CPS admits to 'inadvertent' disclosure of tuition fee protestors' data

Out-Law News | 28 Sep 2012 | 2:36 pm | 3 min. read

The Crown Prosecution Service (CPS) has apologised to hundreds of people after it "inadvertently disclosed" their names, dates of birth and other personal data in a document as part of its response to a freedom of information (FOI) request.

A member of the public had asked the CPS to provide figures for the cost and resources used in investigating cases stemming from the Metropolitan Police's Operation Malone, which related to the demonstrations against student tuition fees in England, according to a report by The Register news website. However, in response the CPS sent the requester a spreadsheet which contained the names of 299 people who had been arrested during Operation Malone as well as the subsequent Operation Brontide, the report said.

Of those listed, 116 people had been released without charge, a number of others had been charged but later acquitted and 44 individuals were under the age of 18. The details of the solicitors representing some of those who had been named were also disclosed, along with comments made in relation to the individuals, including on medical issues, according to The Register's report.

The report contained an extract from the letter that the CPS said it had sent to those listed on the spreadsheet.

"I am writing to inform you that some of your personal data has been inadvertently disclosed in error," the CPS said in its letter, according to The Register. "The information disclosed includes your full name, date of birth, the Police Unique Reference Number (URN), the offence with which you were charged, the first appearance date at court and the nature of the next hearing [where applicable] ... I understand that you may find the contents of this letter upsetting."

In a statement sent to Out-Law.com a CPS spokesperson said: "Since becoming aware of this breach on 13 September 2012, the CPS has written and apologised to those whose details appeared on the document".

"The individual to whom the information was disclosed has also been contacted and advised that the information was provided in error and requested that it be destroyed. The CPS Chief Operating Officer has commissioned a review of this incident and the systems and controls we have in place which failed on this occasion, to be conducted by a senior and experienced prosecutor from another CPS Division. The findings will be acted upon as a matter of priority to ensure that such an error does not recur," the spokesperson added.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), told Out-Law.com that it was "currently making enquiries" into the case.

"The public expects their personal data to be properly looked after by organisations," Simon Entwistle, the ICO’s director of operations, added, according to The Register's report. "Where it looks like this hasn’t happened, the Information Commissioner’s Office will investigate, with powers to issue monetary penalties up to £500,000 where appropriate."

Data protection law expert Victoria Diggines of Pinsent Masons, the law firm behind Out-Law.com, said that the ICO could impose a substantial civil monetary penalty notice on the CPS.

"The ICO has already demonstrated its willingness to heavily fine public bodies," Diggines said. "Whether the ICO decides to impose a fine in this case, and what the ultimate amount of that fine will be, will be determined through an assessment of a number of factors."

"These include the seriousness of the breach, the cause of the breach, whether the CPS should or could have prevented the breach, the sensitivity of the personal data in question, the volume of personal data, the risk of and seriousness of harm or distress to the affected individuals and the steps the CPS has taken since the breach," she said.

"The ICO has already demonstrated its willingness to heavily fine public bodies in cases where large volumes of sensitive personal data were stolen and sold on the internet, and in other cases where particularly sensitive information about child abuse cases was inadvertently sent to the wrong address," Diggines said.

Under the Data Protection Act, organisations in control of personal data are required to take "appropriate technical and organisational measures" against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The Act requires extra care around the handling of sensitive personal data, such as medical information or information that details "the commission or alleged commission" of any offence by a person, or information that details "any proceedings for any offence committed or alleged to have been committed" by a person, "the disposal of such proceedings or the sentence of any court in such proceedings".