The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Book Icon

 

Personal Data - Regulation 11

 

The main points

Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs.  Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data shall not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.

Personal data must not be disclosed if it is:

  • the personal data of the person requesting the information (regulation 11(1));
  • the personal data of a third party – and other conditions apply (regulation 11(2)).

The tests in regulation 11 can be complex to apply.  You are advised to consider them methodically, referring to this briefing as you go to be sure you are applying the correct tests.

Remember that regulation 11 covers personal data which also falls within the definition of environmental information.  There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information.  See the Commissioner's guidance Exemptions - Personal information (section 38).

Note The exceptions in regulation 11 regulate the relationship between the EIRs and the Data Protection Act 1998 (the DPA). However, a new law, the EU-wide General Data Protection Regulation (GDPR) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. Up to date information about the GDPR can be found on the (UK) Information Commissioner data protection reform website.


Duration

Regulation 11 applies regardless of how old the information is.  In practice, this will be limited because the provisions can only be applied if the information relates to living individuals.  The exemptions do not apply to personal information of deceased people.


Regulation 11 and the public interest test

Regulation 11 is generally absolute, which means that the public interest test need not be considered when deciding whether to disclose personal data.  However, in two situations, authorities do need to think about the public interest test.  This is looked at in more detail in the briefing.


Regulation 11 and neither confirm nor deny

A public authority may refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), if revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11 (see regulation 11(6) and Appendix 1 of the briefing which sets out links to decisions issued by the Commissioner on this point). 


Flowchart

This briefing contains a flowchart which looks at responding to requests for third party personal data under regulation 11(2).


Download the briefing and flowchart

PDF iconEIRs Briefing Regulation 11: Personal data

 

Page last updated 11 July 2017

Back to Top