The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Personal Data - Regulation 11

Published 03 September 2018


Exclamation Mark IconThe General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (the DPA) came into effect on 25 May 2018 and made a lot of changes to data protection laws in the UK (and the rest of Europe).  Anyone using this guidance should be aware that the cases and decisions referred to were decided in line with the Data Protection Act 1998 (no longer in force). Although many of the key principles involved remain very similar under the new rules, care is required to ensure that the new regime is being complied with.  This guidance will be updated as new decisions are issued and as further guidance on data protection is published by the Information Commissioner's Office  which enforces and regulates data protection throughout the whole of the UK, including Scotland. 

About Regulation 11

Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs.  Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data must not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.

Personal data must not be disclosed if it is:

  • the personal data of the person requesting the information (regulation 11(1));
  • the personal data of a third party – and other conditions apply (regulation 11(2)).

The exceptions in regulation 11 regulate the relationship between the EIRs, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the DPA 2018).  Remember that regulation 11 covers personal data which also falls within the definition of environmental information.  There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information.  See the Commissioner’s briefing on section 38.


Regulation 11 applies regardless of how old the information is.  In practice, this will be limited because the provisions can only be applied if the information relates to living individuals.  The exemptions do not apply to personal information of deceased people.

Regulation 11 and the public interest test

The exceptions in regulation 11 are generally absolute, which means that they are not subject to the public interest test.   However, in two specific situations, the exception in regulation 11(2) is subject to the public interest test.  This means that, even if the exception applies, the personal data must be disclosed unless, in all the circumstances of the case, the public interest in making the personal data available is outweighed by the public interest in not making it available.  This is looked at in more detail in the briefing.

Regulation 11 and neither confirm nor deny

Where any of the exceptions in regulation 11 applies, a public authority can refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), provided it is satisfied that revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11.  (See regulation 11(6)).

Download the briefing

PDF iconEIRs Briefing Regulation 11: Personal data

Previous version of this guidance

If you'd like to see the previous version of this guidance, please contact us

Personal information under FOISA

See our briefing on personal information under FOISA - Exemptions - Personal information (section 38)

Back to Top