SuppliedPolice Scotland has been fined £66,000 by the UK data watchdog after sharing the entire contents of a rape survivor’s phone with her alleged attacker.
On July 5, 2022, detective constable Lianne Gilbert received a letter from a police data protection officer confirming that personal data and images had been shared incorrectly with third parties.
Her phone had been submitted voluntarily as part of an investigation into criminal allegations against a serving police officer.
The data was passed to Police Scotland’s Professional Standards Department (PSD). As part of the procedure, the officer subject to investigation is provided with the investigator’s report and relevant documents prior to a hearing.
On June 14, 2022, all of DC Gilbert’s mobile data was provided to the accused officer, his police federation representative and his solicitor.
In a letter seen by STV News, Police Scotland said this was “human error”.
Three days later, the discs were retrieved from the officer. On June 22, 2022, the information was retrieved from the SPF and the solicitor.
One disc contained 39,233 pages of information following the initial download of the phone. One included 697 image files, 17 uncategorised files and 13 video files, the majority of which were not relevant to the investigation.
Only one disc contained messages between the victim and the accused officer.
A review carried out by officers identified 15 images described as intimate which had been incorrectly shared along with DC Gilbert’s medical records.
Almost two months following the breach, an email from a Police Scotland data protection officer stated that the PSD National Complaint Assessment and Resolution Unit determined the matter “could be considered under criminal legislation”.
DC Gilbert told STV News: “This has left me with significant psychological issues.
“At the time this happened, I had a five-month-old child. I don’t remember a lot about their early years because of the toll this had on me.
“It has been traumatic.”
‘Substantial volume of highly sensitive information’
In the initial letter sent to DC Gilbert, Police Scotland determined that the breach “did not meet the statutory notifiable requirements” for the force to report itself to the data watchdog, the Information Commissioner’s Office (ICO).
But, Police Scotland claimed in the letter that it reported the breach to “demonstrate accountability and transparency”.
However, in an email seen by STV News, an ICO lead investigator stated they were not made aware until DC Gilbert lodged a complaint on September 2, 2022 – three months after the incident.
The ICO confirmed it would investigate the “unlawful disclosure” of data and Police Scotland’s “mobile phone extraction process”.
On Wednesday, March 11, 2026 – three and a half years after it being reported – the ICO said it had issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.
“The ICO’s investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information,” the watchdog said.
“As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.”
DC Gilbert believes a full audit should be carried out into the number of data breaches that may not have been reported by Police Scotland.
She said: “People who hand over their phones as part of sensitive enquiries should be aware that the data may be handed into the wrong person’s hands.
“More things need to be in place to ensure this doesn’t happen again. It’s too late for me.”
In a letter this month, chief superintendent Helen Harrison said that processes surrounding personal data had been strengthened, training and support for staff had improved, and oversight had increased to ensure similar incidents don’t happen.
She added: “Police Scotland is committed to learning from this incident and ensuring people’s information is treated with care”.
The Information Commissioner’s Office determined that the complaint “highlighted serious data protection concerns”.
Sally-Anne Poole, ICO head of investigations, said: “At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.
“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.
“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”
On the ICO ruling – Deputy Chief Constable Alan Speirs said: “Police Scotland has received the Information Commissioner’s Office reprimand and penalty notice, and reflected on its findings.
“We acknowledge the organisation did not meet expectations and regulations relating to data handling in regards to this matter. We have also apologised to those involved in this matter.
“Police Scotland has taken organisational learning from this incident. Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future.”
A Police Scotland spokesperson said: “This data breach occurred as a result of human error in the preparation of a pack relating to an internal investigation.
“Police Scotland reported the breach to the ICO in June 2022.
“We acknowledge there was a delay in the reporting process and have implemented processes to minimise the risk of this occurring again in the future.”
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country
