On 30 March 2015, the UK’s Information Commissioner’s Office (“ICO”) announced that it has fined the Serious Fraud Office (“SFO”) £180,000 after sensitive evidence relating to 64 people involved in the BAE Systems (“BAE”) bribery investigation was accidently sent to the wrong witness, and subsequently leaked to the press.

The SFO’s corruption and bribery investigation concerned a BAE arms deal with Saudi Arabia. The allegations were that a BAE executive received payments, including two properties worth over £6 million, as part of BAE’s sale of tens of billions of pounds’ worth of arms to Saudi Arabia, from the 1980s to 2006. The case was closed in February 2010 on the grounds of public interest and concerns that relations with Saudi Arabia were being harmed.

After the bribery investigation concluded, the SFO began returning the evidentiary documentation to third parties involved in the case. Numerous bags containing sensitive personal data about third parties – including bank statements, hospital invoices, DVLA documents, and passport details – were sent to the wrong witness between November 2011 and February 2013. The witness then disclosed the confidential personal data to The Sunday Times, which published multiple articles based on this evidence.

The ICO found that the confidential evidence was wrongly sent to the witness by “a temporary worker who had received minimal training and had no direct supervision.”

ICO Deputy Commissioner David Smith, reporting on the fine for the data breach, said:

"Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded."

The ICO took into account various mitigating steps taken by the SFO in determining the extent of the fine, including that: 

  1. the SFO made immediate efforts to recover the information from the witness, 
  2. 98% of the information in bags was recovered with their seals intact, 
  3. the SFO voluntarily reported the case to the ICO, and 
  4. the ICO is not aware of similar previous security breach.