
Small Fine, Big Message: Is the ICO fining the public sector again?

By Jess Pembroke, Director of Information Law Services

When the ICO fined Police Scotland £66,000 in December 2025, it was easy to focus on the fact that a public sector body had been penalised. However, the notice also reveals something organisations often overlook: poor data handling has real-world effects, and these decisions affect actual people in deeply personal ways. The victim chose to speak out in the national media:

“It’s been absolutely horrific and very, very traumatic. At the time it happened I had a five-month-old baby. It’s really impacted my motherhood journey. At times I still feel quite numb. I felt relieved to see they had been fined and that it has been dealt with seriously because I’m aware it’s not common practice to be fined by a public body. Although they have apologised it’s not an apology I have ever accepted. I don’t think it’s good enough.”[1]

What happened in this case:

The ICO found serious failings in two separate stages of Police Scotland’s handling of an employee’s personal data:

An excessive mobile phone extraction

Police Scotland obtained the data subject’s phone in order to extract specific text messages. Instead, they downloaded the entire device, over 39,000 pages in total, including deeply sensitive material that was irrelevant to the investigation.

This is the excessive “just in case” data collection that the ICO has criticised in relation to police forces a number of times[2].

A wrongful disclosure to the officer accused of misconduct

The Professional Standards Department handed six discs of unredacted, unencrypted data to the officer accused of misconduct, including material that had nothing to do with the case.

So, is the ICO fining the public sector again?

Not wholesale, but this case could mark a tightening of the public‑sector approach.

The ICO has always said it will fine public bodies in “exceptional cases”. But for years, an “exceptional” case had become almost mythical.

If a public authority repeatedly mishandles highly sensitive data, lacks basic governance, and exposes individuals to real harm, the ICO will still fine it, even under the revised public-sector approach.

Why this matters for the wider public sector

Because the issues the ICO identified (unclear processes, excessive data gathering, lack of minimisation, no consistent redaction, staff uncertainty about disclosure rules, delayed breach reporting) are not policing‑specific. They are exactly the same governance gaps that crop up across local authorities, health, education, housing, social care, regulators, and arms‑length bodies.

If your organisation works with sensitive or high‑risk data, this is the moment to ask:

Our Information Security & Data Breach Management course covers:

Find out more or book a place (next running 7 May, 9:30am-1pm):
https://naomikorn.com/courses/information-security-data-breach-management/

Public authorities shouldn’t panic, but they should absolutely pay attention.

The ICO is still taking a supportive approach. But when governance weaknesses repeatedly put people at risk, fines are now firmly back on the table.
[1] My phone contents were shared with the police colleague I accused of rape – BBC News

[2] Investigation report: Mobile phone data extraction by police forces in England and Wales | ICO
