Home Decisions

Decision 172/2024

Decision 172/2024: Correspondence regarding cemetery headstone testing

Authority: Scottish Borders Council
Case Ref: 202400031

Summary

The Applicant asked the Authority for correspondence relating to headstone safety testing works in Berwickshire cemeteries over a specified period.  The Authority disclosed the correspondence, but redacted some information it considered to be personal data or would otherwise substantially prejudice the interests of the persons who had provided it with the information.   The Commissioner investigated and found that the Authority had incorrectly withheld information under regulation 10(5)(f) of the EIRs, but that 
most of the personal data was correctly withheld.  He required the Authority to disclose a small amount of information wrongly withheld as personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 39(2) (Health, safety and the environment); 47(1) and (2) (Application for decision by Commissioner)

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of “the Act” “applicant”, “the Commissioner”, “data protection principles”, “data subject”, paragraphs (a), (c) and (f) of definition of “environmental information”, “personal data” and “the UK GDPR”) and (3A)(a) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 10(1), (2), (3) and (5)(f) (Exceptions from duty to make environmental information available); 11(2)(a), (3A)(a) and (7) (Personal data); 17(1), (2)(a), (b) and (f) (Enforcement and appeal provisions)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 9(1) and (2)(e) (Processing of special categories of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 16 July 2023, the Applicant made a request for information to the Authority.  Among other things, they asked for:

“all correspondence received by the [Authority] from January 1st 2022 to May 1st 2023 regarding works done in cemeteries.”

2. The Applicant subsequently clarified their request as seeking all correspondence from private individuals or their legal representatives regarding headstone testing in graveyards in Berwickshire from January 2022 to March 2023.  

3. The Authority responded on 25 August 2023.  The Authority disclosed 37 redacted pages of correspondence, withholding some information under regulation 11(2) of the EIRs as it considered the information to be third party personal data.

4. On 5 September 2023, the Applicant wrote to the Authority requesting a review of its decision on the basis that they were dissatisfied the Authority had withheld specific text on pages 10, 21/22 and 24 of the correspondence it had disclosed to him.

5. The Authority notified the Applicant of the outcome of its review on 3 October 2023.  The Authority upheld the application of regulation 11(2) of the EIRs to the passages identified by the Applicant, but disclosed a small amount of information considered outwith the scope of the request (subject to the redactions under regulation 11(2) of the EIRs).  The Authority also applied the exception at regulation 10(5)(f) of the EIRs to text it had withheld on pages 21/22 and 24, as it considered disclosure would cause substantial prejudice to the interests of the person who had voluntarily provided this information.

6. On 10 January 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.  The Applicant stated they were dissatisfied with the outcome of the Authority’s review because they believed the redacted information they had specified should be disclosed.

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

8. On 21 February 2024 the Authority was notified in writing that the Applicant had made a valid application and the case was subsequently allocated to an investigating officer.  

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Application of the EIRs

11. The Authority considered the Applicant's request under the EIRs, having concluded that the information requested was environmental information as defined in regulation 2(1) of the EIRs.

12. Where information falls within the scope of this definition, a person has a right to access it (and the public authority has a corresponding obligation to respond) under the EIRs, subject to the various restrictions and exceptions contained in the EIRs.

13. The Applicant has not disputed the Authority’s decision to handle their request under the EIRs and the Commissioner is satisfied, in the circumstances, that the information requested by the Applicant falls within the definition of environmental information set out in regulation 2(1), in particular paragraphs (a), (c) and (f) of that definition.

Section 39(2) of FOISA – Environmental information

14. The exemption in section 39(2) of FOISA provides, in effect, that environmental information (as defined by regulation 2(1) of the EIRs) is exempt from disclosure under FOISA, thereby allowing any such information to be considered solely in terms of the EIRs.  In this case, the Commissioner accepts that the Authority was entitled to apply this exemption to the information withheld under FOISA, given his conclusion that it is properly classified as environmental information.

15. As there is a statutory right of access to environmental information available to the Applicant in this case, the Commissioner accepts, in all the circumstances, that the public interest in maintaining this exemption (and responding to the request under the EIRs) outweighs any public interest in disclosing the information under FOISA.  Both regimes are intended to promote public access to information and there would appear to be no reason why (in this particular case) disclosure of the information should be more likely under FOISA than under the EIRs.

16. The Commissioner therefore concludes that the Authority was correct to apply section 39(2) of FOISA and to consider the Applicant's information request under the EIRs.

Regulation 5(1) of the EIRs – Duty to make environmental information available

17. Regulation 5(1) of the EIRs requires a Scottish public authority which holds environmental information to make it available when requested to do so by any applicant.  This is subject to the various qualifications contained in regulations 6 to 12 of the EIRs.

