Mallory

UK ICO Fines Police Scotland for Excessive Mobile Phone Extraction and Unlawful Disclosure

Updated March 11, 2026 at 08:08 PM · 2 sources

The UK Information Commissioner’s Office (ICO) fined Police Scotland £66,000 and issued a reprimand after finding “serious” data protection failures tied to the handling of an alleged victim’s mobile phone data. Investigators extracted the entire contents of the phone when only specific communications were needed for a criminal inquiry, resulting in the collection of a substantial volume of highly sensitive “special category” data unrelated to the investigation.

The ICO found that the unredacted full extraction was later mishandled during internal processes: the complete phone dump was included in a professional standards/misconduct disclosure bundle and shared with a third party who should not have received it, exposing sensitive victim information. Reporting emphasized the case as a governance and controls failure around data minimisation, secure handling of digital evidence, and staff training within policing and criminal justice organizations.

Related Stories

UK Data Protection Incidents and Enforcement Actions

A UK local authority disclosed personal data during its complaints-handling process after forwarding complaints to a councillor with **all complainants’ identifying details** included, despite some complainants opting to withhold their names. The information reportedly exposed included sensitive contact details (e.g., home addresses, email addresses, phone numbers) that would not normally be shared with the subject of a complaint, raising a **data protection breach** and governance concerns around how complaint records are processed and redacted. Separately, the UK **Information Commissioner’s Office (ICO)** won a court battle in its long-running attempt to uphold a **£500,000 fine** against **DSG Retail** (owner of *Currys PC World* and *Dixons Travel*) tied to a major 2017 breach in which malware was installed on **5,390 point-of-sale tills** and remained undetected for **nine months**. The incident involved theft of **5.6 million payment card numbers and expiry dates** (without cardholder names) and personal data relating to roughly **14 million individuals**; a central legal dispute is whether the payment card data alone constitutes **personal data** under the applicable pre-GDPR regime. A third item argues for using **tax incentives** (modeled on green-energy policy) to drive “security by design” and improve cybersecurity outcomes, but it is a policy opinion piece rather than reporting on a specific incident or enforcement action.

3 weeks ago
UK Regulators Fine Online Platforms for Failing to Implement Effective Age Assurance

UK regulators issued major penalties against online services for inadequate **age assurance** controls intended to protect children. The Information Commissioner’s Office (**ICO**) fined **Reddit £14.47 million** for unlawfully processing children’s data, alleging that despite a stated under-13 prohibition, Reddit did not introduce an age assurance mechanism until **July 2025** and had not completed a required **data protection impact assessment (DPIA)** before **January 2025**. The ICO said these failures potentially exposed minors to inappropriate content and left under-13 users’ personal data collected and used without a lawful basis; Reddit said it intends to appeal. Separately, communications regulator **Ofcom** fined porn operator **8579 LLC £1.35 million** under the UK **Online Safety Act** for failing to deploy “highly effective” age checks (e.g., photo ID matching or credit card checks) to prevent minors from accessing adult content. Ofcom also imposed an additional **£50,000** penalty for allegedly ignoring information requests and warned of an ongoing **£1,000/day** penalty until compliant age verification is implemented, amid broader concerns from civil liberties groups about the privacy and cybersecurity risks of stringent age-verification regimes.

3 weeks ago
Dutch Police Data Exposure After Mistakenly Sharing Confidential Files With a Civilian

Dutch police arrested a **40-year-old man from Ridderkerk** after he obtained **confidential police documents** due to a police error and then allegedly attempted to leverage possession of the files for something in return. According to police, the man was taken into custody on Thursday evening, his home was searched, and data storage devices were seized to recover the documents and prevent further dissemination; authorities also reported the incident as a **data breach** and said the investigation is ongoing. Reporting indicates the incident began when the man contacted police in connection with a separate matter and was sent a link intended for **uploading** images; instead, an officer mistakenly sent a **download link**, granting access to sensitive materials the recipient was not meant to see. While the man reportedly did not exploit a technical vulnerability or “break in” in a traditional sense, police said he was instructed to stop and delete the material and refused unless he “received something in return,” prompting the arrest and evidence seizure to contain the exposure.

4 weeks ago