ICO Fines Police Scotland £66,000 for Mishandling Crime Victim’s Sensitive Data
The UK’s Information Commissioner’s Office (ICO) has fined Police Scotland £66,000 following a series of data protection failures involving a crime victim’s mobile phone. The incident, which occurred during an internal misconduct investigation in 2021, saw officers extract and improperly share highly sensitive personal information from the victim’s device.
During the investigation into an alleged offence involving two Police Scotland employees, officers sought text messages between the victim and the accused. Instead of retrieving only the relevant data, they performed a full download of the phone’s contents, including "special category data" such as health records, religious beliefs, and other protected personal details. The senior investigating officer justified the approach as a means to return the device quickly, but the ICO determined the decision was neither lawful nor proportionate.
The breach worsened when the full dataset, including the victim’s sensitive information, was shared with Police Scotland’s Professional Standards Department (PSD) as part of the misconduct review. In a further error, the officer facing disciplinary action was mistakenly provided with the complete phone extraction, exposing the victim’s data unnecessarily.
The victim filed a complaint with the ICO in September 2022, prompting a formal investigation in May 2023. The ICO found that Police Scotland breached the Data Protection Act 2018 by failing to ensure the data was collected lawfully, to safeguard it adequately, and to report the breach within the required 72-hour window.
Information Commissioner John Edwards emphasized the harm caused by poor data protection practices, while the ICO’s head of investigations, Sally-Anne Poole, described the case as a "stark example" of the consequences of such failures. The £66,000 fine was adjusted to avoid disproportionate impact on public services.
Police Scotland acknowledged the shortcomings, with Deputy Chief Constable Alan Speirs stating the force had implemented new measures including additional training, improved oversight, and revised processes to prevent future breaches. The incident highlights the risks of improper data handling, particularly when dealing with sensitive victim information.
Source: https://www.computing.co.uk/news/2026/ico-fines-police-scotland-mishandling-victim-mobile-data
Police Scotland cybersecurity rating report: https://www.rankiteo.com/company/police-scotland
{
  "id": "POL1773319619",
  "linkid": "police-scotland",
  "type": "Breach",
  "date": "9/2022",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "1 (crime victim)",
      "industry": "Public Sector",
      "location": "Scotland, UK",
      "name": "Police Scotland",
      "type": "Law Enforcement Agency"
    }
  ],
  "data_breach": {
    "data_exfiltration": "Shared with unauthorized parties (Professional Standards Department and accused officer)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Special category data (health records, religious beliefs, personal details)"
  },
  "date_detected": "2022-09-01",
  "description": "The UK’s Information Commissioner’s Office (ICO) has fined Police Scotland £66,000 following a series of data protection failures involving a crime victim’s mobile phone. During an internal misconduct investigation in 2021, officers extracted and improperly shared highly sensitive personal information from the victim’s device, including health records, religious beliefs, and other protected personal details. The breach worsened when the full dataset was shared with multiple departments and even the officer facing disciplinary action.",
  "impact": {
    "brand_reputation_impact": "Negative impact on public trust",
    "data_compromised": "Special category data (health records, religious beliefs, personal details)",
    "financial_loss": "£66,000 (fine imposed)",
    "identity_theft_risk": "High (exposure of sensitive personal data)",
    "legal_liabilities": "Violation of Data Protection Act 2018",
    "operational_impact": "Revised processes and additional training implemented"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Importance of lawful and proportionate data collection, safeguarding sensitive information, and timely breach reporting.",
  "post_incident_analysis": {
    "corrective_actions": "Additional training, improved oversight, and revised processes to prevent future breaches.",
    "root_causes": "Improper data extraction, lack of safeguards, and failure to report the breach in a timely manner."
  },
  "recommendations": "Implement stricter data handling protocols, enhance training for officers, and ensure compliance with data protection regulations.",
  "references": [
    {
      "source": "Information Commissioner’s Office (ICO)"
    }
  ],
  "regulatory_compliance": {
    "fines_imposed": "£66,000",
    "regulations_violated": [
      "Data Protection Act 2018"
    ],
    "regulatory_notifications": "Breach not reported within 72-hour window"
  },
  "response": {
    "containment_measures": "Improved oversight and revised processes",
    "remediation_measures": "Additional training for officers"
  },
  "title": "ICO Fines Police Scotland £66,000 for Mishandling Crime Victim’s Sensitive Data",
  "type": "Data Breach",
  "vulnerability_exploited": "Improper data handling and lack of safeguards"
}