
Police Scotland fined £66,000 for unlawful disclosure of sensitive mobile phone data

Police Scotland has been fined £66,000 after serious failures in safeguarding sensitive personal information led to the unlawful disclosure of data belonging to a person who had reported an alleged crime.


The penalty was imposed by the Information Commissioner’s Office, the United Kingdom’s independent regulator responsible for enforcing data protection and information rights laws. The regulator also issued a formal reprimand after an investigation found that officers extracted the entire contents of the individual’s mobile phone without sufficient safeguards to prevent access to irrelevant personal information.


The investigation determined that the full extraction resulted in the collection of a substantial volume of highly sensitive data, much of which had no connection to the alleged crime under investigation. Authorities later included the complete, unredacted contents of the phone in a misconduct disclosure bundle and shared it with a third party who should not have received the information.


Officials concluded that Police Scotland lacked appropriate review, redaction, and security procedures to prevent the disclosure. Staff handling sensitive data were not supported by clear guidance or effective organizational controls, allowing the information to be shared without proper oversight.


The regulator found multiple failures in how the data was handled. Police Scotland did not implement adequate technical and organizational safeguards to ensure the security of personal information. Officers also failed to restrict data sharing to material strictly necessary for the investigation. Staff members responsible for processing sensitive information lacked clear procedures, and the personal data breach was not reported to regulators within the legally required 72-hour period.


Sally-Anne Poole, head of investigations at the Information Commissioner’s Office, said the case illustrates the serious consequences of poor data protection practices. She said the incident exposed a person who had sought help from law enforcement to additional risk and distress after highly sensitive personal information was disclosed to an unauthorized third party.


The regulator assessed the penalty after considering the seriousness of the incident, the sensitivity of the data involved, and the impact on the affected individual. Authorities also took into account Police Scotland’s role as a public body and reduced the financial penalty to avoid a disproportionate impact on public services.


The investigation identified violations of Part 3 of the Data Protection Act 2018 related to the extraction of the phone’s full contents. Additional breaches of the UK General Data Protection Regulation were found in connection with the subsequent processing and disclosure of the information during the misconduct investigation.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543