18. In this case, the Authority submitted that it wished to rely on the exception in regulation 11(2) of the EIRs to withhold all of the text specified by the Applicant on pages 10, 21/22 and 24.  For the text withheld on pages 21/22 and 24, the Authority also relied on the exception in regulation 10(5)(f) of the EIRs.

19. The Authority’s review response suggested that a small amount of information was outwith the scope of the request.  However, the Authority ultimately disclosed this information (subject to personal data redactions under the exception in regulation 11(2) of the EIRs) to the Applicant as part of its review response.  Having reviewed the information, the Commissioner is satisfied that does fall within the scope of the request.  He will therefore consider the redactions made to that information under the 
exception in regulation 11(2) as part of his decision.  

Regulation 10(5)(f) – Third party interests

20. Regulation 10(5)(f) of the EIRs provides that a Scottish public authority may refuse to make environmental information available to the extent that its disclosure would, or would be likely to, prejudice substantially the interests of the person who provided that information, where that person:

(i) was not under, and could not have been put under, any legal obligation to supply the information;

(ii) did not supply it in circumstances such that it could, apart from the EIRs, be made available; and

(iii) has not consented to its disclosure.

21. This exception can only be applied if all three of the above tests are satisfied.

22. Regulation 10(2) of the EIRs provides that this exception must be interpreted in a restrictive way and that the public authority shall apply a presumption in favour of disclosure.  The exception is also subject to the public interest test in regulation 10(1)(b).
Does regulation 10(5)(f) apply in this case?

23. A number of factors should be addressed in considering whether this exception applies. These include:

  • Was the information provided by a third party?
  • Was the provider, or could the provider be, required by law to provide it?
  • Is the information otherwise publicly available?
  • Has the provider consented to disclosure?
  • Would disclosure of the information cause, or be likely to cause, substantial harm to the interests of the provider?

24. The Authority submitted that the information withheld in terms of regulation 10(5)(f) of the EIRs related to a complaint, provided voluntarily, regarding family graves at a named cemetery which, to its knowledge, had not been made public.

25. While not addressed in its submissions to the Commissioner, the Authority’s review response stated that the third parties were not legally obliged, and could not be legally obliged, to supply the information that it had withheld under the exception in regulation 10(5)(f) of the EIRs.

26. The Authority also explained that, due to the personal and emotive content of the correspondence, it had considered that it would have been inappropriate to have sought the consent of the relevant third parties.  However, the Authority argued that, in each case, the third parties would have no expectation that this information would be disclosed publicly.  

Was the information provided by a third party?

27. Having considered the submissions from the Authority and the content of the withheld information, the Commissioner accepts that the information was provided in each case by a third party.

Was the provider, or could the provider be, required by law to provide it?

28. Having considered the submissions from the Authority and the content of the withheld information, the Commissioner is not satisfied that it is information that the providers were required, or could have been required, to provide by law.

Is the information otherwise publicly available?

29. Having considered the submissions from the Authority and the content of the withheld information, the Commissioner is satisfied that the withheld information is not (and has not been) otherwise available to the public.

Has the provider consented to disclosure?

30. The issue regarding consent is covered by the Aarhus Convention Implementation Guide (at page 89) states:

“Not only must the information in question qualify as voluntarily supplied information, the person that provided it must have denied consent to have it released to the 
public."

31. The Commissioner has also found in previous decisions that specific refusal of consent is fundamental to the application of regulation 10(5)(f) of the EIRs.  This is also covered in his guidance on the application of regulation 10(5)(f).

32. Generally, in the Commissioner's view, consent (and its refusal) will involve an active expression of the wishes of the individual concerned and will be specific to the circumstances for which it was sought.  Generally, therefore, the issue must be approached on a case-by-case basis and clearly apply to the information in question.

33. The Commissioner acknowledges the reasoning provided by the Authority for why it did not, in the circumstances, consider that seeking consent of the relevant third parties was appropriate.

34. However, as rehearsed earlier (at paragraph 21), the exception in regulation 10(5)(f) of the EIRs can only be applied if all three of the tests are satisfied.  In this case, in the absence of a specific refusal of consent from the relevant third parties, the Commissioner therefore does not accept that the Authority was entitled to apply the exception in regulation 10(5)(f) to the withheld information.

35. As the Authority also relied on the exception in regulation 11(2) of the EIRs to withhold the information requested, the Commissioner will go on to consider this below.

