Inspection of the CPS reveals security breaches

A report from Her Majesty’s Crown Prosecution Service Inspectorate (HMCPSI) has found that the Crown Prosecution Service (CPS) is responsible for a significant number of data security breaches.

Inspectors examined 700 cases to see how effectively the CPS handles cases before the first hearing in the magistrates’ courts. Inspectors found that 98 of those cases contained a security beach. However, the CPS was able to prevent a further breach in 10 of those cases.

All criminal case files are generated by the police as a result of their investigation. The files are then digitally transmitted to the CPS. In the past, the police have taken responsibility for identifying sensitive information that should not be disclosed before transferring the files to the CPS. This is no longer happening to the same extent and the CPS is struggling to manage the additional burden.

The breaches included a range of serious errors. Some of these involved CPS staff sending the wrong set of previous convictions to the defence or the court. In some, the case summary contained an unauthorised disclosure such as the address of a member of the public who called in the incident. Other breaches included the sharing of witnesses’ personal details; a victim’s unredacted medical notes; and photographs of a victim’s injuries which included their date of birth on a hospital wrist band.

Inspectors also found that in some Areas local policy stated that staff could make up to five breaches before undergoing further training.

Inspectors noted that the CPS has worked hard to digitalise its internal and external processes to help ensure efficiency and increase security, and measures have been put in place to improve training and understanding among all staff in handling case files. But the findings show that there is still much to do.

The inspection revealed a clear culture in the CPS that staff were aware of the need to look out for security breaches and redact material. However, there is a lack of consistent national guidance to help staff determine what does and does not need to be redacted from case file material. Staff also informed inspectors that they often found the guidance complex and difficult to navigate, and some guidance did not directly relate to the specifics of their role.

Commenting on the report, HMCPSI Head of Inspection Anthony Rogers, said:

“In preparing a case for prosecution the CPS must process sensitive information effectively if it is to protect victims and witnesses. That information may vary from the name of a shop that has been targeted for theft, to the names and addresses of rape victims. In most cases it does this well, although the findings of this report highlight a level of security breaches that must give rise to serious concern.

“The public needs to be confident that their information and personal data is being handled safely and correctly when they provide evidence to assist an investigation or support a prosecution. It’s clear there is much the CPS needs to do to earn that confidence.

“The CPS must look at whether it has the right processes and systems in place to manage casework information and will need to continue working with the police about handling casework.”

Note to editors

1. HMCPSI inspects prosecution services, providing evidence to make the prosecution process better and more accountable. We have a statutory duty to inspect the work of the Crown Prosecution Service.
2. The full inspection report can be found here: Information management report (344 kB)
   3. Inspection took place between February and July 2020.
3. Inspectors examined a file sample of cases from across the 14 CPS Areas
4. Inspectors also held virtual interviews and meetings with CPS Areas.