creating an...

 Read Full Article
Denial Of Service Costs Escalate

A DNS Threat Report has revealed the cost per attack has increased by 57% to $715,000 for organisations globally. EfficientIP, a specialist in DNS security to ensure...

 Read Full Article
World Education Not Taking Cyber Threat Cost Seriously

The 2019 Global DNS Threat Report has revealed the education sector is one of the most heavily targeted industries for cyber attacks - and yet invests very little to stop...

 Read Full Article
Most Organisations’ Biggest Security Concern Is Users

What Keeps You Up at Night – The 2019 Report looks at over 350 global organisations' security concerns and reveals people are the biggest perceived...

 Read Full Article