Police Scotland Fined for Mishandling Alleged Victim’s Mobile Phone Data 

The Information Commissioner’s Office (ICO) has fined the Police Scotland £66,000 and issued a Reprimand for serious failures in the handling of sensitive personal data. 

Detective Constable Lianne Gilbert, who has now waived her right to anonymity, made domestic abuse allegations, including serious sexual assault, against another officer in 2020. However when a misconduct inquiry took place two years later, it emerged data extracted from Ms Gilbert’s phone was given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative. There were 40,000 pages of extracted data including 80,000 images, medical records and contact details of Ms Gilbert’s friends and family. Some of the images were of an intimate nature.  

Ms Gilbert has given her account to BBC Scotland News. She said: 

“It’s been absolutely horrific and very, very traumatic.” 

“At the time it happened I had a five-month-old baby. It’s really impacted my motherhood journey. At times I still feel quite numb.” 

It is important to note that the officer in question has not been charged with any offences against Ms Gilbert and the case remains live. 

UK GDPR Breaches 

The ICO investigation concluded that:  

a) Police Scotland failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data by the PSD for the purposes of compiling misconduct packs for disclosure as part of its investigations (Article 32(1) UK GDPR); 

b) These deficiencies put the personal data processed by the PSD at risk of unauthorised disclosure, in breach of the requirement to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f) UK GDPR); 

c) Police Scotland failed, at the time of the determination of the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the UK GDPR and protect the rights of data subjects (Article 25(1)-(2) UK GDPR); 

d) Police Scotland failed to ensure that the personal data processed by the PSD when compiling misconduct packs for disclosure was adequate, relevant and limited to what was necessary in relation to the purposes for which it was processing that data (Article 5(1)(c) UK GDPR); and 

e) Police Scotland failed to inform the Commissioner of the personal data breach within 72 hours of becoming aware of the same (Article 33(1) UK GDPR) 

In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. It initially concluded that a £132,000 fine would be effective, proportionate and dissuasive. However applying its controversial public sector approach to enforcement, it decided to reduce the amount by a factor of 50%. 

The Monetary Notice states that Police Scotland paid a sum of money (amount redacted) as compensation to Ms Gilbert. This may have been in anticipation of a civil claim by Ms Gilbert. Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. There may be more claims to come; no doubt amongst the data extracted (and shared) from Ms Gilbert’s phone there will have been personal data related to third parties. 

Part 3 DPA Reprimand 

The related reprimand was issued under Part 3 of the Data Protection Act 2018 (law enforcement processing). Police Scotland is a competent authority under Part 3 and was, according to the ICO, processing Ms Gilbert’s data for law enforcement purpose when it extracted the data. The ICO found that Police Scotland had infringed sections 35 and 37 of the DPA by failing to ensure that: 

a) The bulk download of personal data on the mobile phone of the Data Subject was lawful and fair (section 35 DPA); and 

b) The personal data processed from the mobile phone download was adequate, relevant and not excessive in relation to the purposes for which it was processed (section 37 DPA). 

The ICO initially considered that a fine would be appropriate for these DPA breaches, and considered notifying Police Scotland of its intention to impose a fine of £78,750. However, once again, due to the revised approach to public sector enforcement it decided a reprimand was more appropriate. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update workshop and our Law Enforcement Data Processing workshop.

Guardians of Data Podcast: Episode 3

Act Now is pleased to bring you episode 3 of the Guardians of Data podcast. This is a show where we explore the world of information law and information governance – from privacy and AI to cybersecurity and freedom of information.  

In the past few weeks, we have had a stark reminder of why transparency in public life is a democratic necessity. The US Government’s release of millions of documents linked to the Jeffrey Epstein investigation has triggered, amongst other things, the arrest of the King’s brother, the sacking and subsequent arrest of a former Government minister, political jeopardy for the Prime Minister and questions about the future of the British monarchy.  

