UK Information Commissioner fines the Serious Fraud Office 180,000 pounds for breach of privacy…
March 31, 2015
The UK Information Commissioner’s Monetary Penalty Notice against the Serious Fraud Office highlights both the need to have secure means of handling personal information and the consequences of releasing very sensitive information to the wrong party. The notice also makes clear that actions to mitigate the mistake matter as well, including recovering the mislaid material and self-reporting the breach. The breach occurred because of an administrative error by a temporary staff member. The investigation showed that the Temp lacked training, there was a lack of supervision and the systems were inadequate. The same can be said of many organisations in Australia that handle sensitive documents. APPs 1 and 11 require the establishment, maintenance and enforcement of proper policies and protocols for the handling of data, together with proper and ongoing training.
The ICO media release provides:
The Information Commissioner’s Office (ICO) has fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.
The Serious Fraud Office’s investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia. The case was closed in February 2010.
The Serious Fraud Office began returning the evidence documents after the case concluded. Between November 2011 and February 2013 the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties. The information included bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.
The Serious Fraud Office only began investigating the full circumstances of the breach after details of the errors were requested on 13 June 2013 for a briefing in response to a parliamentary question. An internal investigation was launched shortly afterwards and the ICO was informed of the breach.
The ICO investigation found that the information returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision. The information was disclosed by the witness to The Sunday Times, which published a number of articles based on the evidence.
ICO Deputy Commissioner and Director of Data Protection, David Smith, said:
“Anyone who provides information to a criminal investigation does not take this decision lightly and often does so at considerable risk to themselves. People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure.
“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong. This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”
The Serious Fraud Office has recovered 98% of the documents that shouldn’t have been disclosed. The organisation has also taken action to make sure adequate security checks are in place to ensure case files containing personal information are returned to the correct recipient.
The Monetary Penalty Enforcement Notice relevantly provides (numbering omitted and the ICO’s redactions incorporated):
Background
Between 2004 and 2006, the data controller conducted a high profile investigation into serious fraud, bribery and corruption. During the course of the investigation, in excess of 11,000 bags of evidential material (‘bags’) were obtained from a number of parties including witnesses, suspects, government departments, foreign governments, corporate banks and individuals. The investigation was concluded in February 2010. The bags then had to be restored to their respective owners.
In 2010, a witness in the investigation (‘witness A’) requested the return of his evidential material. In November 2011, the data controller returned 371 of the bags to witness A. Witness A then informed the data controller that, among other things, some of the information in the bags did not belong to him.
The data controller considered witness A’s concerns at a senior level and was satisfied that witness A was the owner of the material that had been sent to him and that the restoration was correct. Consequently, in May 2012 a decision was made to resume the process of returning material to witness A. Between May and October 2012, a further 1,782 bags were returned to witness A.
The Commissioner understands that the bags that were returned to witness A included documents that had been scanned onto the data controller’s ‘Autonomy’ database. The documents contained confidential personal data relating to approximately 6,000 data subjects, some of whom were in the public eye. The documents also contained sensitive personal data relating to two of the data subjects.
In February 2013, a xxxxxx in the investigation (via his accountants) requested the return of his evidential material. In May 2013, the xxxxxxxxxxxx also requested the return of the same material. The data controller’s review of the property revealed that out of the requested material, four bags had been incorrectly sent to witness A and a further 11 bags could not be found. The xxxxxxx was informed of the position.
On 13 June 2013, the data controller was asked to provide a briefing for a ‘Parliamentary Question’ on whether they had recently lost, or returned to the wrong person, any evidence relating to a case. On 17 June 2013, the data controller provided a briefing in relation to the executor’s material that had been sent erroneously to witness A.
On 18 June 2013, the Departmental Security Officer and Senior Information Risk Owner were notified of the loss and they commenced an investigation.
It was discovered that a temporary worker (‘Temp’) in the ‘xxxxx’ had been given the task of preparing the bags for despatch to witness A. Although he had received some ‘on the job’ training, the Temp was relatively inexperienced in carrying out restorations, not fully supervised and he did not understand what was required of him in such a large and complex restoration.
The Commissioner understands that the Temp removed the bags from the boxes he had correctly retrieved from archive. However, the boxes would not necessarily just contain bags belonging to witness A. The Temp did not then check each bag number against the spreadsheet that identified the owners of each bag before despatch, as required. As a result, the Temp had sent erroneously 407 bags belonging to 64 third parties (including the suspect) to witness A.
Grounds on which the Commissioner proposes to serve a monetary penalty notice
The relevant provision of the Act is the Seventh Data Protection Principle which provides, at Part I of Schedule 1 to the Act, that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Paragraph 9 at Part II of Schedule 1 to the Act provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –
the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
the nature of the data to be protected”.
