Yesterday, the Scottish Government began a consultation on legislation to formally designate Registered Social Landlords (RSLs) as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”). The draft Order being consulted on proposes a commencement date of 1st April 2019.
This is not an unexpected development in the field of information law. In December 2016 the Scottish Government consulted on the principle of designating RSLs as public authorities for the purposes of FOISA. It has been widely anticipated that RSLs would be designated as a public authority for the purposes of FOISA.
A designation as a public authority for the purposes of FOISA will have ramifications for RSLs beyond the obvious need to comply with FOISA and being under the regulatory oversight of the Scottish Information Commissioner. It will also have implications for RSLs in respect of how they implement the General Data Protection Regulation (“GDPR”), which becomes applicable from 25th May 2018.
There are a number of aspects of the GDPR which are directed towards public bodies. The Data Protection Bill currently before the UK Parliament defines what a public body is for the purposes of the GDPR. Clause 6 of the Bill provides that a body which is designated as a Scottish public authority for the purposes of the FOISA is a public body. This will mean that RSLs will have to appoint a Data Protection Officer; even although many of them would not have had to before this decision was taken by the Scottish Government.
It also has implications for the grounds upon which they can legitimately process personal data. Processing of personal data for the purpose of pursuing a legitimate interest of the controller is permissible under the GDPR. However, the GDPR goes on to provide that public bodies cannot rely upon legitimate interest as a ground of processing in performance of their tasks. Therefore, any RSL that has been preparing for the GDPR on the basis that they will be able to process personal data on the legitimate interests ground will have to re-evaluate its processing of personal data ahead of its designation as a public authority for the purposes of FOISA.
It is worthy of note, simply for interest, that the Data Protection Bill proposes giving the Secretary of State the power to make regulations which state that a public body is not in fact a public body for the purposes of the GDPR. However, there has been no indication that the Secretary of State intends on making use of this power or how the power is intended to be used; therefore, it is probably advisable not to work on the basis that a RSLs will be declared not to be public bodies for the purposes of the GDPR.
Another possible implication for RSLs is in relation to the Environmental Information (Scotland) Regulations 2004 (“the EIRs”). The Scottish Information Commissioner has already previously decided that RSLs are public authorities for the purpose of these regulations, which govern access to environmental information. The Housing (Amendment) (Scotland) Bill may have implications for the basis upon which the Commissioner concluded that RSLs were a public authority for the purposes of the EIRs. If it does, there may be a gap where RSLs are not public authorities for the purposes of EIRs. Once they become designated as a public authority for the purposes of FOISA, they will automatically become a public authority for the purposes of the EIRs as well.