
Police Scotland Fined for Sharing Victim’s Data

Summary

– Police Scotland was fined £66,000 for a data protection failure after sharing a female officer’s entire phone contents, including sensitive data, with the colleague she accused of rape.
– The Information Commissioner’s Office found the force’s data extraction was excessive and its subsequent erroneous disclosure of the data was a serious error.
– Police Scotland also failed to report this serious breach of the Data Protection Act within the legally required 72-hour timeframe.
– The ICO stated this failure exposed the victim to further distress and highlighted the devastating consequences of poor data protection practices.
– The penalty was reduced from a higher figure, as the infringements were deemed negligent and reflected common police practice at the time, with the related rape investigation still ongoing.

Police Scotland has been issued a substantial fine and a formal reprimand following a severe data protection breach. The incident involved the force mistakenly sharing the entire contents of a female officer’s mobile phone with a colleague she had accused of rape. This failure occurred during an internal misconduct investigation in early 2021, highlighting critical lapses in how sensitive personal information is handled by law enforcement agencies.

The Information Commissioner’s Office (ICO) detailed that the police obtained the victim’s phone to download text messages relevant to the case. However, investigators extracted the device’s full contents, arguing it was necessary and expedient for returning the phone quickly. The ICO found this action to be excessive and unfair, but a subsequent error proved far more damaging. The complete dataset, reportedly containing medical records, private photographs, and contact details for friends and family, was then erroneously provided to the very officer under investigation.

Compounding these failures, Police Scotland did not report the serious breach to the ICO within the mandatory 72-hour period. The victim, a detective constable, learned of the incident over a year later from the Scottish Police Federation. After Police Scotland refused her request for a copy of the disclosed information, she filed a complaint with the ICO, which launched its own investigation in May 2023.

The regulatory body concluded that the force failed on multiple fronts. It did not implement appropriate organizational and technical measures to ensure data security, did not minimize personal information sharing to only what was strictly necessary, and lacked clear guidance for staff handling sensitive material. Sally-Anne Poole, Head of Investigations at the ICO, stated the case demonstrates the devastating consequences of poor data protection, noting that the victim was exposed to further risk and distress instead of receiving safeguarding support. The officer involved has since been diagnosed with PTSD.

This is not an isolated incident in UK policing. The Police Service of Northern Ireland was previously fined £750,000 for a data leak exposing staff details, including those in covert roles. The Metropolitan Police also received a reprimand for database inaccuracies affecting organized crime records. In the Police Scotland case, the ICO reduced an initial penalty of £78,750 to £66,000, citing its public sector approach. It noted the infringements were negligent rather than deliberate, that the force had no prior history of such breaches, and that its approach to phone data extraction reflected common practice among UK police services at the time. The underlying rape investigation remains active, with no charges yet brought against the accused officer.

(Source: InfoSecurity Magazine)
