Category: Scotland

The Freedom of Information Reform (Scotland) Bill  

The Scottish Government has always been more willing to extend the scope of FOI legislation than its counterpart in London. Back in 2014, it extended the application of  the Freedom of Information (Scotland) Act 2002 (FOISA) to organisations created by councils to deliver leisure and sporting facilities and in 2019 to registered social landlords. 

More recently though, the Scottish Government has been criticised for refusing to accept suggestions to extend the FOI regime to all bodies providing public services, including social care providers, following a consultation. Opposition MSPs described the decision as “utterly undemocratic” and accused ministers of secrecy.
The Scottish Information Commissioner has also called for reform.  

On 2nd June 2025 MSP, Katy Clark, laid a Private Member’s Bill in the Scottish Parliament which, alongside extending the scope of FOISA, contains a number of provisions to refresh and update the legislation. These are explained in full here

We list below the provisions of the Bill which caught our eye:  

Section 1 – General entitlement 
Introduces a presumption in favour of disclosure when public authorities are considering whether an exemption applies. This would apply to all exemptions, apart from the small number of “absolute” exemptions. 

Section 3 – Publicly-owned companies 
Addresses an anomaly in FOISA to ensure that companies which are jointly and wholly owned by the Scottish Ministers and another public authority are covered. 
 
Section 7 – Time for compliance 
Amends FOISA so that the 20 working day response time is paused, rather than reset, when clarification is requested and received.  It also removes the time extension which is currently available to grant-aided and independent special schools during holiday periods. 

Section 12 – Enforcement Notices 
Gives the Commissioner the power to issue enforcement notices in relation to failures to comply with the FOISAs codes of practice. 

Section 13 – Ministerial Veto 
Removes the First Minister’s power to veto decisions of the Scottish Information Commissioner in some circumstances. 

Section 15 – Proactive publication duty and publication code 
Reforms the FOISA approach to proactive publication, requiring that an authority proactively publishes up-to-date information relating to its functions in an accessible way. Section 15 also gives the Commissioner the power to issue a publication code of practice, and requires that public authorities comply with that code. 

Section 16 – Freedom of Information Officer 
Creates a statutory requirement to appoint an FOI Officer within public authorities. He/she would be responsible for ensuring the fulfilment of a number of duties, including staff training, advising on compliance with FOISA and the codes of practice, and reporting to senior management. 

Section 18 – Offence Amendment 
Enables prosecutions to be taken forward in circumstances where information has been destroyed to prevent disclosure under FOISA, without requiring that an information request for the information has been made.   

Section 19 – Time limit for proceedings 
Changes the time limit for bringing a prosecution for the deliberate destruction or concealment of records to three years from the beginning of a criminal investigation, rather than three years from the date of the offence. 

The Bill contain some interesting proposals (e.g. introducing the FOI Officer and new time limits) but it will be interesting to see if, as a Private Member’s Bill, it makes it on to the statute books.  

The Scottish Information Commissioner, David Hamilton, has welcomed the Bill, noting that “after twenty years, it’s undoubtedly time for a refresh… by taking action to protect and update FOISA now, we can ensure that our vital right to hold public bodies to account remains fit-for-purpose for the future”.  

Are you looking to develop your FOISA skills? The Act Now Practitioner Certificate in Freedom of Information (Scotland) is designed for FOI practitioners wishing to demonstrate that they have the knowledge and skills to handle FOISA requests and implement related information access legislation in Scotland.  

ICO Issues Reprimands to Scottish Councils for Subject Access Delays 

Last week the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. 

Many Scottish local authorities have seen an increase in SARs in the past few years, particularly in relation to the Redress Scotland scheme which allows people, who suffered abuse while in care, to apply for redress using supporting documents such as their care record. This increase was reported as 67% between 2021 and 2024.  

In its press release, the ICO says it has supported local authorities to improve their SAR response times and this has led to a 75% improvement, with 13 local authorities reporting a compliance rate of 90% in 2023/24. However, two local authorities have been singled out for a reprimand: 

Why did the ICO not issue a fine? In June 2022, the ICO revised its approach to enforcement of the UK GDPR against public sector organisations choosing to issue reprimands in most cases. Last summer, it announced a review of this approach following criticism that it was not effective in delivering GDPR compliance and that it was unfair to treat the public sector differently to other sectors. 

