
The Information Commissioner’s Office (ICO) has imposed a fine of £66,000 on Police Scotland for failing to properly protect sensitive personal information.
According to the privacy and data protection authority of the United Kingdom, police officers from Police Scotland extracted the entire contents of a person’s mobile phone after he was accused of a crime.
During the extraction, no safeguards were in place to prevent access to irrelevant personal information. As a result, a “substantial volume of highly sensitive information” was collected, which had no bearing on the investigation.
In addition, Police Scotland bundled all this information unredacted into a dossier, which was then shared with a third party who shouldn’t have received it. This proves that appropriate review, redaction, and security procedures were not in place, the ICO concludes.
The British data protection regulator states that Police Scotland failed to implement appropriate organizational and technical measures to ensure data security and limit the sharing of personal information to what was strictly necessary.
Furthermore, Police Scotland neglected to ensure staff handling sensitive information were following clear guidance and procedures, and to report the personal data breach to the ICO within 72 hours.
“At its heart, data protection is about people, and this incident is a stark example of the devastating consequences of poor data protection practices on individuals. Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party,” Sally-Anne Poole, ICO Head of Investigations, said in a statement.
“People should be able to trust that organizations will treat their personal information with care, fairness, and respect. When organizations fail to do so, they can expect enforcement action from us,” she continues.
In assessing the amount of the fine, the ICO considered the seriousness of the incident, the sensitivity of the data that was involved, and the impact on the affected person. The reprimand and penalty notice states that the privacy supervisor decided to cut the amount of the fine by 50% to £66,000.