Guidance on the use of regulation 11 of the EIRs
UPDATED January 2021: Following Brexit, the UK is no longer subject to the General Data Protection Regulation (GDPR), but is subject to what is known as the "UK GDPR". We have updated our guidance to reflect this change and related amendments to other legislation. Some of the decisions referred to in the briefing were issued before the GDPR, Data Protection Act 2018 and UK GDPR came into force; although the key principles remain very similar, readers need to ensure they comply with the new regime.
We update the guidance as new decisions are issued and further data protection guidance becomes available.
Other recent changes to this guidance
- "Consent" is no longer suggested as a basis for disclosing personal data in response to an FOI request - in line with recent decisions, our guidance now states "legitimate interest" is the only condition likely to apply in practice
- Links to other resources now include updated ICO guidance on data protection and Brexit, the UK GDPR Keeling Schedule and the ICO's "Right of Access" guidance in place of the previous "Subject Access Code of Practice"
About regulation 11
Regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs) sets outs when personal data can and cannot be disclosed under the EIRs. Regulation 10(3) makes it clear that, where a request for environmental information includes personal data, the personal data must not be made available (i.e. disclosed) otherwise than in accordance with regulation 11.
Personal data must not be disclosed if it is:
- the personal data of the person requesting the information (regulation 11(1));
- the personal data of a third party – and other conditions apply (regulation 11(2)).
The exceptions in regulation 11 regulate the relationship between the EIRs, the UK General Data Protection Regulation and the Data Protection Act 2018. Remember that regulation 11 covers personal data which also falls within the definition of environmental information. There is a separate exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) for personal data which is not environmental information. See the Commissioner's briefing on section 38.
Regulation 11 applies regardless of how old the information is. In practice, this will be limited because the provisions can only be applied if the information relates to living individuals. The exceptions do not apply to personal information of deceased people.
Regulation 11 and the public interest test
The exceptions in regulation 11 are generally absolute, which means that they are not subject to the public interest test. However, in two specific situations, the exception in regulation 11(2) is subject to the public interest test. This means that, even if the exception applies, the personal data must be disclosed unless, in all the circumstances of the case, the public interest in making the personal data available is outweighed by the public interest in not making it available. This is looked at in more detail in the briefing.
Regulation 11 and neither confirm nor deny
Where any of the exceptions in regulation 11 applies, a public authority can refuse to reveal whether personal data exists or is held by it (regardless of whether it actually holds the personal data), provided it is satisfied that revealing whether the personal data exists or is held would, of itself, involve making personal data available contrary to regulation 11 (see regulation 11(6))