Police Scotland Shared Detective Constable's Phone Images and Records With Alleged Rapist; ICO Fines £66,000

Police Scotland was fined £66,000 after it mistakenly shared the full contents of Detective Constable Lianne Gilbert’s phone with the officer she had accused of rape, his Scottish Police Federation (SPF) representative and his solicitor; the disclosure included intimate images, medical records and contact details and was later described by the force as “human error.”

“- Published A detective has told how she was left traumatised after Police Scotland shared the contents of her phone with a colleague she alleged raped her”

BBC

STV News reported that Police Scotland “has been fined £66,000 by the UK data watchdog after sharing the entire contents of a rape survivor’s phone with her alleged attacker,” and said that “On June 14, 2022, all of DC Gilbert’s mobile data was provided to the accused officer, his police federation representative and his solicitor.”

BBC

Infosecurity Magazine similarly stated that “Police Scotland has been fined £66,000 and reprimanded after a serious data protection failure when it shared the entire contents of a female officer’s phone with a colleague she accused of rape,” and noted that “the phone data – which reportedly included medical records, intimate photos and friends and family contact details – was erroneously passed to the officer under investigation.”

The BBC reported Gilbert “was made aware her data had been breached in June 2022” and that “intimate images, as well as the contact details of her friends and family, were handed over to the person she had accused of a crime.”

The Information Commissioner’s Office (ICO) found multiple failures by Police Scotland, fined the force and criticised its handling of the personal data breach, including a failure to report the breach within the legally required 72-hour timeframe and shortcomings in organisational and technical safeguards.

Infosecurity Magazine quoted the ICO’s conclusion that Police Scotland had failed to “Implement ‘appropriate organisational and technical measures’ to ensure data security” and had not “report[ed] the breach within 72 hours.”

Infosecurity Magazine

The BBC reported the investigation “found Police Scotland did not ensure there were sufficient safeguards in place to prevent access to irrelevant information” and that the force “did not report the personal data breach to the ICO within the legally required 72-hour timeframe.”

STV News made clear the ICO imposed a penalty and that Police Scotland acknowledged the disclosure as “human error.”

The breach had grave personal consequences for DC Gilbert, who described feeling violated, numb and distressed, has been diagnosed with PTSD, and said the force’s apology was inadequate; she was reportedly first notified about the breach by the Scottish Police Federation rather than by Police Scotland itself.

“Police Scotland has been fined £66,000 by the UK data watchdog after sharing the entire contents of a rape survivor’s phone with her alleged attacker”

STV News

The BBC quoted Gilbert: “At times I still feel quite numb. 'I felt relieved to see they had been fined... Although they have apologised its not an apology I have ever accepted. I don't think it's good enough.'”

The BBC also recorded that she “was made aware her data had been breached in June 2022 when she was called by the SPF,” and that she felt “completely violated, because my medical records and things would have been on my phone as well.”

STV News reported that the error “has left me with significant psychological issues,” and Infosecurity noted the victim “subsequently waived her right to anonymity in a BBC report” and that she “complained to the ICO later that year that Police Scotland had refused to provide her with a copy of the information it erroneously disclosed.”

Officials and watchdogs highlighted both organisational failures and remedial steps: the ICO’s head of investigations warned of the “devastating consequences” of poor data protection, Police Scotland said it had learned lessons and taken steps to strengthen processes, and the Scottish government registered public concern.

Infosecurity quoted Sally-Anne Poole: "Head of investigations, Sally-Anne Poole, said the case highlights the 'devastating consequences' of poor data protection on individuals. 'Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help. Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party,' she argued."

BBC

BBC recorded Deputy Chief Constable Alan Speirs saying: "Police Scotland has taken organisational learning from this incident. "Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future."

The BBC also reported First Minister John Swinney apologised to Gilbert, calling her treatment "appalling," and that the ICO “considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person” when setting the fine and reduced it to avoid disproportionate impact on public services, per the BBC.

STV News recorded the force calling the breach “human error.”