Posted on Apr 05, 2019 in Data Protection by Loretta Maxfield
Scotland’s registered social landlords (RSLs) will be subject to the requirements of the Freedom of Information (Scotland) Act 2002 (FOISA) from 11 November 2019 assuming that, as expected, the Scottish Parliament approves the recently submitted Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019.
Preparing for FOISA and ensuring continued compliance can take a lot of time, effort and resource for some organisations, and we would recommend that RSLs start preparations now, if they have not already done so. Intellectual Property Partner Loretta Maxfield provides an overview of what it means to be caught by FOISA and how RSLs can prepare for FOISA on a practical level.
Will all RSL activity be subject to FOISA?
It is important to note that the RSL and any connected body (e.g. any subsidiary) will be caught by FOISA in so far as their activities relate to the in-scope services. The in-scope services are “housing services” as defined in section 165 of the Housing (Scotland) Act 2010, subject to a few exceptions.
Essentially, FOISA will capture an RSL’s (and any subsidiary’s) activities in relation to housing accommodation and related services including anything done, or required to be done, in relation to:
(a) the prevention and alleviation of homelessness;
(b) the management of housing accommodation under a Scottish Secure Tenancy or a short Scottish Secure Tenancy;
(c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
(d) supply of financial and governance information to the Scottish Housing Regulator.
Notably, the management of housing accommodation that is not under a Scottish Secure Tenancy or a short Scottish Secure Tenancy is out of scope, e.g. the provision of accommodation for private renting or mid-market rent. Likewise, the provision of services for owners and occupiers of houses (e.g. social services) is out of scope. Thus any information collected for these purposes will not be subject to FOISA.
What is the Freedom of Information (Scotland) Act 2002?
Broadly, FOISA gives the public the right to access certain information held by Scottish Public Authorities (SPAs).
This is achieved by obliging SPAs to (a) disclose information following a request received from members of the public, subject to certain exemptions; (b) have and maintain an approved publication scheme where the SPA would routinely make information publicly available; and (c) generally provide reasonable advice and assistance to members of the public in relation to exercising their rights under FOISA.
FOISA is enforced by the Scottish Information Commissioner and members of the public can appeal to the Commissioner if they feel that the SPA is not complying with FOISA. The Commissioner does not, arguably, have as many remedial tools at its disposal as the Information Commissioner’s Office that regulates data protection; nonetheless it can order SPAs to disclose information in certain circumstances. In addition, handling investigations by the Commissioner can be time-consuming, a drain on resource and have reputational consequences, and therefore it is advisable to avoid creating situations where appeals are likely if at all possible. To do so it will be important for each RSL to upskill their workforce in FOISA and embed the necessary policies, procedures and governance to ensure FOI Requests can be dealt with in accordance with FOISA.
What are FOI Requests and do RSLs need to disclose all information that is requested by members of the public?
Requests for information under FOISA must: (a) be in writing; (b) state the name and address of the requester; and (c) describe the information requested. Any individual can make a request (although those aged 12 and under may need to provide details of why they require the information). Requests do not need to refer to FOISA. As a result, SPAs should be vigilant in ensuring that any request for information is treated as a request under FOISA.
SPAs are obliged to respond to any requests within 20 working days. Generally, the response should state whether the information is held by the SPA and whether the SPA is disclosing it (in whole or in part). If the SPA is relying on an exemption to withhold information, the response should explain why the exemption applies. It should also explain how the individual can ask for a review of the decision and subsequently appeal to the Commissioner if dissatisfied.
As touched on above, if the information is held there are a number of exemptions to disclosure that may apply and these should be considered in advance of releasing any information. Use of these exemptions can be complex and is open to challenge by the Commissioner. Therefore, it is important to consider their applicability carefully and, where appropriate, take legal advice before relying on them.
Consequences under the General Data Protection Regulation (GDPR)
RSLs should be aware that once they are designated as a public authority under FOISA, they will also be deemed a public authority under GDPR. A notable consequence of this is that RSLs will, from November, be required to appoint a Data Protection Officer (DPO).
A DPO’s role is set out in GDPR; in short however, a DPO has responsibility for informing and advising the RSL of their obligations under GDPR and other applicable data protection laws; monitoring the RSL’s compliance with GDPR; providing assistance with privacy impact assessments; and being a point of contact with the ICO and individuals in relation to the processing of personal data.
Failure to appoint a DPO can result in a fine of up to the greater of €10M or 2% of annual turnover, so it is crucial that RSLs appoint a DPO before the deadline. This could be an existing employee, a new recruit or a service provider; however, it is important that the person fulfilling the role has expert knowledge of data protection law, has the ability to fulfil the above tasks and can act without conflict.
Preparation for FOISA
The implementation of FOISA training, policies and procedures, recruitment and compliance will take time. Therefore, it is important to take steps now to prepare before the November deadline. In particular, we recommend the following action points:
- Engage Senior Management and secure buy-in as complying with FOISA will demand allocation of resources and could impact budgets.
- Appoint an FOI officer who can champion and drive your compliance with FOISA and ensure that any requests you receive are dealt with in compliance with FOISA.
- Develop FOISA procedures with the FOI officer and ensure that staff have received training on them and are familiar with them (including what to do should they receive a request). Training should cover off FOISA but also Codes of Practice issued by the Commissioner which provide guidance on providing reasonable advice and assistance and good records management.
- Prepare template responses for FOI Requests to assist with management of FOI Requests.
- Create and prepare an FOI Register (RSLs will need to report to the Commissioner quarterly on their handling of FOI Requests).
- Inform the public how to make an FOI Request.
- Prepare and publish a Publication Scheme.
- Review document retention policy and identify information currently held and whether it is appropriate to have a declutter before November.
- Tenders – make tenderers aware that your organisation is now subject to FOISA as information they provide may be caught by FOISA.
- Consider FOI when entering into contracts and specifically the confidentiality clause. RSLs may wish to carve the obligation to disclose under FOISA out from any obligation of confidentiality.
- Appoint a DPO to ensure compliance with the requirement under GDPR for public authorities to have a DPO.
Our specialist team have extensive experience in assisting with FOISA compliance and preparing for FOISA compliance (including training packages, creation of template correspondence for FOISA requests, assistance with setting up publication schemes, handling complex FOISA Requests etc.).
We also have comprehensive outsourced DPO packages and DPO assist packages available. If you would like further information in relation to this, please do not hesitate to contact us.