Serious Fraud Office in Serious Trouble With ICO

The Serious Fraud Office (SFO) has been fined £180,000 by the Information Commissioner’s Office (ICO) after evidence from a high-profile criminal investigation was returned to the wrong person.

The investigation related to allegations that senior executives at defense contractor BAE Systems had accepted bribes as part of an arms deal with Saudi Arabia.

After the case closed in February 2010, the SFO began sending all the evidence it had collected back to its rightful owners.

Around 20% of the 2,000 evidence bags sent out contained information on third parties, according to the ICO.

This included highly sensitive info such as bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.

The Serious Fraud Office only began an investigation into what had gone wrong after a question was asked in parliament in June 2013.

To make matters worse, the witness who received the wrong evidence had been sent it by a temporary worker who had no direct supervision and little training.

The evidence in question apparently related to 64 other people in the case.

The witness passed on the evidence to The Sunday Times, which ran several stories based on it.

“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure,” said Deputy Commissioner David Smith.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organization.”

Although the SFO has now retrieved 98% of the evidence that shouldn’t have been disclosed, Smith claimed law enforcement agencies everywhere should see the stiff £180,000 penalty as a warning “that their legal obligations to look after people’s information continue even after their investigation has concluded.”

Intralinks director Todd Partridge argued that to prevent this kind of issue from happening in future, organizations need to focus on both the human and the technical aspects.

“The first is to attempt to eliminate human error altogether, through training, procedures and protocols. It would appear that this is one line being taken by the SFO, and this is commendable, but humans will always make mistakes, so it’s not enough on its own,” he added.

“A second approach is to implement systems that enable a company to deal with errors. With technology advances and the development of the cloud, companies can now share and – more importantly – ‘unshare’ documents, shutting off access to them at the flick of a switch.”