Police Scotland Fined for Serious Data Protection Breach
In a significant enforcement action, Police Scotland has been penalized £66,000 and reprimanded following a grave data protection failure. The incident involved the unauthorized sharing of a female officer’s entire phone contents with a colleague she had accused of rape. This alarming event unfolded as part of an internal investigation into officer misconduct, sparking questions about data security within the police force.
The breach occurred during early 2021, and an investigation by the Information Commissioner’s Office (ICO) revealed critical shortfalls in Police Scotland’s adherence to data protection regulations. The ICO opted to redact many details regarding the penalty notice, but the victim, who is a detective constable, eventually chose to forgo her right to anonymity and provided an account to the BBC.
According to the ICO’s findings, the police force initially obtained the victim’s phone for the specific purpose of extracting relevant text messages exchanged with a "third party" who was under investigation. However, in what was deemed an excessive and unfair measure, the police extracted the full contents of the device. This action was justified by the force on the grounds that it was “relevant and proportionate” to the investigation and aimed at returning the device to the victim as swiftly as possible.
The ICO’s investigation also found an even more serious error: sensitive data from the victim’s phone, including medical records, intimate photographs, and personal contact details of friends and family, was mistakenly passed to the officer under scrutiny. The failures didn’t end there; Police Scotland also neglected to alert the ICO about these serious breaches of the Data Protection Act within the mandated 72-hour period.
It was not until June 2022 that the victim learned of the incident, being informed by the Scottish Police Federation (SPF). In response to the mishandling of her data, the victim filed a complaint with the ICO later that year after the police force refused her request for a copy of the erroneously disclosed information. Following this, the ICO initiated its investigation in May 2023.
The Human Cost of Data Mishandling
The ICO’s investigation concluded that Police Scotland had failed in several critical areas concerning data protection. The areas in which it fell short were:
- The implementation of “appropriate organizational and technical measures” to secure sensitive data.
- Minimizing the sharing of personal information, allowing only what was strictly necessary for the investigation.
- Providing clear guidelines for staff handling sensitive information.
- Promptly reporting the breach within the 72-hour timeframe stipulated by law.
Sally-Anne Poole, head of investigations at the ICO, underscored the profound consequences that arise from inadequate data protection measures. She noted that Police Scotland had a duty to safeguard the personal information of individuals who sought assistance, emphasizing that the release of such sensitive data only added to the victim’s distress.
“People should be able to trust that organizations will treat their personal information with care, fairness, and respect,” Poole stated. “When organizations fail to do so, they can expect enforcement action from us.” The fallout from the breach has been severe for the victim, who has since been diagnosed with post-traumatic stress disorder (PTSD).
A Pattern of Police Data Misconduct
This incident is not isolated; it adds to a troubling pattern of police forces mishandling personal data. In a similar case, the Police Service of Northern Ireland (PSNI) faced a £750,000 fine after inadvertently publishing a spreadsheet online that contained the personal details of staff engaged in surveillance and intelligence. Moreover, the Metropolitan Police received a reprimand for record-keeping failures that resulted in inaccurate data being maintained on a crucial database related to organized crime.
The underlying rape investigation at the center of the Police Scotland case remains ongoing, and the officer accused has yet to be charged. The ICO adjusted the initial proposed penalty of £78,750 to £66,000 to reflect its public sector policy, stating that the breaches were negligent rather than intentional and acknowledging a lack of prior infringements from Police Scotland. Furthermore, the ICO noted that the police’s methods of mobile phone data extraction mirrored practices commonly employed by police services across the UK during that time.
As the issue of data protection continues to loom large within the ranks of law enforcement, these incidents serve as a stark reminder of the critical need for robust systems to protect sensitive information and maintain public trust in the authorities meant to serve and protect.