In Episode 3, our guest is Maurice Frankel OBE, Director of the Campaign for Freedom of Information. We discuss the remarkable story behind the UK’s Freedom of Information Act. From his early work with the campaigner Des Wilson in the 1980s, to the later attacks launched to weaken FOI’s impact, Maurice shares insights on:

• Life before the Act and how public authorities’ culture has evolved

• The key battles to see the law passed and fully implemented

• Lessons from major disclosures, inquiries and data releases

• FOI shortcomings, from excessive public interest extensions to the need for proactive publication

• Emerging threats to transparency

Hear what still inspires one of the UK’s foremost transparency advocates and why FOI remains a vital tool for public accountability.

Listen via this link, or on your preferred podcast app. Available on Apple Podcasts, Spotify, and all major podcast platforms. 

Previous episodes of the Guardians of Data podcast have featured Jon Baines, talking about his career as a Data Protection specialist and the hot issues in information governance, and Lynn Wyeth discussing the recent controversy around Grok AI.  

Iain Harrison

Act Now Training is deeply saddened to report the passing of our colleague and dear friend, Iain Harrison

Over a career spanning more than 20 years, Iain provided training and consultancy on information law related issues to a wide range of public, private, and voluntary sector organisations. Iain’s final job was Senior Information Assurance Officer at Leicester University. He also worked for Wolverhampton City Council, Wright Hassle LLP, Leicester City Council and Birmingham City Council.  

Alongside his day job, Iain was a Senior Associate at Act Now Training where he used his vast experience to deliver training on data protection and freedom information.  His courses were defined by his depth of knowledge, sound judgement, and an unwavering commitment to supporting others. Colleagues and clients alike valued Iain for his clarity, calm guidance and understated humour. Delegates always commented about his rare ability to make complex legal frameworks accessible and manageable. He always approached his work with patience, integrity and a genuine desire to help.  

Iain’s contribution to the field of information law, and to the many people and organisations he supported throughout his career, leaves a lasting legacy. He will be greatly missed by colleagues, clients and friends. 

Ibrahim Hasan, Director of Act Now Training, said: 

“I knew Iain for over 20 years, since his days at  Coventry City Council. Behind the quiet, unassuming person was a true expert, always willing to listen and help. Every interaction I had with him was filled with kindness and good humour. My thoughts and prayers are with his loved ones.” 

Is Data Still ‘Personal’ if the Recipient Cannot Identify the Data Subject? 

Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law; namely the UK GDPR and Data Protection Act 2018. 

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine month period, attackers deployed malware to scrape transaction level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected; though the majority consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders. 

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. 
This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First Tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.  

The Upper Tribunal (UT) in setting aside the FTT’s decision held that the data security principle under the DPA 1998 applies to only to ‘personal data’ i.e. information about living, identifiable, individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.  

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller,  regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person. 

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading; there would be no obligation for the Data Controller to protect data when a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could
re-identify individuals via ‘jigsaw’ techniques. 

The case will now return to the FTT to apply the Court of Appeal’s interpretation of the law to the facts of the DSG cyberattack. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.  

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update workshop.

Children’s Privacy Failures Result in a £14.47m for Reddit

Safeguarding children’s privacy is a key enforcement priority for the Information Commissioner’s Office (ICO). It is also one of their duties under the Online Safety Act, alongside OFCOM.  

In March 2025, the ICO announced three investigations looking into how TikTok, Reddit and Imgur (an image sharing and hosting platform) protect the privacy of their child users in the UK. The investigations into Imgur and Reddit specifically focussed on how the platforms use UK children’s personal data and their use of age assurance measures. 

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society services”  (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able to provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states: 

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” 

Earlier this month MediaLab.AI, Inc. (MediaLab), owner of Imgur, was fined £247,590 for processing children’s personal data in ways that breached the UK GDPR. Imgur’s terms of use stated that children under 13 could only use the platform with parental supervision. However, the ICO investigation found that, MediaLab did not implement any form of age assurance measures to determine the age of Imgur users and did not have measures in place to obtain parental consent where children under 13 used the platform. 

