Personal information - Regulation 11
The main points
Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs. Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data shall not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.
Personal data must not be disclosed if it is:
- the personal data of the person requesting the information (regulation 11(1));
- the personal data of a third party – and other conditions apply (regulation 11(2)).
The tests in regulation 11 can be complex to apply. You are advised to consider them methodically, referring to this briefing as you go to be sure you are applying the correct tests.
Remember that regulation 11 covers personal data which also falls within the definition of environmental information. There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information. See the Commissioner's guidance Exemptions - Personal information (section 38).
Note Regulation 11 regulates the relationship between the EIRs and the Data Protection Act 1998 (the DPA). It is intended that, on 25 May 2018, the DPA will be superseded in the UK by a new EU-wide General Data Protection Regulation (GDPR) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. (See General Data Protection Regulation) Following the June 2016 referendum on the United Kingdom leaving the EU, it is unclear what will happen with the GDPR in the UK. Updates are available from the (UK) Information Commissioner's website.
Regulation 11 applies regardless of how old the information is. In practice, this will be limited because the provisions can only be applied if the information relates to living individuals. The exemptions do not apply to personal information of deceased people.
Regulation 11 and the public interest test
Regulation 11 is generally absolute, which means that the public interest test need not be considered when deciding whether to disclose personal data. However, in two situations, authorities do need to think about the public interest test. This is looked at in more detail in the briefing.
Regulation 11 and neither confirm nor deny
A public authority may refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), if revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11 (see regulation 11(6) and Appendix 1 of the briefing which sets out links to decisions issued by the Commissioner on this point).
This briefing contains a flowchart which looks at responding to requests for third party personal data under regulation 11(2).
Download the briefing and flowchart
EIRs Guidance Regulation 11: Personal data
Page last updated 09 December 2016
Back to Top