Police Scotland has been fined £66,000 by the UK data watchdog after sharing the entire contents of a rape survivor’s phone with her alleged attacker.
On July 5, 2022, the woman received a letter from a police data protection officer confirming that personal data and images had been shared incorrectly with third parties.
Her phone had been submitted voluntarily as part of an investigation into criminal allegations against a serving police officer.
The data was passed to Police Scotland’s Professional Standards Department (PSD). As part of the procedure, the officer subject to investigation is provided with the investigator’s report and relevant documents prior to a hearing.
On June 14, 2022, all of the woman’s mobile data was provided to the accused officer, his police federation representative and his solicitor.
In a letter seen by STV News, Police Scotland said this was “human error”.
Three days later, the discs were retrieved from the officer. On June 22, 2022, the information was retrieved from the SPF and the solicitor.
One disc contained 39,233 pages of information following the initial download of the phone. One included 697 image files, 17 uncategorised files and 13 video files, the majority of which were not relevant to the investigation.
Only one disc contained messages between the victim and the accused officer.
A review carried out by officers identified 15 images described as intimate which had been incorrectly shared along with the woman’s medical records.
Almost two months following the breach, an email from a Police Scotland data protection officer stated that the PSD National Complaint Assessment and Resolution Unit determined the matter “could be considered under criminal legislation”.
The woman told STV News: “This has left me with significant psychological issues.
“At the time this happened, I had a five-month-old child. I don’t remember a lot about their early years because of the toll this had on me.
“It has been traumatic.”
‘Substantial volume of highly sensitive information’
In the initial letter sent to the woman, Police Scotland determined that the breach “did not meet the statutory notifiable requirements” for the force to report itself to the data watchdog, the Information Commissioner’s Office (ICO).
But Police Scotland claimed in the letter that it reported the breach to “demonstrate accountability and transparency”.
However, in an email seen by STV News, an ICO lead investigator stated they were not made aware until the affected woman lodged a complaint on September 2, 2022 – three months after the incident.
The ICO confirmed it would investigate the “unlawful disclosure” of data and Police Scotland’s “mobile phone extraction process”.
On Wednesday, March 11, 2026 – three and a half years after it was reported – the ICO said it had issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.
“The ICO’s investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information,” the watchdog said.
“As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.”
The impacted woman believes a full audit should be carried out into the number of data breaches that may not have been reported by Police Scotland.
She said: “People who hand over their phones as part of sensitive enquiries should be aware that the data may be handed into the wrong person’s hands.
“More things need to be in place to ensure this doesn’t happen again. It’s too late for me.”
In a letter this month, chief superintendent Helen Harrison said that processes surrounding personal data had been strengthened, training and support for staff had improved, and oversight had increased to ensure similar incidents don’t happen.
She added: “Police Scotland is committed to learning from this incident and ensuring people’s information is treated with care”.
The Information Commissioner’s Office determined that the complaint “highlighted serious data protection concerns”.
Sally-Anne Poole, ICO head of investigations, said: “At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals.
“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.
“People should be able to trust that organisations will treat their personal information with care, fairness and respect. When organisations fail to do so, they can expect enforcement action from us.”