Registered Social Landlords (RSLs) in Scotland, and some subsidiaries of RSLs, are now defined as "Scottish public authorities" under the Freedom of Information (Scotland) Act 2002 (FOISA). RSLs will need to get to know and understand their statutory duties under FOISA, but it is also important to note that the extension of FOISA to RSLs has an impact on other pieces of legislation too.
This article looks at what being a Scottish public authority under FOISA means for RSLs in the context of the General Data Protection Regulation (EU) 2016/679 (GDPR), the Lobbying (Scotland) Act 2016 (the 2016 Act) and the Climate Change (Scotland) Act 2009 (the 2009 Act).
How does FOISA affect the GDPR?
Appointment of a DPO
There is a duty under the GDPR for all public authorities to appoint a data protection officer (DPO). Under the Data Protection Act 2018, "public authorities" are defined with reference to the application of FOISA. Accordingly, RSLs are now legally required to appoint a DPO under the GDPR.
The DPO's role is primarily to assist organisations monitor compliance with the GDPR and a DPO's duties include advising organisations on their obligations under the GDPR. A DPO can be an existing employee or appointed externally. Many of our RSL clients have appointed Harper Macleod LLP to act as their DPO, for example.
Lawful bases for processing personal data
The GDPR provides that organisations must lawfully process personal data by meeting at least one of the six lawful bases under the GDPR. These are: consent; contract; legal obligation; vital interests; public task; and legitimate interests.
Whilst all six lawful bases can still be applied by RSLs, there are restrictions on the use of certain lawful bases by public authorities. In particular:
- consent – whilst this lawful basis for processing personal data may be applied by public authorities, it should be used with caution. It is vitally important for RSLs to be able to show that affirmative consent has been freely, having regard to the potential wider power disparity between a public authority and an individual; and
- legitimate interests – this lawful basis can only be used when the processing of personal data is necessary for a legitimate reason other than the exercise of statutory functions as a public body. If an RSL is processing personal data in the exercise of its statutory functions, it would likely be more appropriate to rely on the 'public task' basis for such processing.
It is important to clarify that the restriction regarding the application of the "legitimate interests" basis by public authorities under the GDPR does not apply when a Scottish public authority is considering whether or not it would be lawful to disclose personal data under FOISA.
The application of FOISA to RSLs will not inherently change the way in which RSLs handle personal data, but RSLs need to ensure that they hire a DPO and apply greater scrutiny when considering on what lawful basis they are processing personal data.
How does FOISA affect lobbying?
On 12 March 2018, the 2016 Act came into force. The 2016 Act was introduced with the intention of bringing greater openness and transparency around lobbying Members of the Scottish Parliament (MSPs) and required certain organisations to record on the public Lobbying Register any instances of regulated lobbying.
Any organisations which were likely to have any face-to-face contact with MSPs and Members of the Scottish Government and were looking to inform or influence decisions made by the Scottish Government or the Scottish Parliament were encouraged to register with the Lobbying Register.
Given the role which RSLs play in local communities and the impact of public policy and public financing on their affordable housing activities, many RSLs registered in the Lobbying Register. Some have submitted returns over the past year or so, reporting on discussions with MSPs about various issues of significance to them and the communities they serve.
There is an exemption to the 2016 Act for communications made by or on behalf of a "Scottish public authority within the meaning of the Freedom of Information (Scotland) Act 2002". As from 11 November 2019, RSLs fall within that exemption, which means that RSLs will no longer have to register in the Lobbying Register or to record instances of 'regulated lobbying' in the Lobbying Register.
How does FOISA affect climate change?
The 2009 Act prescribes duties on public bodies relating to climate change and "public bodies" are defined with reference to the application of FOISA. Accordingly, RSLs will now be obliged to comply with specific duties contained within the 2009 Act.
The duties on a public body under the 2009 Act require that the public body must, in exercising its functions, act in a way: (a) best calculated to contribute to the delivery of the targets under the 2009 Act; (b) best calculated to help deliver any programme laid before the Scottish Parliament under the 2009 Act; and (c) that it considers is most sustainable.
In complying with the duties under the 2009 Act, RSLs, as public bodies, must also have regard to the Scottish Government's guidance "Public Bodies Climate Change Duties: Putting Them Into Practice" published in February 2011. The aim of the guidance is to assist public bodies to address climate change as a key strategic issue alongside its corporate policies. In particular, there is a step-by-step guide for public bodies to put the climate change duties into practice.
Get in touch
Harper Macleod LLP offers our RSL clients specific support regarding the GDPR and FOISA, including a DPO service. If you require advice on any issues raised in this article please get in touch with Kelly Fraser, Senior Associate, Harper Macleod LLP.