In December last year, the Commissioner issued a statement following publication of the review report. In short, he has decided to continue with his approach. He said: 

“Feedback from the review said that public authorities saw the publication of reprimands as effective deterrents, mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders. Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operating Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.” 

The Commissioner also launched a consultation on the scope of the public sector enforcement approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority. The deadline for responding to this consultation was 31st January 2025. We await its outcome.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!   

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

Privacy Concerns Raised Over Adoption Records on Genealogy Website 

Last week, the names and details of individuals adopted over the past century were found to be accessible on the genealogy website, Scotland’s People. The exposure of these records, alongside other recent data breaches, has ignited a discourse on privacy and security.

Upon being alerted by a concerned mother, who discovered her adopted child’s details on the website, the NRS acted promptly, removing the information within 36 hours. The mother detailed her experience in an interview with BBC Scotland News. She highlighted the potential risk of the website inadvertently enabling individuals to discern the adopted child’s new surname. This revelation is alarming, especially as many adoptive parents opt to retain the first names of their children.

Diving deeper into the website’s database, it was revealed that the platform had information on adoptions dating as far back as 1909, with the most recent entries from 2022. Nick Hobbs, the acting Children’s Commissioner in Scotland, said that the exposed data could be in violation of both the European Convention on Human Rights and the United Nations Convention on the Rights of the Child, both of which enshrine the right to privacy.

While the NRS responded by temporarily removing the records from the site, they highlighted their statutory responsibility to maintain open and searchable registers. They also stressed that this incident didn’t classify as a personal data breach. Nonetheless, as a precautionary measure, they informed the Information Commissioner’s Office (ICO) about the concerns raised.

The ICO, in its statement, underscored the importance of sensitive personal data being managed in congruence with data protection laws. They clarified that while the NRS did notify them, they hadn’t received a formal breach report.  

This incident serves as a poignant reminder of the complexities of balancing transparency and privacy in the digital age. As the debate around personal data continues to evolve, it underscores the need for stringent measures and vigilance in the handling of sensitive information, especially when it pertains to vulnerable demographics.
It is paramount that organisations ensure robust data governance practices to prevent potential breaches and safeguard individual rights. 

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

The Scottish Information Commissioner’s Annual (FOISA) Report 2020

wesley-tingey-snNHKZ-mGfE-unsplash

The Scottish Information Commissioner, Daren Fitzhenry, recently published his Annual Report and Accounts for the year 2019-20. It is available to read and download from the Commissioner’s website. Mr Fitzhenry enforces the Freedom of Information (Scotland) Act 2002  (FOISA) as well as the Environmental Information (Scotland) Regulations 2004.  

In publishing, the Commissioner Daren Fitzhenry said: 

“I am publishing my Annual Report at a time dominated by the Covid-19 pandemic.
While freedom of information in Scotland has certainly not been immune from the impact of the pandemic, the importance of the right to information is one clear constant. 

“Inevitably we all have questions about the decisions being made by our governments and public services. Never more so than at a time when those decisions, sadly, may mean the difference between life and death.  

“This is why it is so vital that Scotland’s law ensures everyone has a right to seek information from public authorities and – with only very few, limited exceptions – to receive it.”

Key statistics from the report include:

  • 79,300 FOI requests were made to Scottish public bodies during the year. 12.6% of these were for environmental information (an increase from 10.3% in 2018-19)
  • 76% of requests to Scottish public authorities resulted in full or partial disclosure of information to the requester (an increase from 75% in 2018-19)
  • 251 interventions regarding authority practice improvements were carried out by the Commissioner (compared to 252 in 2018-19 and 234 in 2017-18)
  • There were 494 appeals made to the Commissioner (0.6% of total requests made to Scottish public bodies). 75% of appeals were made by members of the public. 
  • On average, cases appealed to the Commissioner were closed within 3.4 months
  • 23% of valid appeals to the Commissioner related to an authority’s failure to respond
  • 67% of the Commissioner’s decisions found wholly or partially in favour of the requester (an increase from 65% in 2018-19)

Please note that this annual report covers the period 1 April 2019 – 31 March 2020.
The Commissioner will publish an initial insights briefing specifically examining the impact of the Covid-19 on FOI in Scotland later in 2020.

