Police Scotland fined £66k for extracting and sharing mobile phone data

Police Scotland has been fined £66,000 for extracting the entire contents of a person’s mobile phone after they reported an alleged crime and then sharing it with a third party who should not have received it.

The Information Commissioner’s Office (ICO) issued the fine and reprimand after finding that a series of data protection failures resulted in the excessive collection, handling and unlawful disclosure of sensitive personal information.

The data protection authority says the case highlights key data protection practices that all police services and criminal justice organisations should take note of, particularly around data minimisation, secure handling of digital evidence, governance controls, and staff training.

The ICO’s investigation found that Police Scotland extracted the entire contents of a person’s mobile phone after they reported an alleged crime, without ensuring there were sufficient safeguards to prevent access to irrelevant personal information.

As a result, officers collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation.

Police Scotland subsequently included the full unredacted content in a misconduct disclosure bundle and shared it with a third party who should not have received it.

The ICO determined that appropriate review, redaction and security procedures were not in place, and that staff were neither adequately guided nor supported by effective organisational controls.

The ICO also found that Police Scotland did not notify this personal data breach within the legally required 72-hour period.

Sally-Anne Poole, head of investigations at the ICO, said: “Police services handle large volumes of highly sensitive personal information every day. When processes are poorly designed or insufficiently supervised, the risk of excessive collection, unnecessary retention and inappropriate disclosure of data increases significantly.

“This should be a stark reminder of how disproportionate levels of data collection, whether from mobile phones or other sources, can lead to serious and lasting effects on people whose data is mishandled.

“Police bodies and criminal justice organisations play a crucial role in safeguarding people’s personal information. We’ve published investigation reports on mobile phone extraction, and I urge all policing services to revisit them and act on our key recommendations to ensure full compliance with the law.”

In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. The ICO also considered Police Scotland’s status as a public body and reduced the penalty accordingly to avoid disproportionate impact on public services.
