POLICE Scotland has been fined £66,000 and reprimanded after a serious data protection failure in which the entire contents of a female officer’s phone were shared with a colleague she accused of rape. The incident spanned several months in early 2021 and stemmed from an internal misconduct investigation; the victim was first notified in June 2022 and later complained that Police Scotland had refused to provide a copy of the information it had disclosed.
According to the Information Commissioner’s Office (ICO) penalty notice, the force obtained the victim’s phone to download text messages between her and the third party under investigation, but the full contents were then extracted and shared because they were deemed relevant and proportionate to the investigation. The ICO found the actions excessive and unfair, and noted that Police Scotland failed to notify the ICO within the required 72-hour timeframe.
The ICO also concluded that the infringements were negligent rather than intentional, with no previous infringements by Police Scotland, and that the force’s approach to mobile data extraction reflected common practice at the time.