UK Crown Prosecution Service records over 1,500 data breaches in 2019/20

The UK Crown Prosecution Service recorded 1,627 data breaches over the entirety of the 2019-20 financial year, up from 1,378 in the previous financial year, according to a new report out this week (8 October).

The data, contained in the annual CPS report and analysed by UK litigation practice Griffin Law, also revealed that 59 incidents were serious enough to be reported to the Information Commissioner’s Office (ICO).

Griffin Law says that the period from January to March saw by far the largest quantity of severe personal data incidents, with 21 data handling incidents leading to loss of ABE and media discs, as well as an additional 18 incidents of unauthorised disclosure of case information, impacting 1,233 people in total.

By comparison, just 11 incidents of unauthorised disclosures of case information affecting 56 people were reported in the period of October to December 2019, 12 data handling incidents and unauthorised disclosures of case information impacted 34 people in January to March, and 23 people were impacted in April to June 2019 by 15 total personal data incidents. According to the CPS this in part reflects better staff training and more incidents being reported.

In total, 1,463 of the total data breaches recorded over the entire financial year, were due to unauthorised disclosure of information, with 78 being considered ‘severe’. A further 143 of the total incidents were due to loss of electronic media and paper, and in 22 of these instances, the data was never recovered. Finally, the final 21 reported cases were due to loss of devices, including laptops, tablets and mobile phones, although only one of these devices was not eventually recovered, and no CPS data was compromised as a result.

Donal Blaney, principal at Griffin Law, said: “The Government’s nonchalance over these persistent threats to the UK’s national cyber security is troubling. In the light of international concerns surrounding hacking and ransoms, not to mention the missing ‘papers’ included in this report from the ICO, can we be sure there aren’t more incidents that go unreported or undetected? These charts reveal very little follow-up action is ever taken and that every faith is placed in the encryption software installed on government-issued devices. To state that, ‘no CPS data has been compromised’ is a very bold claim and one which, in my opinion, requires further clarity.”

A CPS spokesperson told Legal IT Insider: “The CPS handles huge amounts of data files every year and staff are trained to make sure personal data is kept securely in line with national security guidelines.

“Any increase reflects awareness training for all staff which has led to more incidents being reported.”

He added: “In 94 per cent of incidents last year the data was eventually recovered or retained within the criminal justice system. In other cases the material was either encrypted or the loss was caused by non-CPS staff.

“Each incident was followed up to ensure lessons were learned.”