Date: 2026-03-12

We have issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.

Police Scotland failed to protect a person’s sensitive personal information

Extraction of the entire contents of a person’s mobile phone found to be excessive and unfair

Lack of adequate policies and procedures contributed to the subsequent unlawful disclosure of sensitive personal information to a third party

Our investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.

Police Scotland subsequently included the full unredacted content in a misconduct disclosure bundle and shared it with a third party who should not have received it. We determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls.

We concluded that Police Scotland failed to:

implement appropriate organisational and technical measures to ensure data security;

limit personal information sharing to what was strictly necessary;

ensure staff handling sensitive information were following clear guidance and procedures; and

report the personal data breach to the ICO within the legally required 72-hour timeframe.

Sally-Anne Poole, ICO Head of Investigations, said yesterday:

“At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.

“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.

“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”

In assessing the fine amount, we considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. We also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.