Regulation 11(2) – Personal data

36. As rehearsed earlier, the Authority relied on the exception in regulation 11(2) of the EIRs (as read with regulation 11(3A)(a)) to withhold information at pages 10, 21-22 and 24 of the correspondence it disclosed to the Applicant.

37. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11.  Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply.  These include where disclosure would contravene any of the data protection principles in the UK GDPR or the DPA 2018 (regulation 11(3A)(a).

38. The Authority submitted that the redacted information constituted personal data, disclosure of which, in response to this request, would breach the first data protection principle in Article 5(1) of the UK GDPR ("lawfulness, fairness and transparency").

Is the information personal data?

39. The first question the Commissioner must address is whether the information is personal data in terms of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual.

40. Section 3(3) of the DPA 2018 defines "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

41. Information will "relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.  An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.

42. Most of the withheld information is clearly personal data as it relates to identified (or identifiable) individuals (e.g. it comprises names and email addresses of living individuals).  The Commissioner is therefore satisfied that information is personal data in terms of section 3(2) of the DPA 2018.

43. However, for a small amount of the withheld information, the Commissioner needs to carefully consider whether the personal data relate to identified (or identifiable) individuals.

44. In the case of Breyer v Bundesrepublik Deutschland (C-582/14), the Court of Justice of the European Union took the view that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain – if the risk of identification is "insignificant", the information will not be personal data.

45. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.  

46. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments.  It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

The Authority’s submissions

47. The Authority explained that the information it had redacted under regulation 11(2) of the EIRs comprised the names, addresses and contact details of individuals, including those acting in a professional capacity.

48. The Authority submitted that some of the information was extremely personal, sensitive and emotive, while other information comprised special category data as defined in Article 9 of the UK GDPR.

49. The Authority considered that individuals were clearly identified or made identifiable by the information withheld on pages 10 and 24 (and that the information was therefore personal data) but recognised that some of the information withheld on pages 21-22 under regulation 11(2) of the EIRs may not comprise personal data.  

The Commissioner’s view

50. As a starting point, when considering identifiability, the Commissioner notes that disclosure under the EIRs is disclosure to the public at large.

51. In reaching his view on identifiability, the Commissioner has also given regard to the guidance published by the UK Information Commissioner’s Office on indirect identifiability.  Specifically, at paragraph 30:

“You should consider what means are reasonably likely to be used to identify the individual … You should assume that you are not looking just at the means reasonably likely to be used by an ordinary person, but also by a determined person with a particular reason to want to identify individuals”.

52. Having reviewed the withheld information, and in the absence of persuasive arguments from the Authority, the Commissioner does not accept that some of the information withheld under regulation 11(2) of the EIRs is personal data.

53. This is because, given the other information withheld under regulation 11(2) of the EIRs (which includes direct identifiers), the Commissioner does not consider that a realistic causal chain of identification existed in relation to some of the withheld information.  In other words, the risk of identification of identified (or identifiable) individuals from disclosure of that information was insignificant.

54. However, the Commissioner acknowledges that this information would be personal data if the Authority was not entitled to withhold under regulation 11(2) of the EIRs the other information (including direct identifiers) that he has accepted is personal data in terms of section 3(2) of the DPA 2018.

55. In considering whether the Authority complied with regulation 11(2) of the EIRs, the Commissioner will therefore consider below whether the Authority was correct to withhold under that exception the information he has accepted is personal data in terms of section 3(2) of the DPA 2018.

Special category data – lawfulness

56. The Commissioner has accepted that a small amount of the withheld personal data would be special category data for the purposes of Article 9(1) of the UK GDPR.  Special category personal data is afforded more protection by the UK GDPR.  To be lawful, their processing must meet one of the conditions in Article 9(2) of the UK GDPR.

57. The Commissioner's guidance on regulation 11(2) of the EIRs notes that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances.  The Commissioner considers that the only situation where it is likely to be lawful to disclose special category personal data in response to an information request under the EIRs is where the condition in Article 9(2)(e) applies.

Article 9(2)(e): Manifestly made public

58. Article 9(2)(e) allows special category personal data to be processed where the personal data have manifestly been made public by the data subjects.

59. “Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to an EIRs request.

60. Neither the Authority nor the Applicant has suggested that the personal data have manifestly been made public by the data subjects.

61. The Commissioner is satisfied that the information would not have been made public as a result of steps deliberately taken by the data subjects, and so condition 2(e) could not be met in this case.  It is not information of a kind it would be reasonable to expect would be made public in such a manner.

62. In the circumstances, the Commissioner must conclude that, in the absence of a condition in the UK GDPR allowing the special category personal data to be processed, that disclosure would be unlawful.  

