
ICO Fines Police Scotland £66,000 for Data Mishandling

Source: ICO News & Blogs (ico.org.uk)
Filed March 11th, 2026
Detected March 11th, 2026

Summary

The ICO has fined Police Scotland £66,000 and issued a reprimand for serious data mishandling. Failures included excessive mobile phone data extraction and unlawful disclosure of sensitive personal information to a third party, violating UK GDPR and the Data Protection Act 2018.

What changed

The Information Commissioner's Office (ICO) has issued a £66,000 fine and a reprimand to Police Scotland for significant breaches of data protection law. The investigation found that Police Scotland extracted the entire contents of a person's mobile phone without adequate safeguards, leading to the collection of excessive sensitive information. This data was subsequently shared with a third party without proper review or redaction procedures, and Police Scotland also failed to report the personal data breach to the ICO within the required 72-hour timeframe.

This enforcement action highlights critical failures in implementing appropriate organisational and technical measures for data security, limiting data sharing to necessary levels, and ensuring staff followed clear guidance. Regulated entities, particularly public bodies, must review their policies and procedures for handling sensitive personal information, especially during investigations and disclosure processes, to avoid similar penalties and protect individual privacy. Failure to comply with UK GDPR and DPA 2018 can result in substantial fines and reputational damage.

What to do next

  1. Review mobile phone data extraction policies and procedures.
  2. Ensure adequate safeguards are in place to limit collection of irrelevant personal information.
  3. Implement robust review, redaction, and security protocols before sharing personal data with third parties.

Penalties

£66,000 fine and a reprimand

Source document (simplified)

Police Scotland fined £66k and reprimanded following serious data mishandling

  • Date: 11 March 2026
  • Type: News

  • Police Scotland failed to protect a person’s sensitive personal information

  • Extraction of the entire contents of a person’s mobile phone found to be excessive and unfair

  • Lack of adequate policies and procedures contributed to the subsequent unlawful disclosure of sensitive personal information to a third party

We have issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.

Our investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information. As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.

Police Scotland subsequently included the full unredacted content into a misconduct disclosure bundle and shared it with a third party who should not have received it. We determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls.

We concluded that Police Scotland failed to:

  • implement appropriate organisational and technical measures to ensure data security;
  • limit personal information sharing to what was strictly necessary;
  • ensure staff handling sensitive information were following clear guidance and procedures; and
  • report the personal data breach to the ICO within the legally required 72-hour timeframe.

“At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.

“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.

“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”

  • Sally-Anne Poole, ICO Head of Investigations

In assessing the fine amount, we considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. We also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.

Notes to editors

  1. The Information Commissioner’s Office (ICO) work on mobile phone extraction examines relevant data protection rules in some detail and provides key recommendations on how to comply with the law.
  2. The ICO found infringements of Part 3 of the Data Protection Act (DPA 2018) in respect of Police Scotland’s extraction of the entire contents of a person’s mobile phone and, separately, infringements of the UK GDPR in respect of Police Scotland’s subsequent processing and unlawful disclosure of this information in the context of its misconduct investigation.
  3. The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  4. The ICO has specific responsibilities set out in the DPA 2018 and the UK GDPR, the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  5. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  6. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Information Commissioner's Office
Filed
March 11th, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Government agencies
Geographic scope
National (UK)

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
GDPR Law Enforcement Data
