Brian Sims
Editor
THE INFORMATION Commissioner’s Office (ICO) has issued a £66,000 fine and a reprimand to Police Scotland for “serious failures” in the handling of sensitive personal information.
An investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards in place to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.
Police Scotland subsequently included the full unredacted content within a misconduct disclosure bundle and shared it with a third party who should not have received it. The ICO determined that appropriate review, redaction and security procedures were not in place and that staff were neither adequately guided nor supported by effective organisational controls.
The ICO concluded that Police Scotland failed to:
* implement appropriate organisational and technical measures to ensure data security
* limit personal information sharing to what was strictly necessary
* ensure members of staff handling sensitive information were following clear guidance and procedures
* report the personal data breach to the ICO within the legally required 72‑hour timeframe
Devastating consequences
Sally-Anne Poole, the ICO’s head of investigations, commented: “At its heart, data protection is about people. This incident is a stark example of the devastating consequences of poor data protection practices on individuals.”
Poole continued: “Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed that person to further risk and distress by disclosing highly sensitive information to a third party.”
Further, Poole noted: “People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”
In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected individual. The ICO also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.
*Further information is available online at www.ico.org.uk
Western Business Media Limited
Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM