Serious Fraud Office fined £180,000 for “astounding” lapse

File this one under ‘I for Irony’: that bastion of law and order, the Serious Fraud Office (SFO), has been fined £180,000 by the Information Commissioner’s Office (ICO) following the accidental disclosure of evidence to a witness in a serious fraud, bribery and corruption case.

A statement from the ICO explains that, following an investigation into “allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia”, which was closed in February 2010, the SFO “began returning evidence documents”.

Unfortunately, many documents – over 400 evidence bagsful, in fact – were mistakenly sent to a witness, who then disclosed the information to the Sunday Times, which published several articles based on the material they contained. These bags contained the personal information of third parties, including “bank statements… hospital invoices, DVLA documents and passport details.”

ICO deputy commissioner and director of data protection David Smith said:

“People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong.”

An investigation by the ICO found that the evidence had been sent by “a temporary worker who had received minimal training and had no direct supervision.”

The SFO has since recovered 98% of the documents.

Data Protection Act

All organisations in the UK that hold or process personal data must comply with the requirements of the Data Protection Act (DPA) 1998. The ICO can issue fines of up to £500,000 for noncompliance.

IT Governance provides a wide range of DPA products and services, including our Data Protection Act Consultancy service, DPA Foundation training course, Privacy Impact Assessment (PIA) Workshop, DPA Staff Awareness E-learning Course and Data Protection Act Compliance Toolkit.

For more information about any of these, or to find out more about your obligations under the DPA, please visit our main website.