A data breach which saw the entire contents of a rape survivor’s phone shared with her alleged attacker was just one of more than 4,700 incidents that Police Scotland decided were not serious enough to report to the information watchdog.
Last month, the Information Commissioner’s Office fined the force £66,000 after it wrongfully handed six unencrypted discs of detective constable Lianne Gilbert’s mobile phone data to her alleged rapist, his police federation representative and his solicitor in 2022.
In a letter, a police data officer said that the breach “did not meet the statutory notifiable requirements” for Police Scotland to report itself to the Information Commissioner (ICO).
4,733 incidents determined not to reach the threshold for reporting to the information watchdog since 2019
FOI disclosure from Police Scotland
However, to “demonstrate accountability and transparency”, the officer said the breach would be reported.
A Freedom of Information request by STV News has revealed that 4,733 other incidents were also determined not to reach the threshold for reporting to the information watchdog over the last six years.
In 2020/21 alone, there were 1,587 breaches that were not reported to the ICO.
Since 2019, 16 incidents have been reported to the watchdog – eight of those were in the last year.
“I still to this day don’t know which intimate images of me have been shared”
Detective constable Lianne Gilbert
DC Gilbert said the breach that affected her has been traumatic and has left her with “significant psychological issues”.
“I still to this day don’t know which intimate images of me have been shared,” she told STV News.
“When I first got that initial letter from Police Scotland, I remember reading it and I was just so upset and I thought surely this is a crime, I couldn’t understand.”
She believes more people need to be aware that they can report incidents directly to the watchdog to ensure incidents are “investigated properly”.
She said: “The number of breaches deemed not reportable to the ICO by Police Scotland is concerning because I was told the breach that affected me did not meet the threshold.
“I think more people should be aware that members of the public can report data breaches directly to the ICO to make sure they are investigated properly.
“People might trust the police to know what they are doing when it comes to their data, but it is easy to report it themselves.”
The Scottish Police Authority, which oversees policing in Scotland, receives a six-monthly report regarding data breaches and security incidents.
“This incident is a stark example of the devastating consequences of poor data protection practices”
Sally-Anne Poole, ICO head of investigations
But the brief does not include specifics on the incidents reported to the ICO.
The information watchdog says it is down to organisations, in this case Police Scotland, to identify whether a breach meets the reporting threshold.
Police Scotland told STV News there are “robust processes in place” to identify, record, investigate and respond to information security incidents, including data breaches.
All incidents are recorded and assessed by the information security team.
A decision on whether a breach meets the threshold to report to the ICO is made by the Information Security Manager and the Data Protection Officer based on the “risk posed to individuals’ rights and freedoms”.
In DC Gilbert’s case, in which her phone contents were shared with the police colleague she accused of rape, an officer called the ICO helpline to discuss the incident. The force did not use the official reporting tool.
An official complaint was lodged by DC Gilbert on September 2, 2022, three months after the breach.
On Wednesday, March 11, 2026 – three and a half years after it was reported – the watchdog said it had issued a £66,000 fine and a reprimand to Police Scotland for serious failures in the handling of sensitive personal information.
Following the incident involving DC Gilbert, Police Scotland engaged in a voluntary audit by the ICO, which has been completed.
A Police Scotland spokesperson said: “All incidents are assessed by specialist staff, with decisions on whether a breach is reported to the Information Commissioner’s Office based on the level of risk posed to individuals’ rights and freedoms, rather than the volume of incidents, in accordance with UK GDPR requirements.
“Where a breach meets the reporting threshold, the Information Commissioner’s Office is notified as soon as is practicable. Where it does not, incidents are still recorded, assessed and managed appropriately, with measures taken to reduce the risk of recurrence.”
According to figures seen by STV News, the watchdog has received 392 complaints regarding Police Scotland’s handling of data since the beginning of 2022.
The complaints relate to a number of things, including failing to give people access to their personal information that is being used for law enforcement purposes, failure to implement technical and organisational measures to ensure a level of security appropriate to risk, keeping data for longer than necessary, not complying with subject access requests and lawfulness of processing data.
So far this year, the ICO has received 27 complaints.
Police Scotland has committed 133 infringements or potential infringements over the last four years, according to the information watchdog.
Case officers have yet to look at 114 complaints regarding Police Scotland made between 2025 and 2026.
DC Gilbert believes a full “independent overhaul” should be carried out into Police Scotland’s handling of data.
She said: “I think there needs to be an independent overhaul of the process.
“Cases like mine could be missed because they aren’t thought to meet the reportable threshold. If someone came in independently to assess the breaches, it would give people more confidence and build trust.”
In a letter last month, chief superintendent Helen Harrison said that processes surrounding personal data had been strengthened, training and support for staff had improved, and oversight had increased to ensure similar incidents don’t happen.
She added: “Police Scotland is committed to learning from this incident and ensuring people’s information is treated with care.”
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country
