The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Book Icon


Personal Data - Regulation 11 under the OLD rules

 Exclamation IconData protection laws have changed. Please do not rely on the guidance on this page 

for any information requests received on or after 25 May 2018.


This is when both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect. The DPA 2018 amends section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA( and regulation 11 of the Environmental  Information (Scotland) Regulations 2004 (the EIRs). The changes affect when personal data can, and can't be disclosed in response to a request for it under FOISA or the EIRs. 

Read our new draft guidance on personal information under the new rules Draft Briefing Personal Information - Section 38 under the new rules

Up to date information about the GDPR can be found on the (UK) Information Commissioner data protection reform website.

The main points

Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs.  Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data shall not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.

Personal data must not be disclosed if it is:

  • the personal data of the person requesting the information (regulation 11(1));
  • the personal data of a third party – and other conditions apply (regulation 11(2)).

The tests in regulation 11 can be complex to apply.  You are advised to consider them methodically, referring to this briefing as you go to be sure you are applying the correct tests.

Remember that regulation 11 covers personal data which also falls within the definition of environmental information.  There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information.  See the Commissioner's guidance Exemptions - Personal information (section 38).



Regulation 11 applies regardless of how old the information is.  In practice, this will be limited because the provisions can only be applied if the information relates to living individuals.  The exemptions do not apply to personal information of deceased people.

Regulation 11 and the public interest test

Regulation 11 is generally absolute, which means that the public interest test need not be considered when deciding whether to disclose personal data.  However, in two situations, authorities do need to think about the public interest test.  This is looked at in more detail in the briefing.

Regulation 11 and neither confirm nor deny

A public authority may refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), if revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11 (see regulation 11(6) and Appendix 1 of the briefing which sets out links to decisions issued by the Commissioner on this point). 


This briefing contains a flowchart which looks at responding to requests for third party personal data under regulation 11(2).

Download the briefing

PDF iconEIRs Briefing Regulation 11: Personal data


Page last updated 11 July 2017

Back to Top