Police Scotland Fined After Sharing Victim’s Phone Data

Police Scotland has been fined £66,000 and reprimanded after a serious data protection failure when it shared the entire contents of a female officer’s phone with a colleague she accused of rape.

The incident, which spanned several months in early 2021, stems from an internal officer misconduct investigation.

An Information Commissioner’s Office (ICO) penalty notice redacted many of the details, but the victim in question subsequently waived her right to anonymity in a BBC report.

According to the ICO, the police force obtained the victim’s phone in order to download text messages between her and the “third party” under investigation.

However, the full contents of the device were apparently extracted because it was deemed “relevant and proportionate” to the investigation and “in the interest of returning the device at the earliest opportunity to the data subject.”

While this course of action was found by the ICO to be “excessive and unfair,” the second incident involved an even more egregious error by the force.

The phone data – which reportedly included medical records, intimate photos and friends and family contact details – was erroneously passed to the officer under investigation.

According to the ICO, Police Scotland also failed to notify it of these serious contraventions of the Data Protection Act within the required 72-hour timeframe.

In fact, the victim, a detective constable in the force, told the BBC she was first notified about the incident in June 2022 by the Scottish Police Federation (SPF).

She complained to the ICO later that year that Police Scotland had refused to provide her with a copy of the information it erroneously disclosed. The ICO subsequently began its investigation in May 2023.

Counting the Human Cost

The ICO concluded that Police Scotland had failed to:

  • Implement “appropriate organisational and technical measures” to ensure data security
  • Minimize the sharing of personal information to what was strictly necessary for the investigation
  • Ensure staff handling sensitive information were following clear guidance and procedures
  • Report the breach within 72 hours

Head of investigations, Sally-Anne Poole, said the case highlights the “devastating consequences” of poor data protection on individuals.

“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party,” she argued.

“People should be able to trust that organizations will treat their personal information with care, fairness and respect. When organizations fail to do so, they can expect enforcement action from us.” 

The victim in the case has reportedly been diagnosed with PTSD.

Another Police Failure

Previous examples of police mishandling of personal data include the Police Service of Northern Ireland (PSNI), which was fined £750,000 after leaking online a spreadsheet containing the personal details of staff, including those conducting surveillance and intelligence.

In another case, the Metropolitan Police escaped with a reprimand after records maintenance failings led to inaccurate information being stored on a key database related to organized crime groups.

The rape investigation at the heart of the Police Scotland case is reportedly still live, and the accused officer has not yet been charged. The ICO said it revised down a penalty of £78,750 in line with its public sector approach.

It noted that the infringements were negligent rather than intentional, and that there were no previous infringements from Police Scotland. It also claimed that the force’s approach to mobile phone data extraction “reflected common practice among police services in the United Kingdom” during the period.