Our most popular FOISA course will take place online in November. Click here for details.

Records Management in Scottish Public Authorities is Changing

backgrounds-building-exterior-builtstructure-calton-hill-edinburgh-castle-scotland-1

The Public Records (Scotland) Act 2011 (PRSA 2011) requires public bodies in Scotland to develop a Records Management Plan and submit it for the approval of the Keeper of the Records of Scotland. Many of these plans, usually approved on a five year basis, are now approaching the time when they will need to be revised and put through the approval process once again. Moreover, the Keeper’s team have been actively revising their “Model Plan” and will be expecting more from authorities on the submission of their new plans over the next couple of years.

Background

The PRSA 2011 received Royal Assent on 20 April 2011, aiming to fill a gap in information governance which had long existed. Although there had been some sector specific records requirements there was no overall legislative framework guiding the creation, management or retention of information in the Scottish public sector.

The Act came in on the back of the 2007 Shaw Report which blamed poor record keeping for many of the difficulties faced by former residents of residential schools and children’s homes. The Scottish Government took  a broad view of the implications of Shaw; this in turn led to the PRSA covering a broad range of named public authorities including the Scottish Government and Parliament, local authorities, NHS, police and the courts.

Despite concerns, strongly expressed at the time by COSLA among others, that the Act would present yet another onerous burden during a period of particularly harsh austerity, it is probably fair to say that the PRSA has been a success, giving Scotland a solid statutory basis for its record keeping for the first time.

Records Management Plans

The core of the Act is the requirement to develop and maintain a Records Management Plan. This, in theory, can take any form but in practice authorities have tended to closely follow the Keeper’s “Model” comprising (originally) 14 elements:

  1. Senior management responsibility 
  2. Records manager responsibility 
  3. Records management policy statement 
  4. Business classification 
  5. Retention schedules 
  6. Destruction arrangements 
  7. Archiving and transfer arrangements 
  8. Information security 
  9. Data protection 
  10. Business continuity and vital records
  11. Audit trail 
  12. Competency framework for records management staff 
  13. Assessment and review 
  14. Shared information

Changes 

One significant change to the way that the Keeper will be assessing authorities’ Records Management Plans is that there is now an “Element 15” in the Model Plan, covering third party records. S2 and S3 of the Public Records (Scotland) Act always defined the scope of the legislation broadly so as to cover the records of external agencies carrying out functions on behalf of the public authority, but that is now going to be more explicitly defined and the Keeper will expect to see evidence of policies and procedures under this “Element 15”.

The Keeper is currently undertaking a review of these requirements so it is as yet unclear exactly what will be required. The issue was covered in some detail at the Stakeholders’ forums which the Keeper hosted last year, and there is some guidance and model contractual clauses available from the National Records of Scotland, and from the Scottish Council on Archives and Quality Scotland.

Another significant change in the Keeper’s approach to what will be required from Records Management Plans is a general refocussing on data protection. This had always featured in the Model Plan with element 9 dedicated to the appropriate management of personal data but now data protection runs through the Keeper’s guidance like the writing through a stick of rock. As well as beefing up element 9, each section of the Keeper’s guidance now includes a data protection theme as an example of good practice.

The scope of the PRSA continues to broaden. The Keeper is currently going through the approval process of the Integrated Joint Boards, and (as with Freedom of Information?) there will be pressure to extend the list of bodies covered by the Act. The position of Trusts and some other arms-length authorities remains unclear but all organisations of a public nature would be well advised to get up to speed with the requirements of the Public Records (Scotland) Act 2011.

Throughout the process of the passage of the Bill, the Keeper always made a commitment to use the carrot rather than the stick. This has worked well, with the very helpful team at the NRS providing support and guidance on a range of records issues. As the records environment matures, however, and as more is expected of authorities, might we see a more robust approach from the regulator? In retrospect, some of the early schemes which the Keeper approved now look somewhat thin; it may be unlikely that these would have passed had they been submitted today.

