Data Breach Trauma for Detective After Phone Contents Shared
A detective has described the trauma she experienced after Police Scotland shared the contents of her phone with a colleague she had accused of rape.
Detective Constable Lianne Gilbert made allegations of domestic abuse, including serious sexual assault, against another officer in 2020.
However, during a misconduct inquiry two years later, it was revealed that data extracted from her phone—including intimate images and medical records—was disclosed to the accused officer, his lawyer, and his Scottish Police Federation (SPF) representative.
Police Scotland has since been fined £66,000 by the UK Information Commissioner's Office (ICO) for failing to protect the personal information of a victim of an alleged crime.
The ICO stated that the police had "collected a substantial volume of highly sensitive information, much of which had no bearing on the investigation."
Police Scotland has acknowledged the incident, apologised to those involved, and stated it has learned from the event.

Detective Gilbert Speaks Out on Impact
Gilbert, who waived her right to anonymity, told BBC Scotland News:
"It's been absolutely horrific and very, very traumatic.
At the time it happened I had a five-month-old baby. It's really impacted my motherhood journey. At times I still feel quite numb.
I felt relieved to see they had been fined and that it has been dealt with seriously because I'm aware it's not common practice to be fined by a public body.
Although they have apologised it's not an apology I have ever accepted. I don't think it's good enough."
Gilbert, 34, was informed of the data breach in June 2022 when contacted by the SPF and offered support, though she said the caller was unaware that Police Scotland had not informed her directly.
She added:
"I felt completely violated, because my medical records and things would have been on my phone as well."
She further revealed that intimate images and contact details of her friends and family were handed over to the person she had accused of a crime.
The detective expressed distress at the possibility of her alleged rapist deriving "sexual gratification" from the images.
"They've given him those discs, not even in a secure environment. He has been allowed to view them on any device he wants," Gilbert said.

Case Status and PTSD Diagnosis
The officer accused has not been charged with offences against Gilbert, and the case remains active.
Gilbert, who has been diagnosed with post-traumatic stress disorder (PTSD), was initially led to believe Police Scotland had notified the ICO about the breach.
However, upon contacting the ICO months later, she was shocked to learn that the force had never officially reported the incident to the watchdog.

Investigation Findings on Data Handling Failures
The ICO's investigation found that Police Scotland failed to implement sufficient safeguards to prevent access to irrelevant information.
The force included the full, unredacted content in a "misconduct disclosure bundle" and shared it with a third party who should not have received it.
Additionally, Police Scotland did not report the personal data breach to the ICO within the legally required 72-hour timeframe.

ICO Statement on Sensitive Information Exposure
Sally-Anne Poole, ICO head of investigations, said:
"Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help.
Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party."
In determining the fine, the ICO considered the seriousness of the incident, the sensitivity of the data involved, and the impact on the affected individual.
The ICO also took into account Police Scotland's status as a public body and reduced the penalty accordingly to avoid a disproportionate impact on public services.

Police Scotland Response and Reforms
Deputy Chief Constable Alan Speirs stated:
"Police Scotland has taken organisational learning from this incident.
Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future."







