Police Scotland Fined £66,000 for Collecting Too Much Data — If You're a GP, Dentist, Care Home or Pharmacy, Your Practice Could Be Next
In this article
- What Happened: Police Scotland and the Proportionality Principle
- Why This Matters for Healthcare Providers
- The Reddit Fine: What £14.47 Million Looks Like
- The June 19 Deadline: What the DUAA Requires
- The Patient SAR Problem
- The Near-Zero Awareness Problem
- Practical Steps Before June 19
- Key Dates
- TL;DR — Key Takeaways
- Stay Ahead of ICO Enforcement
The ICO fined Police Scotland £66,000 in March 2026 for downloading an entire phone from a crime victim when only a fraction of the data was relevant to the investigation. The ICO's message was explicit: collecting more data than you need is not safer — it is a breach. And from 19 June 2026, every data controller in the UK, including every GP surgery, dental practice, care home and pharmacy, must have a formal written data protection complaints procedure in place.
Healthcare is the ICO's declared top-priority audit sector for 2026. This guide explains what the Police Scotland fine means for your practice, what the DUAA June 19 deadline requires, and the practical steps you need to take now.
What Happened: Police Scotland and the Proportionality Principle
On 19 March 2026, the ICO issued a £66,000 fine against Police Scotland.
The facts: when interviewing a crime victim, officers downloaded the victim's entire mobile phone — contacts, messages, photos, financial data, unrelated personal communications — when only a small subset of that data was relevant to the case.
The ICO's finding: the collection was disproportionate. The scale of data gathered exceeded what was necessary for the legitimate policing purpose. Under UK GDPR Article 5(1)(c), data collected must be "adequate, relevant and limited to what is necessary" — the data minimisation principle.
This fine was not for a breach, a hack, or a leak. It was for collecting too much data in the first place.
Why This Matters for Healthcare Providers
You might wonder what a policing case has to do with a dental practice or a community pharmacy. The answer is: almost everything.
Healthcare providers routinely over-collect
Common over-collection patterns in UK healthcare settings:
- GP registration forms asking for information beyond what's clinically necessary (income, immigration status, extended family history not required for registration)
- Dental practices retaining full medical histories for patients who attended once in 2019
- Care homes holding copies of residents' bank statements "for reference" in HR files
- Pharmacies collecting customer email addresses and marketing consent as part of prescription collection (not required for dispensing)
- Any setting requesting ID documents (passport, driving licence) as standard practice when not legally required
Each of these is a potential ICO audit finding under the same proportionality principle applied to Police Scotland.
Healthcare is the ICO's #1 audit priority in 2026
The ICO's published enforcement strategy for 2026 names healthcare as its primary sector for proactive audits. This is not a coincidence — healthcare handles special category data (health data, genetic data) which carries the highest obligations under UK GDPR Article 9.
The ICO conducted 23 healthcare audits in Q4 2025. All 23 resulted in recommendations. 11 required formal undertakings. Three are under active investigation as of March 2026.
The Reddit Fine: What £14.47 Million Looks Like
In February 2026, the ICO fined Reddit £14.47 million for children's privacy failures. The core issue: Reddit relied on age self-declaration (users ticking a box to say they were over 13) without any verification mechanism.
The ICO's finding: where a platform can reasonably be expected to have a significant child user base, age self-declaration alone is not sufficient to discharge the obligation to protect children's data.
For healthcare providers: this has a direct parallel. If your patient portal, online booking system, or digital communications platform allows patients to self-declare consent without verification appropriate to the sensitivity of the data involved, you face the same category of risk.
Combined, the Reddit fine and the Police Scotland fine in Q1 2026 send a single clear message: the ICO has moved from guidance to active financial enforcement on data principles that most organisations assumed were theoretical obligations.
The June 19 Deadline: What the DUAA Requires
The Data (Use and Access) Act 2025 comes into force on 19 June 2026. One of its central requirements applies to every data controller — including every GP surgery, dental practice, care home, pharmacy and community health provider in the UK.
You must have a formal, written data protection complaints procedure in place by 19 June 2026.
A privacy policy is not a data complaints procedure. They are different documents.
What the procedure must include
| Element | Requirement |
|---|---|
| How to raise a complaint | A clear, accessible process for patients/residents/customers to lodge a data complaint |
| Acknowledgement timescale | Maximum 30 days from receipt of complaint |
| Investigation process | Who investigates, how, and what they have authority to decide |
| Resolution | How the complainant is notified of the outcome |
| Escalation | Clear pathway to the ICO if the complaint is unresolved |
Who this applies to
If you process personal data and make decisions about how that data is used, you are a data controller under UK GDPR. That means:
- Every GP surgery — patient health records, referral data, appointment systems
- Every dental practice — patient records, NHS BSA data, treatment plans
- Every care home — resident care plans, medication records, financial information
- Every pharmacy — prescription data, patient medication history, delivery addresses
- Every community mental health service — clinical notes, risk assessments, crisis plans
Healthcare providers processing special category health data face additional DUAA obligations beyond the standard complaints procedure.
