ICO fines Police Scotland £66k for excessive mobile phone data download
11/03/2026 | ICO
The Information Commissioner's Office (ICO) has issued a £66,000 monetary penalty and a formal reprimand to Police Scotland following serious failures in the management of sensitive personal information. An investigation was launched after the force extracted the entire contents of a mobile phone belonging to an individual who had reported an alleged crime. The ICO found that officers collected a substantial volume of highly sensitive data without sufficient safeguards to exclude irrelevant information from the case.
The personal data breach was further exacerbated when the force included the unredacted contents of the phone download in a misconduct disclosure bundle, which was subsequently shared with an unauthorised third party. The ICO determined that the force lacked appropriate review and redaction procedures, and that staff were not supported by effective organisational controls or clear guidance.
The investigation concluded that Police Scotland failed to implement appropriate organisational and technical measures, did not limit data sharing to what was strictly necessary, and failed to report the personal data breach within the legally required 72-hour timeframe. The violations contravene Articles 32(1), 5(1)(f), 25, 5(1)(c) and 33(1) of the UK General Data Protection Regulation (GDPR). As a result, the ICO issued a £132,000 monetary penalty, which was subsequently reduced by 50% to £66,000 under the public sector approach to enforcement.
Furthermore, the ICO issued a formal reprimand for infringements under Sections 35 and 37 of Part 3 of the Data Protection Act 2018 (DPA18). These violations concern the lawful and fair bulk downloading of personal data on mobile phones, and ensuring that the processing of the downloaded data was adequate, relevant and not excessive in relation to the purposes for which it was processed.