63. Given that the Commissioner has concluded that the processing of the special category personal data would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be fair or transparent in relation to the data subjects.

64. Consequently, the Commissioner is satisfied that disclosure of this personal data is not permitted by regulation 11(2) of the EIRs.

Personal data (that is not Special category personal data) – Would disclosure contravene one of the data protection principles?

65. The Authority submitted that disclosure of the personal data withheld under regulation 11(2) would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.  As noted above the definition of “processing” is wide and includes 
“disclosure by transmission, dissemination or otherwise making available” (section 3(4)(d) of the DPA 2018).

66. In the case of the EIRs, personal data are processed when disclosed in response to a request.  Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

67. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. Generally, when considering whether personal data can lawfully be disclosed under the EIRs, only condition (f) (legitimate interests) is likely to be relevant.

Condition (f): legitimate interests

68. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …”

69. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.

70. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

71. The Applicant explained that they had complained, to no effect, to the Authority about the testing and laying flat of headstones in a named cemetery.  However, the Applicant noted that a complaint by an individual or their legal representative in this case (in relation to a different cemetery) had led to the Authority halting the works across the region and to the re-erection of headstones in that cemetery.

72. The Applicant stated that they, and the wider public, had a legitimate interest in disclosure of the withheld information to understand why the Authority had esponded in the way that it had.  

73. Given the seriousness of their previous complaints, the Applicant considered that there was a clear legitimate interest in knowing who had made the complaint resulting in the pausing of the works across the region.

74. The Authority acknowledged that the Applicant had a legitimate interest in the requested information.

75. In the circumstances, the Commissioner is satisfied that the Applicant has a legitimate interest in the information requested.

Is disclosure of the personal data necessary?

76. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of that personal data is necessary to meet that legitimate interest.

77. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

78. The Authority submitted that disclosure of the information withheld was not necessary to satisfy the Applicant’s legitimate interest, though it did not explain why and instead referred to a copy of its internal deliberations prior to issuing its review response to the Applicant.

79. In the circumstances, the Commissioner accepts that disclosure of the withheld information would be necessary to satisfy the legitimate interests identified.  He can identify no other way of meeting the Applicant’s legitimate interests.

Interests of the data subject

80. The Commissioner has acknowledged that disclosure of the information in question would be necessary to achieve the Applicant’s legitimate interests.  This must be balanced against the interests or fundamental rights and freedoms of the third parties.  Only if the legitimate interests of the Applicant outweigh those of the data subjects could personal data be disclosed without breaching the first data protection principle.

81. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55.

82. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject.  Factors which will be relevant in determining reasonable expectations include:

(i) whether the information relates to an individual's public life (their work as a public official or employee, wherein their seniority and whether their role is public-facing is a factor) or to their private life (their home, family, social life or finances)

(ii) whether the individual objected to the disclosure

(iii) the potential harm or distress that may be caused by disclosure.

83. The Authority submitted that, as it had found disclosure was not necessary, it was not required to go on to carry out the balancing test above.

84. However, in its review response the Authority noted that the individuals identified within the withheld information would not, in the circumstances, expect public disclosure of their identity.  

85. The Authority further submitted that these individuals would expect this information (including that of a personal and emotive nature) to remain confidential absent their consent to the contrary, but that it had not asked for their consent as it considered to do so would be inappropriate given the sensitivity of the circumstances.

The Authority also considered disclosure would represent a breach of the individuals’ privacy which would have a detrimental effect on those individuals, particularly where the information comprised special category data.

86. As rehearsed earlier, the Applicant believed disclosure of the withheld information, including the identity of the individuals, was the only way in which they could understand why the Authority had halted works (and reinstated headstones at a specified cemetery).  The Applicant stated that this was both a matter of interest to them and to the wider community.

87. The Commissioner has considered the likely expectations of the data subjects, along with the potential for harm or distress being caused by disclosure of the information.

88. Having considered the withheld information, the Commissioner notes that:

  • some of the correspondence was made in a private capacity, relates to individuals’ private lives and relationships and is personal and sensitive
  • some of the correspondence was made in a professional capacity by an individual in a non-senior role which would not engender an expectation of disclosure of their personal data in response to a request under the EIRs or FOISA.

89. In the circumstances, the Commissioner therefore takes the view that the legitimate interests served by disclosure of the information to the Applicant (and the wider public) would not outweigh any prejudice that would be caused to the data subjects’ rights and freedoms or legitimate interests.

90. Consequently, the Commissioner finds that such prejudice would be unwarranted.  He is not, therefore, satisfied that a lawful condition of processing in Article 6 of the UK GDPR could be met in relation to the personal data under consideration.

