Police Scotland fined for mishandling victim data • The Register
The UK’s data protection watchdog has fined Police Scotland £66,000 ($88,000) for what it calls a “serious failure” in handling an alleged victim’s sensitive data.

The Information Commissioner’s Office (ICO) said that Police Scotland, the UK’s second-largest police force, acted in a way that was “excessive and unfair” when it decided to extract the entire contents of a mobile phone belonging to an individual who had reported a crime.

Police Scotland needed to extract the text messages between the individual, a woman, and the alleged offender, a man, as part of its investigation into a 2021 incident, which involved two Police Scotland employees. 

However, according to the ICO’s reprimand and penalty notice [PDF], the senior investigating officer justified a full extraction, rather than a targeted one, as proportionate to the case and in the interest of returning the device to its owner as soon as possible.

This led to the police acquiring a “substantial volume” of highly sensitive information about the victim, including a collection of special category data, the type of which was redacted from the official documents.

Special category data is a broad term that covers matters including religion, ethnic origin, political leanings, genetic and biometric data, health, sex life, and sexual orientation.

Given that the case involved two police staff, the matter was sent to the force’s professional standards department (PSD) for review. The PSD received all documents relating to the case, including the full dump gathered by the complete phone data extraction.

The PSD determined that the police staffer accused of the undisclosed offense may have committed gross misconduct and referred the individual to a follow-up misconduct hearing.

As part of this, the accused police employee was sent a copy of the documents from the PSD’s review, mistakenly including the alleged victim’s phone data in full and all the special category data that came with it.

In September 2022, the alleged victim complained to the ICO both about the incident itself and about Police Scotland’s failure to tell her exactly what information had been wrongly shared as part of the misconduct hearing.

The ICO told Police Scotland it was investigating the force in May 2023. Police Scotland responded by saying it had revised its processes and made efforts to prevent the same error from recurring. 

The information commissioner, John Edwards, ultimately decided that Police Scotland had infringed the Data Protection Act 2018 by failing to ensure that the bulk extraction of the phone’s contents was lawful and that the data it processed was adequate, relevant, and not excessive for the investigation.

These two failings, under sections 35 and 37 of the DPA 2018, were the ones that led to the fine, although the ICO’s investigation also threw up a bevy of other issues related to the force’s technical measures and data processing.

Police Scotland also failed to notify the ICO of the breach within the mandatory 72-hour window after becoming aware of its data mishap.

The ICO said the size of the fine was determined by balancing the seriousness of the case against its wish to avoid a penalty that would harm the delivery of public services.

Sally-Anne Poole, ICO Head of Investigations, said: “At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.

“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party. 

“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.” 

Alan Speirs, deputy chief constable, told The Register: “Police Scotland has received the Information Commissioner’s Office reprimand and penalty notice, and reflected on its findings. We acknowledge the organisation did not meet expectations and regulations relating to data handling in regards to this matter. We have also apologised to those involved in this matter.

“Police Scotland has taken organizational learning from this incident. Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future.”

The Register asked both the ICO and Police Scotland for additional information about the nature of the criminal investigation and gross misconduct cases that were central to the fine.

The ICO declined to comment further. 

A Police Scotland spokesperson offered very little in a follow-up statement: “A report outlining enquiries already undertaken and seeking further instruction has been submitted to the Crown Office and Procurator Fiscal Service.”

Scottish news publication The Courier reported that the internal case was related to an alleged rape, and the victim’s intimate images were shared with her alleged abuser. ®