Personal Data

Guidance on the use of regulation 11 of the EIRs

A note for readers

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect in May 2018, making many changes to data protection laws in the UK. Some of the cases and decisions referred to in this briefing were decided in line with the Data Protection Act 1998 (which is no longer in force). Although many of the key principles involved remain very similar under the new rules, readers need to ensure they comply with the new regime.

We update the guidance as new decisions are issued and further data protection guidance becomes available.

Recent changes to this guidance

  • New paragraph on Brexit, with a link to the ICO's website
  • Reference to transitional provisions removed
  • Definition of "personal data" focused on s3 of DPA 2018 rather than GDPR definition (substantially similar)
  • New text about the definition of "relates to"
  • New references to recent decisions under the new rules added to Appendix

About regulation 11

Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs. Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data must not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.

Personal data must not be disclosed if it is:

  • the personal data of the person requesting the information (regulation 11(1));
  • the personal data of a third party – and other conditions apply (regulation 11(2)).

The exceptions in regulation 11 regulate the relationship between the EIRs, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the DPA 2018). Remember that regulation 11 covers personal data which also falls within the definition of environmental information. There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information. See the Commissioner's briefing on section 38.


Regulation 11 applies regardless of how old the information is. In practice, this will be limited because the provisions can only be applied if the information relates to living individuals. The exceptions do not apply to personal information of deceased people.

Regulation 11 and the public interest test

The exceptions in regulation 11 are generally absolute, which means that they are not subject to the public interest test. However, in two specific situations, the exception in regulation 11(2) is subject to the public interest test. This means that, even if the exception applies, the personal data must be disclosed unless, in all the circumstances of the case, the public interest in making the personal data available is outweighed by the public interest in not making it available. This is looked at in more detail in the briefing.

Regulation 11 and neither confirm nor deny

Where any of the exceptions in regulation 11 applies, a public authority can refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), provided it is satisfied that revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11 (see regulation 11(6)).

Download the briefing

EIRs Briefing Regulation 11: Personal data

Personal information under FOISA

See our briefing on personal information under FOISA – Exemptions - Personal information (section 38)

Back to Top