The Information Commissioner’s Office (ICO) has fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.

The Serious Fraud Office’s investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia. The case was closed in February 2010.

The Serious Fraud Office began returning the evidence documents after the case concluded. Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.

The Serious Fraud Office only began investigating the full circumstances of the breach after details of the errors were requested on 13 June 2013 for a briefing in response to a parliamentary question. An internal investigation was launched shortly afterwards and the ICO was informed of the breach.

The ICO investigation found that the information returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision. The information was disclosed by the witness to The Sunday Times, which published a number of articles based on the evidence.

ICO Deputy Commissioner and Director of Data Protection, David Smith, said:

“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The Serious Fraud Office has recovered 98% of the documents that shouldn’t have been disclosed. The organisation has also taken action to make sure adequate security checks are in place to ensure case files containing personal information are returned to the correct recipient.

Notes to editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection


If you need more information, please contact the ICO press office on 0303 123 9070.