Act Now has arranged a series of webinars and full day workshops on the themes raised by the developments within the PRSA. Among other issues, we will be looking at:

  • Records Management Policies. Some authorities conflate “policy” and “Plan”.
    I’d suggest a clear separation, with the Policy simply summarising the case for records management, allocating responsibilities, defining terms and setting out key principles. This element of the plan can also be used to include area-specific policies and procedures which perhaps don’t fit neatly elsewhere.
  • We’ll consider the standards and resources available. What are the standards that you need to know about? In developing or amending your plan, how far can you rely on off-the-shelf resources such as business classification schemes and retention schedules? What do you have to do to make these really work for you?
  • The Keeper has a self-review mechanism for already established Records Management Plans. The “Progress Update Review” mechanism is available and the Keeper has suggested that completing this process will delay the requirement for a full resubmission of your Plan. But what factors should be considered in deciding when to use the PUR and when to complete a full resubmission? 
  • Links to other relevant legislation. In particular, the GDPR, the Data Protection Act 2018 and the Freedom of Information (Scotland) Act 2004. As noted above, the start of the review of the model scheme was at the same time as the implementation of the GDPR and this seems to have very much focussed the Keeper’s attention on data protection. What will authorities need to do to ensure that their RMPs are up to speed with the new DP requirements?
  • Electronic Records Management. In theory, records principles are blind to the media by which the information is created, stored and managed. In practice, however, the Records Management Plan can be an excellent focus to develop and promote policies and practical guidance which relates specifically to information in alternative media.
  • Getting “buy in”. We will consider the best ways to get support for the Records Management Plan within your organisation. It is important that you are able to show the benefits of good records management – and not just in terms of statutory compliance or improved efficiency. By developing a culture of regarding information as a corporate asset you be able to demonstrate that records management is vital in evidencing the rights and responsibilities of the organisation and in maintaining a high quality corporate memory through the development of a proper archive service. 
  • Making it real. The RMP should not just be a paper exercise but should be a functioning set of tools which ensure that the organisation derives maximum value from its information resources. To be of real value, the Plan needs to be embedded throughout the organisation, rather than just a neat stack of policies on a corner of the Chief Executive’s desk. 

Craig Geddes is a qualified archivist and records manager, with 28 years’ experience working across the range of information governance activities. He has recently joined the Act Now team to deliver freedom of information and records management courses in Scotland

Blog Footer Blue and White 2

Information Governance Experts Join the Act Now Team

Steven CockcroftCraig Geddesbarry moult

(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit, Risk Management and Business Continuity Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well know IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategical Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR) how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training,  said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector.  Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Blog Footer Blue and White 2

Freedom of Information comes to Scottish Registered Social Landlords

jack-anstey-XVoyX7l9ocY-unsplash

The social housing sector already prides itself on being open and accountable to tenants. But from  11 November 2019, registered social landlords (RSLs) in Scotland will acquire new transparency obligations under the Freedom of Information (Scotland) Act 2002 (FOISA).

After years of debate and the robust recommendation of successive Scottish Information Commissioners, that housing associations should be in scope of FOISA, a designation order (under Section 5) adds RSLs to the list of public authorities in Schedule 1 of FOISA. The last such order  (S.I. 2016/139) came into force on 2ndMarch 2016and extended coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited.

Housing associations are already subject to the Environmental Information (Scotland) Regulations 2004 (EISR) as their scope is broader than FOISA. However, awareness of the EISR is low among the public, and even some housing associations were probably unaware of them. Many of the types of requests which RSLs are likely to receive – around construction and repairs for example – will continue to fall under the EISRs.

Unlike other Scottish public authorities, the scope of FOISA does not apply to all the activities that an RSL may undertake. The designation order only extends FOISA to “housing services” as defined in the Housing (Scotland) Act 2010, which would include activities in support of:

  • the prevention and alleviation of homelessness,
  • the management of housing accommodation (but only where RSL has issued a Scottish secure tenancy or short SST)
  • the provision and management of sites for gypsies and travellers

Other activities undertaken by RSLs – such as factoring for owner-occupiers, repairs and maintenance for non-tenants and care services – would not be in scope. Identifying how much of the organisation is subject to FOISA will be an ongoing challenge for RSLs.

