The government's interception of communications regulator has confirmed that Police Scotland unlawfully accessed phone records to find journalistic sources without judicial approval.
The communications data of four individuals was improperly obtained, but the force has said no journalists' records were targeted.
The practice of police forces using the Regulation of Investigatory Powers Act (RIPA) to find sources without the approval of a judge was outlawed in March this year following Press Gazette’s six-month Save Our Sources campaign.
The Interception of Communications Commissioner's Office (IOCCO) revealed over the summer that two police forces had already breached this law, but did not say which forces they were.
It was reported in August that Police Scotland was one of the two, but neither the force nor IOCCO confirmed this at the time. The identity of the second force has not yet been disclosed.
IOCCO has today released a statement revealing Police Scotland had contravened the Acquisition and Disclosure of Communications Data Code of Practice 2015 in respect of five applications for communications data.
Interception of Communications Commissioner Sir Stanley Burnton said: “It is evident from these applications that Police Scotland sought communications data in order to determine either a journalist’s source or the communications of those suspected to have been acting as intermediaries between a journalist and a suspected source.”
He concluded that judicial approval was not sought and that Police Scotland “failed to satisfy adequately the requirements of necessity and proportionality or to give due consideration to Article 8 or Article 10 of the European Convention on Human Rights (ECHR)”.
Two of the applications, he said, were approved by a designated person (DP) who was not independent of the investigation, in another breach of the code.
Burnton said: “I am satisfied that four individuals were adversely affected by these contraventions and that the failures identified can properly be viewed as reckless. I have written to those individuals and provided them with sufficient information to enable them to engage the Investigatory Powers Tribunal effectively should they wish to do so.
“The primary concern throughout this investigation was to protect the privacy of individuals who may have been adversely affected and to ensure that those individuals are able to seek effective remedy.
“I also recognise the public interest in these matters and the importance of the provisions passed by Parliament in March 2015 to protect the confidentiality of journalistic sources.”
He said Police Scotland has now “put in place significant measures in order to prevent any recurrence of such contraventions”.
Police Scotland has issued a statement clarifying that no journalists' records were targeted.
ACC Ruaraidh Nicolson, who has overseen the response to the IOCCO inspection, said: “Police Scotland can confirm that it did not adhere to the new guidelines covering access to communications data during a recent investigation into alleged serious breaches of information security.
“An inspection by the Interception of Communications Commissioner’s Office (IOCCO) in June 2015 found that five applications for data, which were all directly connected to one investigation into the alleged unauthorised release of sensitive police information in early April 2015, were not in accordance with the terms of the new Code of Practice covering the acquisition of communications data which came into effect on 25 March 2015.
"We also acknowledge the deficiencies in the applications themselves, which have been highlighted by IOCCO.
“For the purposes of clarification, none of the applications concerned a journalist.
“IOCCO has noted that there was no evidence of an intentional act by Police Scotland to avoid the requirements of the Code. A detailed action plan was put in place as soon as the issue was highlighted by IOCCO and no further recommendations have been made to Police Scotland.
"IOCCO has also commented on the robust and rigorous steps Police Scotland has taken to ensure processes for all applications for communications data are fully compliant with the Code of Practice and all legislative requirements.
“Police Scotland is aware that IOCCO intends to notify those individuals considered to have been affected. In consequence of that ongoing process, it would be inappropriate to comment further.”
In August, BBC reporter Eamon O'Connor said a "very dependable source" had told him his records had been obtained by Police Scotland while he was investigating a "screwed up" murder inquiry.
Michael Matheson, the Scottish government's justice secretary, said: “We note IOCCO’s clarification that no journalists were targeted by Police Scotland as part of their investigations.
“Any breach of the Code of Practice in this area is unacceptable and I expect Police Scotland to comply fully with any recommendations made by IOCCO. A free press is the cornerstone of a healthy democracy and we are committed to protecting the privacy of all law-abiding members of the public, including journalists.
“It is important to recognise that, since these breaches were discovered in July 2015, Police Scotland has been working on a robust action plan to ensure there have been no repeat of these incidents, and that it cannot happen again. However, it is clear Police Scotland’s actions in accessing communications data have fallen short of the standards expected and I welcome today’s announcement by the Scottish Police Authority that they have asked HMICS to review the robustness of procedures around Police Scotland’s counter corruption practices.”