Police Scotland fined £66,000 for mishandling sensitive personal data
Police Scotland has been fined £66,000 and issued with a formal reprimand after the UK Information Commissioner’s Office (ICO) found the force guilty of serious failures in the handling of highly sensitive personal data.
The investigation centred on the force’s extraction of the 'entire' contents of an individual’s mobile phone after they reported an alleged crime. According to the ICO, Police Scotland failed to put in place adequate safeguards to limit access to information irrelevant to the inquiry. As a result, officers collected “a substantial volume of highly sensitive information,” much of which had no bearing on the matter under investigation.
The situation was further exacerbated when the unredacted phone data was later included in a misconduct disclosure bundle and shared with a third party who should not have received it. The ICO said the disclosure occurred because “appropriate review, redaction and security procedures were not in place,” and staff lacked the necessary guidance and organisational controls to handle such data safely.
The complainant is a police detective, Det Con Lianne Gilbert, who made a complaint of domestic abuse, including serious sexual assault, against another officer in 2020 and has since waived her right to anonymity. In the course of a misconduct inquiry into the allegations two years later, data - including intimate images and medical records - taken from her phone was given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative.
Gilbert told BBC Scotland that she was only made aware that her data had been breached in June 2022 when she was called by the Scottish Police Federation offering support. "It's been absolutely horrific and very, very traumatic," she told the BBC. "At the time it happened I had a five-month-old baby. It's really impacted my motherhood journey. At times I still feel quite numb. I felt relieved to see they had been fined and that it has been dealt with seriously because I'm aware it's not common practice to fine a public body. Although they have apologised, it's not an apology I have ever accepted. I don't think it's good enough."
The detective believed that Police Scotland had notified the ICO of the incident, but when she contacted the watchdog some months later, she learned that the breach had never been officially reported to the ICO.
The regulator concluded that Police Scotland had failed to:
- Implement appropriate organisational and technical measures to ensure data security
- Limit the sharing of personal information to what was strictly necessary
- Ensure staff handling sensitive information followed clear guidance and procedures
- Report the data breach within the legally required 72‑hour period
Sally-Anne Poole, the ICO’s Head of Investigations, described the incident as a stark example of the “devastating consequences of poor data protection practices.”
“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help,” she said. “Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.”
Poole added that people should be able to trust organisations - especially law enforcement - to treat their data “with care, fairness and respect,” warning that failure to do so will result in enforcement action.
The ICO said it took into account the seriousness of the breach, the sensitivity of the data involved and the impact on the affected individual when calculating the £66,000 penalty. The regulator also applied a reduction to the fine to avoid causing disproportionate harm to public services, given Police Scotland’s status as a public body.
Deputy Chief Constable Alan Speirs of Police Scotland apologised for the incident, saying: "Police Scotland has taken organisational learning from this incident.
"Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future."