GDPR Implications

And there is a double whammy for RSLs. Under section 7 of the Data Protection Act 2018, schedule 1 of FOISA is the basis in Scotland for designating public authorities under GDPR. Therefore, from November, RSLs will be subject to the obligation, under Article 38 and 39 of GDPR, to designate and provide appropriate support for a Data Protection Officer. While many larger RSLs have already done so, this is going to be a challenge to resource for smaller associations.

So, in preparation for November, RSLs should “Act Now” to:

  • Gain senior management support and buy-in for the compliance tasks;
  • Identify and designate a Data Protection Officer if they haven’t already done so;
  • Designate a lead officer for FOISA compliance;
  • Develop procedures and guidance for staff, including a log for tracking requests and templates for responses;
  • Ensure training is in place: Specific compliance training for DPOs and FOI leads and awareness training for all staff;
  • Review records management procedures to ensure appropriate retention periods are applied and records are retrievable;
  • Inform tenants and the wider public of their rights, including having a guide to information on their website.

FREE WEBINAR

Our FOISA expert, Frank Rankin, is delivering a free webinar for RSLs in Scotland to bring them up to speed with FOISA and what they need to do now before the implementation date. Book now as places are limited.

Act Now can support RSLs with our range of public training courses, including the only FOISA practitioner certificate course and our GDPR practitioner course, geared towards supporting DPOs. We can also provide in-house training and consultancy support.

GDPR is coming but don’t panic!

GDPR General Data Protection Regulation

The General Data Protection Regulation (GDPR)will come into force in 3 weeks time. 25thMay though is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I‘ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be doing to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  4. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing polices and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and if so who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioners full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!

 

Scottish Information Commissioner’s Annual Report 2016/17

edinburgh-castle_thumb.jpg

Last month, Margaret Keyse, the Acting Scottish Information Commissioner, published her annual report for 2016/17.  Amongst other laws, Ms Keyse enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

The report reveals that during 2016/17:

  • Public awareness of FOISA remained at its highest ever level, at 85%.
  • The Office of the Scottish Information Commissioner (OSIC) met or exceeded most of its investigation performance targets (10 out of 12).
  • It issued its first ever Enforcement Notices.
  • It carried out 15 level 4 interventions with authorities to address practice concerns.
  • It launched an online appeal service, making it possible for requestors to make appeals online, and receive real-time help and advice, at any time of day.
  • It responded to its 20,000th enquiry since 2005.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four day course is endorsed by the Centre for FOI ,based at Dundee University.

The next course starts in Edinburgh in February 2018. If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations.

Extension of Freedom of Information in Scotland

file351272130459

Following a consultation last year by the Scottish Government, the Freedom of Information (Scotland) Act 2002 (FOISA) was recently extended to cover more organisations.

The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2016, S.I. 2016/139, came into force on 2nd March 2016. It is made under Section 5 of FOISA. It comes into force on 1st September 2016.

The Order extends coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited. These bodies also become subject to the Environmental Information (Scotland) Regulations 2004 in relation to any requests they receive for environmental information.

This is the second order brought forward under Section 5 of FOISA; the first came into force on 1 April 2014 and covers arms-length culture, sport and leisure trusts established by local authorities.

Freedom of Information in Scotland seems to sail in much more calmer waters than in the rest of the UK where the FOI Act comes under intense scrutiny (some say “attack’) from politicians from time to time. The Independent Commission on Freedom of Information was established by the Cabinet Office in July last year to examine the operation of the FOI Act and whether it required any changes. Its recent report says FOI is working well and does not need major changes. However, it does make twenty-one recommendations.

Think you know about FOISA? Have a go at the FOISA test.

 Looking for a FOISA qualification? Our Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 is the only certificated course specially designed for FOI practitioners in Scotland. It is endorsed by the Centre for FOI based at Dundee University