In deciding to issue this Monetary Penalty Notice, the Commissioner has considered the facts of the case and the deliberations of those within his office who have recommended this course of action. In particular, he has considered whether the criteria for the imposition of a monetary penalty have been met; whether, given the particular circumstances of this case and the underlying objective in imposing a monetary penalty, the imposition of such a penalty is justified; and whether the amount of the proposed penalty is proportionate.
Serious contravention (S55A (1)(a))
In particular, the data controller failed to take appropriate organisational measures against the accidental loss of personal data contained in the bags.
Such measures might have included:
Engaging an experienced Temp who had received sufficient training to carry out such a large and complex restoration;
Providing the Temp with appropriate management supervision to check the quality of his work; and
Using a system of work that was user-friendly with a documented
The Commissioner considers that the contravention is very serious because there has been an underlying failure by the data controller to put appropriate (or any) security measures in place for what was a large and complex restoration. This is unacceptable in view of the nature of the information contained in the bags which should have been afforded the highest levels of security.
Likely to cause substantial damage or substantial distress (S55A (1)(b))
The Commissioner is satisfied that the contravention is of a kind likely to cause substantial distress.
The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential personal data (in two cases sensitive) has been disclosed to an unauthorised third party. Such information includes the fact that an individual has been involved in an investigation into serious fraud, bribery or corruption.
Further, the data subjects would be likely to be distressed by justifiable concerns that their data may be further disseminated even if those concerns do not actually materialise. There is evidence that some of the information may have been disclosed to a national newspaper and possibly disseminated overseas.
Therefore, not only was the contravention of a kind likely to cause substantial distress, but there is evidence to suggest that it may in fact have done so.
The Commissioner is satisfied that there has been a serious contravention of the Seventh Data Protection Principle.
Knew or ought to have known that there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or distress (S55A (3)(a)(i) and (ii)).
The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention.
The Commissioner has taken this view because the data controller should have been aware of the risks associated with such a large and complex restoration. In particular, the data controller was used to handling confidential personal data (sometimes sensitive) during an investigation and then restoring it to the relevant owners on its conclusion. At the time of the security breach, the data controller was storing approximately 47,000 bags of evidential material in archive and was aware that the system of work for restoring the bags was antiquated and required a certain level of understanding.
The data controller should also have been aware that there was a risk that the contravention would occur when witness A reported his concerns after the first restoration.
In the circumstances, the data controller knew or ought to have known that there was a risk that the contravention would occur unless reasonable steps were taken to prevent the contravention, such as those outlined above.
Further, it should have been obvious to the data controller, who was aware of the nature and amount of the personal data stored in archive, that such a contravention would be of a kind likely to cause substantial distress to the data subjects.
Aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty
Effect of the contravention
Some of the information may have been disclosed to a national newspaper and possibly disseminated overseas.
Behavioural issues
The data controller should have been aware that there was a risk that the contravention would occur when witness A reported his concerns after the first restoration.
Impact on the data controller
The data controller is an independent government department so liability to pay a monetary penalty will not fall on any individual.
The data controller has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.
Mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty
Nature of the contravention
No previous similar security breach that the Commissioner is aware of.
Effect of the contravention
98% of the information was recovered by the data controller.
The seals of the bags containing the data were still intact.
Behavioural issues
A full investigation was carried out as soon as the data controller became aware of the security breach.
The data controller made immediate attempts to recover the information from witness A.
Voluntarily reported to the Commissioner’s office.
The data controller has been co-operative with the Commissioner’s office.
The data controller has taken substantial remedial action.
Impact on the data controller
Significant impact on the reputation of the data controller as a result of this security breach.
Other considerations
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act and this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data.
Notice of Intent
A notice of intent dated 24 February 2015 was served on the data controller. The Commissioner received written representations from the data controller in response to the notice of intent in a letter dated 10 March 2015. The Commissioner has considered those representations when deciding whether to serve a monetary penalty notice. In particular, the Commissioner has taken the following steps:
- reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
- ensured that the monetary penalty is within the prescribed limit of £500,000; and
- ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty notice will not impose undue financial hardship on an otherwise responsible data controller.
Amount of the monetary penalty
The Commissioner considers that the contravention of the Seventh Data Protection Principle is very serious and that the imposition of a monetary penalty is appropriate. Further, that a monetary penalty in the sum of £180,000 (one hundred and eighty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. In reaching this decision, the Commissioner considered other cases of a similar nature in which a monetary penalty had been imposed, and the facts and aggravating and mitigating features referred to above.