Yesterday the ICO announced that Reddit has now been fined £14.47m under the UK GDPR. The circumstance of the fine are very similar to MediaLabs. In summary: 

  • Reddit’s terms of service prohibited children under 13 years of age using its platform, but despite that it did not have measures in place to check the age of users accessing its platform until July 2025. 
  • The ICO’s estimates indicated that there were a large number of children under 13 on the platform and Reddit did not have a lawful basis for processing their personal data. 
  • Reddit had not completed a Data Protection Impact Assessment focusing on the risks of using children’s personal data before January 2025, even though children between 13 and 18 were allowed to use the platform. 
  • By using under 13-year-olds’ personal data without a lawful basis and without having properly considered the risks to children more generally, children were at risk of exposure to inappropriate and harmful content on Reddit’s platform. 

We are waiting for the ICO to publish the Monetary Penalty Notices in relation to Redditt and MediaLab. In the case of the latter, the ICO said at the time that it is still considering the redaction of personal and commercially confidential or sensitive information.  

The ICO’s investigation into TikTok is still ongoing. It is considering how the platform uses personal data of 13–17-year-olds in the UK to make recommendations to them and deliver suggested content to their feeds. This is in the light of growing concerns about social media and video sharing platforms using data generated by children’s online activity in their recommender systems, which could lead to them being served inappropriate or harmful content.  

The ICO is also investigating 17 other platforms, including Discord, Pinterest, and X, and has been in discussions with Meta and Snapchat over how they use children’s location data in their user map features. Watch this space! 

The Data (Use and Access) Act 2025, most of which came in to force earlier this month, explicitly requires those who provide an online service that is likely to be used by children, to take their needs into account when deciding how to use their personal data. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.  

This and other developments relating to children’s data will be covered forthcoming workshop, Working with Children’s Data.

AI Transcription Tools in Social Work Under Scrutiny 

Anyone remember Dragon Dictate? The first versions of this voice transcription software required users to spend hours training it (usually wearing a headset) by repeating stock phrases many times over. Even after full training, the transcription output was far from accurate. How technology has moved on, especially in the last few years, with the proliferation of AI. 

AI powered transcription software has been rapidly adopted by public sector organisations especially in local authority social work departments. Tools, like Magic Notes and Microsoft Copilot, are used by social workers to record conversations with children and families (e.g. interviews or assessments), transcribe spoken audio into text and generate summaries automatically. These “ambient scribes” listen in real-time or process recordings, reducing the need for manual notetaking; thus allowing professionals to focus on interactions rather than documentation. However the use of such tools, especially in sensitive contexts like social work, is not without risks as was highlighted by a recent report.  

Ada Lovelace Institute Report 

On 11th February 2026, the Ada Lovelace Institute published a report titled “Scribe and prejudice? Exploring the use of AI transcription tools in social care.” The report explored the dynamics of adoption and the impacts of AI transcription tools in adult and children’s social care across 17 local authorities in England and Scotland. Based on interviews with frontline social workers and managers, it highlighted serious risks that should be addressed by users.  

These include, amongst others: 

AI “Hallucinations”: The AI sometimes generates false information that wasn’t said in the recorded conversation. A prominent example involved an AI-generated summary incorrectly stating that a child had expressed suicidal ideation. This kind of error is especially dangerous in child protection or mental health contexts, where it could trigger unnecessary interventions or lead to flawed decisions about care. 

Gibberish, misrepresentations, and other errors: AI generated transcripts have included nonsense phrases, misspelled names, incorrect speaker attributions (especially in multi-person conversations), fabricated statements, irrelevant or foul language insertions and overly formal or academic wording that doesn’t reflect normal social work language. 

Bias and Harmful Stereotyping: Some outputs have reportedly promoted stereotypes or biased perceptions of individuals that weren’t present in the original recording. 

These issues echo broader AI concerns but of course are more serious in the context of social work records. Inaccuracies entering official care records could lead to incorrect decisions about a child’s safety, family support, or adult care; potentially resulting in harm to vulnerable people, professional consequences for social workers or even legal liability. 

