The ICO imposed the penalty after two laptops containing filmed police interviews were stolen from a residence in Manchester. Although the computers were password protected the ICO said the sensitive data was not encrypted and the flat had insufficient physical security.

The ICO probe revealed the CPS had used the same film company (the data processor) as a previous data breach when editors were using unsecured couriers to ferry DVDs which were not encrypted. The CPS said it had strengthened arrangements to prevent further incidents.

The moral of the story – a data controller (in this case the CPS) are liable for the security of personal data even when the data is being handled by a subcontractor (like a data destruction or document storage company).