ICO fines Serious Fraud Office £180,000 and warns other law enforcement agencies

The ICO has announced today that it has fined the Serious Fraud Office (SFO) £180,000 for wrongly disclosing evidence to witnesses in a bribery investigation. The bribery investigation into senior executives at BAE Systems had been concluded in 2010. In returning evidence to a witness, the SFO had disclosed evidence to one witness of personal data and sensitive personal data about 64 other people.

Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.

The ICO’s investigation found that the SFO’s failure was “very serious” in that it had failed to take enough steps to respect the data security 7th principle of the Data Protection Act likely to lead to “substantial damage” or “substantial distress” as the Monetary Penalty Notice continues that “there is evidence that some of the information may have been disclosed to a national newspaper.” The data controller should have known that a contravention of the Data Protection Act would occur from a failure to manage the process of restoring evidence to the various witnesses.

The monetary penalty notice specifies both aggravating and mitigating factors in determining the size of the fine. The mitigating factors included the points that:

  • The ICO is not aware of similar previous security breaches
  • 98% of the information in bags was recovered with their seals intact
  • The SFO conducted a prompt investigation
  • The SFO made immediate efforts to recover the information from the witness who had been sent the evidence
  • The SFO voluntarily reported the case to the ICO
  • The SFO was co-operative with the ICO
  • The SFO has taken “substantial remedial action.”

Deputy Commissioner and Director of Data Protection, David Smith, commented:

“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.

Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The ICO’s Monetary Penalty Notice