Social workers generally bear full responsibility for reviewing and approving these AI outputs (the “human in the loop” safeguard), but practices vary widely according to the report. Some social workers spend minutes checking AI output whilst others spend hours. The report questions how effective this is in high-pressure frontline environments. There is also concern that over-reliance on summarisation features could erode professional judgment and the nuanced, interpretive nature of social work documentation. 

The report notes that in early 2025, one AI transcription tool was already in active use by 85 local authorities for social care. But the Ada Lovelace Institute criticises the “limited and light-touch” approaches to ethics, evaluation, testing, regulation, and risk mitigation so far. It has called for more robust safeguards, better guidance and thorough evaluation before wider use. 

Recommendations 

To ensure the safe and responsible use of AI transcription tools, the Institute urged the government to require local authorities to document their use of such tools through the ‘Algorithmic Transparency Reporting Standard.’ 

It also recommended that social care regulators and local authorities collaborate with relevant sector bodies to develop guidance on using AI transcription tools in statutory processes and formal proceedings, supported by clear accountability structures. 

The Institute added that: ‘To enable end-to-end accountability, regulators and professional bodies should review and revise rules and guidance on professional ethics for social workers and support social workers to collaborate with legal and advisory bodies around procedures for AI use in formal proceedings. An advisory board comprised of people with lived experience of drawing on care should be established to inform these actions.’ 

Further recommendations include: 

  • The UK government should extend its pilots of AI transcription tools to include various locations and public sector contexts. 
  • The UK government should set up a What Works Centre for AI in Public Services to generate and synthesise learnings from pilots and evaluations. 
  • A coalition of researchers, policymakers, civil society and community groups should collaborate on research on the systemic impacts of AI transcription tools. 
  • Local authorities should specify their outcomes and expected impact when procuring AI transcription tools to ensure a shared understanding among staff and users. 

The UK GDPR Angle 

The use of AI powered transcription software will involve processing highly sensitive personal data, including audio recordings and derived transcripts/summaries of conversations involving vulnerable individuals. This triggers UK GDPR obligations, with heightened risks due to the sensitive nature of the data and potential for harm if errors occur. 

Local authorities and social care providers should integrate UK GDPR compliance into procurement, deployment, and ongoing use of AI transcription software. Key practical steps include: 

  • Conduct a DPIA:  Before rollout or expansion, complete a Data Protection Impact Assessment to assess all the risks (e.g., hallucinations affecting accuracy, bias in diverse accents/dialects, unauthorised access). Update DPIAs for new tools or features. Involve the organisation’s Data Protection Officer from the outset. 
  • Choose compliant tools and vendors: Prioritise tools with strong data protection (e.g. UK-hosted data, no unnecessary retention, robust security). Review vendor DPIAs, processor agreements, and compliance certifications.  
  • Establish clear consent and transparency processes: Inform service users upfront about recording, AI involvement, and data use (via privacy notices or verbal explanation). Document decisions and allow opt-outs where appropriate. 
  • Implement strong human oversight and review: Mandate thorough checks of all AI outputs before approving records. Train staff to detect inaccuracies, bias, or inappropriate content. Flag AI-generated sections (e.g. via watermarks or metadata) for transparency and future audits. 
  • Secure data handling and contracts: Use encrypted recording/uploading, limit data shared with tools and delete audio promptly after transcription. Ensure processor contracts (Article 28) specify UK GDPR compliance, audit rights and breach notification. 
  • Monitor, audit and train: Regularly audit tool use and outputs for compliance. Provide targeted training on UK GDPR risks (e.g. accuracy, breaches, bias). Track incidents (e.g. hallucinations) and report serious ones as breaches if required. 
  • Define boundaries for use: Establish consensus on when AI transcription is appropriate (or unacceptable).  

AI transcription offers clear benefits for reducing paperwork and freeing up social workers’ time for direct care. However, strong governance measures must be taken to avoid dangerous inaccuracies slipping into official records, and the potential for biased or harmful decisions. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information. 

If you need to train your staff on responsible use of AI please get in touch to discuss our customised in house training. The following public courses may also interest you: 

AI and Information Governance:  A one day workshop examining the key data protection and IG issues when deploying AI solutions.  

