The Information Commissioner’s Office (ICO) has issued a monetary penalty notice against the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.
The SFO’s investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia. The case was closed in February 2010.
The SFO began returning the evidence documents after the case concluded. Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.
The SFO began investigating the full circumstances of the breach only after details of the errors were requested on 13 June 2013 for a briefing in response to a parliamentary question. An internal investigation was launched shortly afterwards and the ICO was informed of the breach.
The ICO investigation found that the information returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision. The information was disclosed by the witness to The Sunday Times, which published a number of articles based on the evidence.
ICO Deputy Commissioner and Director of Data Protection, David Smith, said:
‘Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure. Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.’
The SFO has recovered 98% of the documents that shouldn’t have been disclosed. The organisation has also taken action to make sure adequate security checks are in place to ensure case files containing personal information are returned to the correct recipient.
The full text of the monetary penalty notice is here.