Police Scotland fined £66,000 for mishandling victim data in misconduct case
#Privacy

Regulation Reporter

UK data watchdog fines Police Scotland for excessive phone data extraction and subsequent disclosure of sensitive victim information to accused officer during misconduct proceedings.

The UK's data protection watchdog has fined Police Scotland £66,000 ($88,000) for what it calls a "serious failure" in handling an alleged victim's sensitive data during a criminal investigation that spiraled into a gross misconduct case.

The Information Commissioner's Office (ICO) said the force was "excessive and unfair" in its decision to extract the entire contents of a mobile phone belonging to a woman who reported a crime in 2021. Police Scotland needed text messages between the victim and the alleged offender as part of its investigation, but instead conducted a full data extraction that captured a "substantial volume" of highly sensitive information.

The case involved two Police Scotland employees and was referred to the force's professional standards department (PSD) for review. As part of the misconduct proceedings, the accused officer was mistakenly sent a complete copy of the victim's phone data, including special category information that covers matters such as health, sexual orientation, and biometric data.

Special category data is subject to additional protections under UK data protection law, and the ICO found that Police Scotland failed to ensure the bulk data collection was lawful and the data processing was adequate. These failures, under sections 35 and 37 of the Data Protection Act 2018, formed the basis of the fine.

The ICO's investigation also revealed that Police Scotland failed to report the data breach within the mandatory 72-hour window after becoming aware of the mishap. The force had responded to the ICO's initial inquiry by stating it had revised its processes to prevent similar errors, but the regulator determined that the severity of the breach warranted financial penalties.

Information Commissioner John Edwards said the incident demonstrated the "devastating consequences of poor data protection practices on individuals." Sally-Anne Poole, ICO Head of Investigations, emphasized that "people should be able to trust that organisations will treat their personal information with care, fairness and respect."

Police Scotland acknowledged the findings and said it had taken "organizational learning" from the incident. Deputy Chief Constable Alan Speirs told The Register that the force had already strengthened its processes for handling personal data, improved staff training, and increased oversight to reduce the risk of similar incidents.

Scottish news publication The Courier reported that the internal case was related to an alleged rape, and the victim's intimate images were shared with her alleged abuser during the misconduct proceedings. The force has submitted a report to the Crown Office and Procurator Fiscal Service seeking further instruction on the matter.

The fine represents a significant enforcement action against a major UK police force and underscores the importance of proportionate data collection and secure handling of sensitive information, particularly in cases involving vulnerable individuals who have reported crimes.

The ICO's decision sends a clear message that even public authorities must adhere to strict data protection standards, and failures to safeguard personal information can result in substantial financial penalties and reputational damage.
