‘Key data protection lessons’ for police after ICO reprimands and fines Police Scotland
The Information Commissioner’s Office (ICO) has issued a £66,000 fine and a reprimand to Police Scotland following a series of data protection failures that resulted in the excessive collection, handling and unlawful disclosure of sensitive personal information.
The ICO says the case highlights “key data protection practices” that all police services and criminal justice organisations should take note of, particularly around data minimisation, secure handling of digital evidence, governance controls, and staff training. It emphasised that these lessons apply across the sector and should be acted upon without delay.
The ICO’s investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.
Police Scotland subsequently included the full unredacted content in a misconduct disclosure bundle and shared it with a third party who should not have received it. The ICO determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls.
The ICO also found that Police Scotland did not report this personal data breach within the legally required 72-hour period.
Sally-Anne Poole, Head of Investigations at the ICO, said: “Police services handle large volumes of highly sensitive personal information every day. When processes are poorly designed or insufficiently supervised, the risk of excessive collection, unnecessary retention and inappropriate disclosure of data increases significantly.
“This should be a stark reminder of how disproportionate levels of data collection, whether from mobile phones or other sources, can lead to serious and lasting effects on people whose data is mishandled.
“Police bodies and criminal justice organisations play a crucial role in safeguarding people’s personal information. We’ve published investigation reports on mobile phone extraction, and I urge all policing services to revisit them and act on our key recommendations to ensure full compliance with the law.”
In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. The ICO also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.
The ICO has highlighted the following key lessons on mobile phone extraction and data protection obligations:
Prioritise data minimisation from the outset
Collecting the full contents of digital devices or large-scale information sets without a clearly defined, proportionate investigative need creates unnecessary downstream risk. Police services must ensure requests are specific, limited and justified.
Strengthen governance and oversight
Every stage of personal information handling, from collection to disclosure, must be governed by documented procedures. Peer‑review mechanisms, senior oversight and audit trails help prevent errors.
Implement robust redaction and review processes
Before disclosing personal information in any setting, police services must ensure that only relevant information is shared. Staff must understand what ‘relevant’ means in practice and be supported by appropriate training and tools.
Secure digital evidence appropriately
Unencrypted devices, discs or drives present an unacceptable risk. Technical safeguards, such as encryption, password protection and restricted access, should be consistently applied.