Checklist for compliance with DPA when handling FOI Requests

Checklist for compliance with DPA when handling FOI Requests

The Freedom of Information (Scotland) Act 2002 has created a general right of access to all recorded information that is held by the University. Whilst the Act is intended to promote openness and accountability within universities, some information may be exempt from disclosure. Section 38 provides exemption from disclosure with respect to personal data as defined in data protection legislation.


The University is committed to a policy of adhering to the basic principles of the GDPR, and protecting the rights and freedoms of individuals with respect to the processing of their personal data. The handling of personal data by the University, in the context of Freedom of Information Requests, must conform to this policy.


Please work your way through all the points, unless you conclude after point 1 that data protection legislation does not apply to the requested information. Further information on the issues below are covered in the A to Z topics. If you are unsure at any stage, you must consult the Data Protection and Freedom of Information Office to ensure compliance with data protection legislation.

  • Check that you know what is meant by personal data and special category data. If the information requested does not contain such data then it is not subject to data protection legislation.
  • If the request is focused on information about the requester, then the request must be considered as a Subject Access Request and passed immediately to the Data Protection and Freedom of Information Office for processing.
  • If the request is focused on information about both the requester and other individuals, then the request might have to be treated as two separate requests - one as a Subject Access Request under data protection legislation and the other as a Freedom of Information request. In these circumstances you must consult both the Data Protection and Freedom of Information Office and your Freedom of Information Coordinator.
  • The UK Information Commissioner, the regulator of data protection legislation and of the UK Freedom of Information Act, has ruled that if a Subject Access Request is made under data protection legislation then it is not possible to refuse the release of information by using any of the exemptions of the Freedom of Information (Scotland) Act. The exemptions may only be used in response to a Freedom of Information (Scotland) Act request.
  • If the information relates to the non-University private life of any individual(s) then it should not be released unless the individual(s) have consented to the release. If any one individual is not the sole focus of the information, then the document may be released but must be subject to redaction. If redaction is not sufficient to protect the rights of the individual(s) whose personal data is contained in a document, then the document must NOT be released.
  • If the information (a) does not contain special category data, (b) does not contain personal data related to non-University life, and (c) relates to the officially identified University role of any individual(s), such as a serving senior manager or officer of the University, then the information may be released subject to redaction of any details that might involve his/her rights. An example would be individual work email address or a work mobile phone number.
  • If the information has been supplied from outwith the University, for example within a procurement tender document or as an external examiner, you must consider (a) under what circumstances and/or expectations was the data supplied by the third-party, and (b) whether consent has previously been requested, given, or refused.
  • In all cases you must consider the expectations of the individual(s) about disclosure of the personal data. If in doubt, seek the consent of the individual or consult both the University's Data Protection Officer and your Freedom of Information coordinator.
  • In all cases you must consider whether the release of the personal data (a) still accords with data protection legislation requirements for fair and lawful processing of that information by the University, and (b) would cause unwarranted and substantial damage or distress to the individual.