ICO fines Serious Fraud Office £180,000 for sending evidence to a witness

ICO's deputy commissioner says it is "astounding" that the SFO got this wrong

The Information Commissioner's Office (ICO) has fined the Serious Fraud Office (SFO) £180,000 for sending a witness evidence relating to 64 other people in a fraud, bribery and corruption investigation.

The investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6m, as part of an arms deal with Saudi Arabia. The case was closed in February 2010, and the SFO began returning evidence documents soon after.

The witness in question was sent over 2,000 evidence bags between November 2011 and February 2013, and more than a fifth of these bags (407) contained information about third parties. This included information such as bank statements which showed payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and sensitive data such as passport details.

It was only after details of the errors were requested in June 2013 for a briefing in response to a parliamentary question that the SFO began investigating the full circumstances of the breach. It launched an internal investigation and notified the ICO of the mistake.

The ICO found that the evidence had been prepared by a temporary worker at the SFO who had received minimal training and no direct supervision.

"Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves," said ICO deputy commissioner and director of data protection David Smith.

"People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure," he added.

Smith added that considering how high-profile the case was, and how sensitive the data returned to witnesses potentially was, it was "astounding" that the SFO got this wrong.

"This was an easily preventable breach that does not reflect well on the organisation," he said.

Todd Partridge, director of product marketing at Intralinks, added that the SFO's reputation may have been "severely tarnished by what could be considered a minor mistake - something as simple as documents being sent to the wrong person".