22nd October 2019

HR Issues – Data Transparency & Protection

Under a Month for Housing Associations to Meet Freedom of Information Requirements

Subject to Scottish Parliament approval, Registered Social Landlords (RSLs) and their subsidiaries in Scotland will fall under the Freedom of Information (Scotland) Act 2002 (FOI(S)A) as of 11th November this year. The change was recommended earlier this year by the Information Commissioner, citing the Grenfell Tower fire of 2017 as evidence that Housing Associations could improve their diligence in information-keeping.

What is the FOI(S)A?

Generally speaking, this is a piece of legislation that requires public authorities to:

  • disclose information following a request from a member of the public
  • maintain a ‘publication scheme’ which allows information to routinely be made publicly available
  • provide reasonable advice and help to members of the public wishing to exercise their right to Freedom of Information

What information must be made accessible?

The FOI(S)A can potentially relate to any information that the RSL or public authority has stored, although there are some (complicated!) exemptions which might justify the information being withheld. Decisions on what information is exempt will likely involve liaison with the Information Commissioner’s Office (ICO), and members of the public are eligible to appeal decisions to withhold requested information.

What do these changes mean for RSLs?

By coming under the FOI(S)A legislation, RSLs are also defined as ‘public authorities’ under GDPR, making it mandatory for them to appoint a designated Data Protection Officer (DPO). This could prove a significant challenge for many RSLs, due to extra salary expenses for an in-house DPO, or lack of capacity of current staff to assume additional responsibilities.

However, the consequences of failing to appoint a DPO before 11th November are arguably greater – this could result in a Tier 2 fine under GDPR, which is equivalent to the greater figure of €10m or 2% of annual turnover.

Furthermore, meeting FOI requirements also means RSLs must respond to information requests within 20 working days. Implementing a series of preparatory steps would be beneficial for RSLs to enhance readiness when the changes do come into force next month.

What steps can RSLs take to prepare?

Hopefully RSLs are well underway in their preparations for the impending changes to the FOI requirements. If not, we have outlined some key steps below. While all of these are important, we have separated the action points into levels of priority. Please note, however, that RSLs should aim to achieve a high proportion of all of the following in order to successfully handle the changes.

Immediate Priority:

  • Consider your current capacity to comply with the changes, and identify actions required to comply with these.
  • Consult with senior management about impending FOI(S)A requirements, and the need to appoint a DPO. This is important because it represents a financial and time-based investment.
  • Appoint a DPO who can take on FOI responsibilities.
  • Design and implement a publication scheme which promises to make certain types of information available (e.g. policies and procedures, financial statements, etc.).

Medium Priority:

  • Identify which information could be implicated under an FOI request, including which exemptions might be applicable.
  • Consider any modifications which could be made to existing data protection documentation and processes to better comply with FOI requirements, including the mechanism for responding to subject access requests.
  • Ensure staff have been trained to recognise and appropriately respond to FOI requests.
  • Inform tenants (and the wider public) of how to make an FOI request.

Lower Priority:

  • Assess the scope of the information which your organisation currently holds.
  • Make tenderers and current suppliers aware that the information they provide might be covered by FOI(S)A.
  • Identify whether it is appropriate to have a ‘clear out’ of retained information before 11th
  • Prepare template responses for FOI requests.
  • Consider FOI (and especially confidentiality) when entering into contracts.

How can Navigator help you?

If the idea of appointing an in-house DPO – or handling FOI in general – seems daunting, please do not hesitate to get in touch. Navigator can provide an out-sourced DPO service, which saves you money on in-house salary costs but, perhaps more importantly, gives you peace of mind in the knowledge that data protection and FOI issues will be handled by an experienced EU GDPR Practitioner.

For more information about our out-sourced DPO services, click here.

Alternatively, you can contact us by email at or on 0333 2400 308.
