
ICO fines Police Scotland £66,000 for multiple data protection failures

The Information Commissioner’s Office has issued a fine of £66,000 to Police Scotland for excessive collection of a person’s personal data and unlawfully sharing it with third parties.

 

The data protection watchdog said Wednesday that the law enforcement agency collected "excessive" information from a person’s phone after they reported an alleged crime, including sensitive personal information, much of which had no bearing on its investigation into the alleged crime.

Police Scotland personnel went on to store the content downloaded from the mobile phone in a misconduct disclosure bundle and subsequently shared the data with a third party. The ICO said the third party had no business receiving the personal data.

"We determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls," it added.

 

The data protection watchdog observed that Police Scotland failed to limit personal data collection to what was strictly necessary, failed to implement appropriate organisational and technical measures to ensure data security, failed to ensure that staff handling sensitive information were following clear guidance and procedures, and failed to report the data breach within the 72-hour window.

"Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party," said ICO head of investigations Sally-Anne Poole.

 

"This incident is a stark example of the devastating consequences of poor data protection practices on individuals," she continued. "People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us."

The information protection watchdog said the fine issued to Police Scotland could have been higher, but it reduced the penalty to avoid a disproportionate impact on public services, taking into account Police Scotland’s status as a public body.

In October 2024, the ICO also imposed a penalty of £750,000 on the Police Service of Northern Ireland for exposing the sensitive personal information of its entire workforce when complying with a Freedom of Information (FoI) request.

The leaked data included current employees’ surnames and initials, ranks, departments, and locations. This sensitive information encompassed even the most delicate areas of the police service, including surveillance and intelligence.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543