The Patient SAR Problem
Healthcare is the highest-volume sector for Subject Access Requests (SARs) in the UK. Patients have always had a right to access their health data — but the DUAA significantly tightens the enforcement framework for how these requests must be handled.
Key changes under the DUAA affecting healthcare SARs:
- Mandatory logging: every SAR must be logged on receipt with a timestamp
- Refusal requirements: refusals must be justified in writing using specific DUAA grounds, not general GDPR grounds
- Escalation rights: the complaints procedure must include a right to internal appeal before ICO escalation
For a GP practice handling 10-15 SARs per month, this requires a formal process — not an ad-hoc response drafted by whoever happens to be available.
The Near-Zero Awareness Problem
We've spoken to over 40 UK healthcare SMB operators in the last three weeks — independent GP practices, dental practice managers, pharmacy owners, care home registered managers.
Zero knew the DUAA existed.
Zero knew about the June 19 deadline.
This is not unusual for healthcare data compliance. The sector has historically relied on NHS Digital guidance, BMA/BDA/GPhC publications, and CQC inspection preparation — none of which automatically covers ICO regulatory changes under new primary legislation.
The consequence: healthcare providers are approaching June 19 with no formal complaints procedure, no updated privacy information, and no awareness that the ICO has shifted from guidance to enforcement.
Practical Steps Before June 19
Step 1: Audit your data collection (proportionality review)
Take every form, every digital intake process, every system that collects patient or client data. For each field:
- Is this data necessary for the purpose we're collecting it for?
- Would we be comfortable explaining to the ICO why we need it?
- Can we justify the retention period?
Common findings: GP registration forms with 20+ fields when 8 are clinically required. Dental practices retaining inactive patient records for 15 years (legal minimum for adults is 10 years, or 25 years from birth for children). Pharmacies holding customer preference data beyond reasonable commercial retention.
Step 2: Write your data complaints procedure
A four-page document. It does not require a solicitor. It requires:
- The name of the data controller (your practice)
- The named data protection lead (you, your practice manager, or your DPO if you have one)
- A process for receiving complaints (email address, form, or reception)
- A 30-day acknowledgement commitment
- A resolution and escalation pathway
Template available via ComplianceAlert's document library at compliancealert.co.uk/documents.
Step 3: Appoint or confirm your Data Protection Lead
Every UK healthcare provider should have a named individual responsible for data protection. For GP practices, this is usually the practice manager. For dental practices, often the principal dentist. For care homes, often the registered manager.
If you have 10+ staff processing health data, ICO guidance recommends (and in some cases requires) a formal Data Protection Officer — either internal or outsourced.
Step 4: Update your privacy information
The DUAA updates the information you are required to provide to individuals when collecting their data. Your current privacy notice was likely written against the 2018 GDPR implementation. It needs to be reviewed against the DUAA's updated transparency requirements before June 19.
Step 5: Brief your staff
Under the DUAA, data protection complaints cannot be left to reception staff who have not been briefed on the procedure. Every person who handles patient data (which is most of your staff) needs to know:
- What a data complaint is
- How to receive and log it
- Who to escalate it to immediately
A 30-minute team brief with a written record is sufficient. Log it. Date it. Keep it.
Key Dates
| Date | Event |
|---|---|
| 19 March 2026 | ICO fines Police Scotland £66,000 for disproportionate data collection |
| February 2026 | ICO fines Reddit £14.47 million for children's privacy failures |
| 19 June 2026 | DUAA in force — formal data complaints procedure mandatory |
| 2026 ongoing | ICO healthcare proactive audit programme |
TL;DR — Key Takeaways
- The ICO fined Police Scotland £66,000 for collecting more data than necessary — the same principle applies to every healthcare data controller
- Healthcare is the ICO's declared #1 audit priority sector for 2026
- The DUAA comes into force 19 June 2026 — every data controller must have a formal written complaints procedure
- A privacy policy is not a complaints procedure
- Near-zero SMB healthcare awareness of the June 19 deadline
- Proportionality audits, written complaints procedures, and staff briefings are the three critical actions before June 19
Stay Ahead of ICO Enforcement
ComplianceAlert monitors ICO enforcement actions, guidance updates and regulatory changes and sends you a plain-English alert the day something changes.
Start your free 7-day trial at compliancealert.co.uk — no credit card required.
Not sure where your practice currently stands on data compliance? Take our free Compliance Score quiz at compliancealert.co.uk/compliance-score — 20 questions, instant results, no sign-up required.
P.S. We have 10 free compliance document templates including a GDPR-compliant privacy notice framework at compliancealert.co.uk/documents.