ACCforum: ICO fines Serious Fraud Office £180,000 and warns other law enforcement agencies - ACCforum

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

ICO fines Serious Fraud Office £180,000 and warns other law enforcement agencies UK Privacy news

#1 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 13 April 2015 - 02:54 PM

ICO fines Serious Fraud Office £180,000 and warns other law enforcement agencies
30/03/2015
Tags:

ICO
fines
Serious Fraud Office



http://www.privacyla...ement-agencies/

The ICO has announced today that it has fined the Serious Fraud Office (SFO) £180,000 for wrongly disclosing evidence to witnesses in a bribery investigation. The bribery investigation into senior executives at BAE Systems had been concluded in 2010. In returning evidence to a witness, the SFO had disclosed evidence to one witness of personal data and sensitive personal data about 64 other people.

Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.

The ICO’s investigation found that the SFO’s failure was “very serious” in that it had failed to take enough steps to respect the data security 7th principle of the Data Protection Act likely to lead to “substantial damage” or “substantial distress” as the Monetary Penalty Notice continues that “there is evidence that some of the information may have been disclosed to a national newspaper.” The data controller should have known that a contravention of the Data Protection Act would occur from a failure to manage the process of restoring evidence to the various witnesses.

The monetary penalty notice specifies both aggravating and mitigating factors in determining the size of the fine. The mitigating factors included the points that:

1. the ICO is not aware of similar previous security breaches
2. 98% of the information in bags was recovered with their seals intact
3. the SFO conducted a prompt investigation
4. the SFO made immediate efforts to recover the information from the witness who had been sent the evidence
5. the SFO voluntarily reported the case to the ICO
6. the SFO was co-operative with the ICO
7. the SFO has taken “substantial remedial action.”

Deputy Commissioner and Director of Data Protection, David Smith, commented:

“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.

Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The ICO’s Monetary Penalty Notice is at https://ico.org.uk/a...s-fraud-office/
0

#2 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 13 April 2015 - 02:56 PM

Serious Fraud Office fined after evidence from BAE Systems ‘bribery’ investigation wrongly disclosed

Date
30 March 2015
Type
News


https://ico.org.uk/a...d-office-fined/



The Information Commissioner’s Office (ICO) has fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.

The Serious Fraud Office’s investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia. The case was closed in February 2010.

The Serious Fraud Office began returning the evidence documents after the case concluded. Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.

The Serious Fraud Office only began investigating the full circumstances of the breach after details of the errors were requested on 13 June 2013 for a briefing in response to a parliamentary question. An internal investigation was launched shortly afterwards and the ICO was informed of the breach.

The ICO investigation found that the information returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision. The information was disclosed by the witness to The Sunday Times, which published a number of articles based on the evidence.

ICO Deputy Commissioner and Director of Data Protection, David Smith, said:

“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The Serious Fraud Office has recovered 98% of the documents that shouldn’t have been disclosed. The organisation has also taken action to make sure adequate security checks are in place to ensure case files containing personal information are returned to the correct recipient.
Notes to editors

The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection
0

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users