91. Given that the Commissioner has found that no condition of processing in Article 6 of the UK GDPR could be met by disclosure of the personal data, he has found that the processing would be unlawful.

92. In all the circumstances of the case, in the absence of a condition in Article 6(1) of the UK GDPR being met, the Commissioner must conclude that making the personal data available would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is satisfied that making the personal data available is not permitted by regulation 11(2) of the EIRs.

93. Following this, the Commissioner finds that the Authority was not entitled to withhold under regulation 11(2) of the EIRs the information he earlier found (at paragraph 52) was not personal data in terms of section 3(2) of the DPA 2018.

94. The Commissioner requires the Authority to disclose the information the Authority was not entitled to withhold under regulation 11(2) of the EIRs.  He will provide the Authority with a marked-up copy of the information showing the information which should be disclosed.

Decision

The Commissioner finds that the Authority partially complied with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the Applicant’s 
request.

The Commissioner finds that:

  • the Authority was not entitled to rely on the exception in regulation 10(5)(f) of the EIRs to withhold information
  • the Authority correctly withheld most of the information it had withheld under the exception in regulation 11(2) of the EIRs
  • the Authority wrongly withheld a small amount of information under the exception in regulation 11(2) of the EIRs.  In failing to disclose that information to the Applicant, the Authority failed to comply with regulation 5(1) of the EIRs.


The Commissioner therefore requires the Authority to disclose to the Applicant the information it wrongly withheld by 7 October 2024.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

David Hamilton
Scottish Information Commissioner

21 August 2024


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

39 Health, safety and the environment

(2) Information is exempt information if a Scottish public authority-

(a) is obliged by regulations under section 62 to make it available to the public in accordance with the regulations; or

(b) would be so obliged but for any exemption contained in the regulations.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify –

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);

and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).



The Environmental Information (Scotland) Regulations 2004

2 Interpretation

(1) In these Regulations –

“the Act” means the Freedom of Information (Scotland) Act 2002;

“applicant” means any person who requests that environmental information be made available;

“the Commissioner” means the Scottish Information Commissioner constituted by section 42 of the Act;

“the data protection principles” means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section of that Act):

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form 
on -

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, 
biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect 
the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures 
inasmuch as they are or may be affected by the state of the elements of the environment referred to in paragraph (a) or, through those elements, by any of the matters 
referred to in paragraphs (b) and (c);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act); and

(3A) In these Regulations, references to the UK GDPR and the Data Protection Act 2018 have effect as if in Article 2 of the UK GDPR and Chapter 3 of Part 2 of that Act 
(exemptions for manual unstructured processing and for national security and defence purposes) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

…    
    …

10 Exceptions from duty to make environmental information available

(1) A Scottish public authority may refuse a request to make environmental information available if-

(a) there is an exception to disclosure under paragraphs (4) or (5); and

(b) in all the circumstances, the public interest in making the information available is outweighed by that in maintaining the exception.

(2) In considering the application of the exceptions referred to in paragraphs (4) and (5), a Scottish public authority shall-

(a) interpret those paragraphs in a restrictive way; and

(b) apply a presumption in favour of disclosure.

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with 
regulation 11.

(5) A Scottish public authority may refuse to make environmental information available to the extent that its disclosure would, or would be likely to, prejudice 
substantially-

(f) the interests of the person who provided the information where that person-

(i) was not under, and could not have been put under, any legal obligation to supply the information;

(ii) did not supply it in circumstances such that it could, apart from these Regulations, be made available; and

(iii) has not consented to its disclosure; or

11 Personal data

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if -

(a) the first condition set out in paragraph (3A) is satisfied, or

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations –

(a) would contravene any of the data protection principles, or

(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

17 Enforcement and appeal provisions

(1) The provisions of Part 4 of the Act (Enforcement) including schedule 3 (powers of entry and inspection), shall apply for the purposes of these Regulations as they apply for the purposes of the Act but with the modifications specified in paragraph (2).

(2) In the application of any provision of the Act by paragraph (1) any reference to -

(a) the Act is deemed to be a reference to these Regulations;

(b) the requirements of Part 1 of the Act is deemed to be a reference to the requirements of these Regulations;

(f) a notice under section 21(5) or (9) (review by a Scottish public authority) of the Act is deemed to be a reference to a notice under regulation 16(4); and

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Article 9 Processing of special categories of personal data

1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.  

2 Paragraph 1 shall not apply if one of the following applies:

    …

    e. processing relates to personal data which are manifestly made public by the data subject;

    …

Data Protection Act 2018

3 Terms relating to the processing of personal data

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

    …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided –

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.