Information Commissioner's Office
Police Scotland fined £66k and reprimanded following serious data mishandling
We have issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.
- Police Scotland failed to protect a person’s sensitive personal information
- Extraction of the entire contents of a person’s mobile phone found to be excessive and unfair
- Lack of adequate policies and procedures contributed to the subsequent unlawful disclosure of sensitive personal information to a third party
Our investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.
Police Scotland subsequently included the full unredacted content into a misconduct disclosure bundle and shared it with a third party who should not have received it. We determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls.
We concluded that Police Scotland failed to:
- implement appropriate organisational and technical measures to ensure data security;
- limit personal information sharing to what was strictly necessary;
- ensure staff handling sensitive information were following clear guidance and procedures; and
- report the personal data breach to the ICO within the legally required 72-hour timeframe.
Sally-Anne Poole, ICO Head of Investigations, yesterday said:
“At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.
“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.
“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”
In assessing the fine amount, we considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. We also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.
Notes to Editors
- The Information Commissioner’s Office (ICO) work on mobile phone extraction examines the relevant data protection rules in some detail and provides key recommendations on how to comply with the law.
- The ICO found infringements of Part 3 of the Data Protection Act (DPA 2018) in respect of Police Scotland’s extraction of the entire contents of a person’s mobile phone and, separately, infringements of the UK GDPR in respect of Police Scotland’s subsequent processing and unlawful disclosure of this information in the context of its misconduct investigation.
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the DPA 2018 and the UK GDPR, the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/03/police-scotland-fined-66k-and-reprimanded-following-serious-data-mishandling/


