£66,000. That is what Police Scotland has been fined for serious failures in the handling of sensitive personal information, exposed by the UK's Information Commissioner's Office this week. But the fine barely scratches the surface of what happened to one victim whose attempt to report a crime triggered a chain of institutional failures.
The case centres on a 2021 incident involving two Police Scotland employees. Police Scotland needed to extract text messages between a woman and the alleged offender as part of its investigation into the incident. Straightforward enough. The problem is what came next.
The Information Commissioner's Office said Police Scotland was "excessive and unfair" in its decision to lift the entire contents of a mobile phone belonging to the individual who reported a crime. Rather than surgically extracting the relevant messages, Police Scotland downloaded the whole device after the person reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.
What made this worse was what happened next. Police Scotland subsequently included the full unredacted content in a misconduct disclosure bundle and shared it with a third party who should not have received it. According to reporting by the Scottish newspaper The Courier, that third party was the accused officer; the internal case related to an alleged rape, and the victim's intimate images were shared with her alleged abuser.
Where the controls failed
This was not a single error. It was a failure at multiple institutional levels. The ICO determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls. Police Scotland also failed to report itself within the mandatory 72-hour window after becoming aware of its data mishap.
The watchdog's analysis points to systemic weaknesses. Collecting the full contents from digital devices or large-scale information sets without a clearly defined, proportionate investigative need creates unnecessary downstream risk. Police services must ensure requests are specific, limited and justified. Yet this did not happen.
Police Scotland acknowledged the failures. Deputy Chief Constable Alan Speirs told The Register: "Police Scotland has received the Information Commissioner's Office reprimand and penalty notice, and reflected on its findings. We acknowledge the organisation did not meet expectations and regulations relating to data handling in regards to this matter". The force said it has since revised its processes and improved staff training.
The proportionality argument that didn't hold
When challenged by the ICO, the senior investigating officer defended the full phone extraction on what seemed like practical grounds: it was proportionate to the case and served the interest of returning the device as soon as possible. That is the whole of it: returning a phone quickly weighed against protecting a victim's most sensitive information. The regulator found that logic wanting.
In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. The ICO also considered Police Scotland's status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services. The original penalty could have been higher. This was a reduced fine, calibrated to avoid crippling a major law enforcement agency.
Yet the message is clear. Sally-Anne Poole, ICO Head of Investigations, said: "At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals. Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party".
The broader lesson is one of institutional discipline. Every stage of personal information handling, from collection to disclosure, must be governed by documented procedures. Peer-review mechanisms, senior oversight and audit trails help prevent errors. When any of these elements is absent, the result is what happened here: a victim comes forward to report a crime and ends up exposed to further harm at the hands of the institution meant to protect her.