Force extracted and shared the entire contents of a crime complainant’s phone in a way that “exposed them to further risk and distress”, according to watchdog the Information Commissioner’s Office
Data watchdog the Information Commissioner’s Office has fined Police Scotland £66,000 for failing to protect the sensitive personal information of someone who reported a crime – and unlawfully disclosing that data to a third party.
The ICO said Police Scotland had extracted the entire contents of a mobile phone belonging to the complainant in a way that was “excessive and unfair”.
It added that a lack of adequate policies and procedures at the force had contributed to the subsequent wrongful disclosure of sensitive personal information.
The ICO said its investigations had determined that “appropriate review, redaction and security procedures were not in place” at Police Scotland, and that staff were “neither adequately guided nor supported by effective organisational controls”.
The data breach is understood to relate to an allegation of rape made by one serving Police Scotland officer against a colleague.
According to the ICO, Police Scotland extracted the entire contents of the complainant’s mobile phone without ensuring there were sufficient safeguards to prevent access to irrelevant personal information.
It said that, as a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation. Police Scotland subsequently included the full unredacted content of the phone in a misconduct disclosure bundle and shared it with a third party who should not have received it.
Sally-Anne Poole, head of investigations at the ICO, said the data breach was a “stark example” of the devastating consequences that poor data-protection practices could have on individuals.
“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help,” she said. “Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party. People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”
The ICO investigation concluded that Police Scotland had failed to implement appropriate organisational and technical measures to ensure data security; limit personal information sharing to what was strictly necessary; and ensure staff handling sensitive information were following clear guidance and procedures.
The watchdog said the force had also failed to report the data breach to the ICO within the legally required timeframe of 72 hours.
It said Police Scotland had infringed the Data Protection Act 2018 in relation to the extraction of the entire contents of the complainant’s mobile phone and had infringed the UK General Data Protection Regulation in respect of the processing and unlawful disclosure of the extracted data.
The ICO said the £66,000 fine reflected the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. However, the watchdog added that the fine had been reduced from a higher level because of Police Scotland’s status as a public body. The ICO’s policy in relation to fines aims to avoid “disproportionate impact on public services”.
Police Scotland deputy chief constable Alan Speirs said the force had received the watchdog’s reprimand and penalty notice, and “reflected” on its findings.
“We acknowledge the organisation did not meet expectations and regulations relating to data handling in regards to this matter. We have also apologised to those involved in this matter,” he said. “Police Scotland has taken organisational learning from this incident. Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future.”