The Serious Fraud Office (SFO) has been fined £180,000 after thousands of confidential documents from an investigation into defence giant BAE Systems were sent to the wrong person.
The UK’s privacy regulator, the Information Commissioner’s Office (ICO), took action against the anti-fraud unit after evidence relating to 64 people was mistakenly sent to a witness in the case.
It is the first time the SFO has been fined by the watchdog, who said the public would be “quite rightly shocked” that information from such a high-profile case was not kept secure.
The documents related to the SFO’s investigation into allegations that senior executives at BAE Systems had received payments, including two properties worth more than £6 million, as part of an arms deal with Saudi Arabia.
After the case was closed in February 2010, the SFO sent more than 2,000 bags of evidence to “Witness A” between November 2011 and February 2013.
It was later discovered that a “relatively inexperienced” temporary worker, who was not fully supervised, had mistakenly sent 407 of the bags belonging to 64 people to the witness, the ICO said.
They included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details, the regulator added.
The SFO only began investigating the full circumstances of the breach after details of the errors were requested in response to a parliamentary question in June 2013.
The confidential material was later found in a storage facility which was also being used as a cannabis farm in east London, the then-shadow attorney general Emily Thornberry said at the time.
ICO Deputy Commissioner David Smith said: “People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.
“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong.
“This was an easily preventable breach that does not reflect well on the organisation.”
The SFO had gathered more than 11,000 bags of evidence during its investigation into BAE from witnesses and suspects, Government departments, foreign governments and corporate banks, the ICO said.
The documents returned to Witness A included “confidential personal data” relating to 6,000 subjects, some of whom were in the public eye, and “sensitive personal data” relating to two subjects, according to the watchdog.
Witness A contacted the SFO to say he had wrongly received some evidence in November 2011, but despite considering his concerns at a “senior level”, the SFO continued to return material to him in May 2012, the regulator added.
It said there had been a “serious contravention” of data protection laws because the SFO failed to put any appropriate security measures in place for the “large and complex” job of returning the documents.
“This is unacceptable in view of the nature of the information contained in the bags which should have been afforded the highest levels of security,” the ICO said.
The breach was likely to have caused “substantial distress”, the regulator added, because there was evidence that some of the information was disclosed to a national newspaper and “possibly disseminated overseas”.
The SFO has since recovered 98% of the documents that should not have been disclosed. The organisation has also taken action to make sure adequate security checks are in place to ensure case files containing personal information are returned to the correct recipient, the ICO said.