AI Governance Practitioner Certificate training programme: A four day course providing a practical overview of how AI systems are developed, deployed, and regulated, with particular attention to risk, bias, and accountability. 

Act Now Nominated for IRMS Supplier of the Year Award 

Act Now Training is pleased to announce that it has been nominated for the 2026 Information and Records Management Society (IRMS) awards. 

Each year the IRMS recognises excellence in the field of information management with their prestigious industry awards. These highly sought-after awards are presented at a glittering ceremony at the annual Conference following the Gala Dinner.  

Act Now has been nominated for the Supplier of the Year award which it previously won in 2021, 2022 and 2024. 

Voting is open to IRMS members until Wednesday 18th March 2026. 

If you are an IRMS member, you can login to your account and vote for Act Now here

Thank you for your support!

Listen to the Guardians of Data Podcast for the latest news and views on developments in GDPR, AI, cyber security and FOI

Survey of FOI Officers 

Dr Ben Worthy, an academic at Birkbeck College, is looking for Local Government FOI officers to complete another survey. 

The survey is part of a joint US/UK research project, funded by Democracy Fund, which started last year looking at FOI request burdens.  They want to follow up on the use of AI to help make FOI requests. 

The survey should take around 5-10 minutes to complete.  An anonymised summary of the findings will be sent to anyone who wishes to see it.  

You can read more about the project here. The survey can be accessed here.

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information. 

Guardians of Data Podcast Episode 2: The Grok AI Controversy with Lynn Wyeth 

Act Now is pleased to bring you episode 2 of a new podcast; Guardians of Data. This is a show where we explore the world of information law and information governance – from privacy and AI to cybersecurity and freedom of information. In each episode we will be speaking with experts and practitioners to unpack the big issues shaping the IG profession. 

In the first episode, we were joined by Jon Baines, a Senior Data Protection Specialist at Mishcon de Reya LLP and the long-standing chair of NADPO. In a wide ranging conversation, Jon shared his journey into IG, his advice for both new starters and seasoned professionals and his perspective on the future of the profession. 

In Episode 2 we discuss the recent controversy around Grok AI. 

Grok,  the AI chatbot developed by xAI and integrated into the social media platform X, has caught the attention of governments and regulators across the world after it was used to edit pictures of real women to show them in revealing clothes and suggestive poses. In the UK, Ofcom and the Information Commissioner’s Office have opened formal investigations,  a significant step that signals how seriously AI-related risks are now being taken.  

This controversy raises fundamental questions about how AI systems are designed and overseen and about whether existing laws and board-level oversight are keeping pace. In episode 2, we unpack these issues with the help of Lynn Wyeth, an expert in AI, data protection and responsible technology.  

Listen via this link or on your preferred podcast app. 
Available on Apple Podcasts, Spotify, and all major podcast platforms.

Data Protection Complaints Procedure: New ICO Guidance 

The main changes to the UK  data protection regime made by the Data (Use and Access) Act 2025 (DUA Act) came into force on Thursday 5th February 2026. One key provision though is due to commence on 19th June 2026; the requirement for Data Controllers to have a complaints procedure to handle data protection complaints.  

A new section 164A into the Data Protection Act 2018 requires Data Controllers to: 

  • give Data Subjects a way of making data protection complaints; 
  • acknowledge receipt of complaints within 30 days of receiving them; 
  • without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep Data Subjects informed; and 
  • without undue delay, tell Data Subjects the outcome of their complaints 

Following a consultation, which closed in October last year, the ICO has published its guidance explaining the new requirements and informing Data Controllers of what they must, should and could do to comply.  

Data protection expert, and guest on the first Guardians of Data podcast, Jon Baines writes on his personal blog that in declining to suggest how long controllers should normally take to respond to data subject complaints, the ICO has missed an opportunity to provide regulatory clarity.  

Listen to the Guardians of Data Podcast for the latest news and views on developments in GDPR, AI, cyber security and FOI.

If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop.  

The newly updated UK GDPR Handbook (2nd edition) includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact.