Decision 198/2021: Environmental monitoring - failure to respond

Public authority: Scottish Environment Protection Agency
Case Ref: 202100530

Summary

The Applicant asked the Scottish Environment Protection Agency (SEPA) for information about the creation of an enforcement unit to review data and to carry out "enhanced environmental monitoring". The Applicant asked for:

1. the status of investigations being conducted by the "enforcement unit";

2. details of unexpected inspections;

3. the companies subjected to inspections; and

4. what enforcement action had resulted from inspections.

This decision finds that SEPA failed to respond to the request within the timescales allowed by the Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (the EIRs). The decision also finds that SEPA failed to comply with the Applicant's requirement for review within the timescale set down by FOISA and the EIRs.

The Commissioner requires SEPA to issue a review response in line with FOISA and the EIRs.

Background

1. The Applicant made an information request to SEPA on 18 November 2020.

2. Although the request was acknowledged on 18 November 2020, and clarification sought on 15 December 2020 (which the Applicant provided the same day), SEPA did not respond to the information request.

3. On 19 January 2021, the Applicant wrote to SEPA requiring a review in respect of its failure to respond.

4. The Applicant did not receive a response to his requirement for review.

5. On 26 April 2021, the Applicant wrote to the Commissioner stating that he was dissatisfied with SEPA's failures to respond and applying to the Commissioner for a decision in terms of section 47(1) of FOISA. The enforcement provisions of FOISA apply to the enforcement of the EIRs, subject to specified modifications - see regulation 17.

6. On 6 May 2021, SEPA was notified in writing that an application had been received from the Applicant and was invited to comment on the application.

7. SEPA responded to the Applicant on 16 June 2021. It acknowledged that it had failed to respond to the request in accordance with regulation 5(1) of the EIRs. SEPA provided information in response to part 1 of the request and, in response to parts 2 and 3, informed the Applicant that it was unable to provide a complete response due to the impact of the cyber-attack. (SEPA was subject to a serious and complex cyber-attack on 24 December 2020, which significantly impacted its contact centre, internal systems, processes and communications.) With respect to part 4 of the request, SEPA informed the Applicant that work was ongoing to collate information that remained available.

8. The Commissioner received submissions from SEPA on 28 June 2021. These submissions are considered below.

9. On 2 September 2021, SEPA provided the Applicant with an update, stating that it had made considerable progress in redacting correspondence and associated attachments for part 4 of the request, and anticipated that it would take some more time to complete. SEPA stated that an updated response would be issued in relation to parts 3 and 4 of the request, but it could not provide a specific timeline.

10. On 30 September 2021, SEPA issued a further response to the Applicant. SEPA provided an updated response to parts 1, 3 and 4 of the request, and disclosed a wide range of information, in redacted form, in relation to parts 3 and 4 of the request. SEPA stated that, due to the impact of covid-19 and the cyber-attack, the responses to parts 2, 3 and 4 of the request remained incomplete.

Commissioner's analysis and findings

11. It is apparent from the terms of the request that at least some of the information caught by it will be environmental information as defined by regulation 2(1) of the EIRs. In Decision 218/2007 Transport Scotland[1], the Commissioner confirmed at paragraph 51 that where environmental information is concerned, there are two separate statutory frameworks for access to that information and, in terms of the legislation, an authority is required to consider the request under both FOISA and EIRs.

12. As noted above, SEPA was subject to a cyber-attack on 24 December 2020, which had a major impact on the way it worked. Only recently has it been able to access its email system.

13. SEPA explained that it received an increase in the number and complexity of information requests in 2020. It acknowledged that this request was received before the cyber-attack, but explained that, even if it had been able to respond, the majority of information was stored in hard copy in offices, but, as buildings were closed due to the Covid pandemic, no-one could access the information. It also noted that, regardless of SEPA's Covid-19 and cyber- attack limitations, this request would have been a challenge to complete within the timescales.

14. SEPA acknowledged that the response of 16 June 2021 was not a full, substantive response. It explained a full response cannot be provided until its information recovery is complete in terms of what has been recovered and what may have been lost permanently. SEPA explained that relevant data could not be collated until it was sure that all systems had been searched. SEPA commented that it had tried to provide as full a response as possible with the resources available at this time.

15. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information. This is subject to qualifications which are not relevant in this case. The same timescale is laid down by regulation 5(2)(a) of the EIRs (although, if the request is both voluminous and complex, the authority can extend the 20 working day timescale by a further 20 working days - that did not happen here).

16. It is a matter of fact that SEPA did not provide a response to the Applicant's request for information within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA and regulation 5(2)(a) of the EIRs.

17. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review. Again, this is subject to qualifications which are not relevant in this case. The same timescale is laid down by regulation 16(4) of the EIRs.

18. It is a matter of fact that SEPA did not provide a response to the Applicant's requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA and regulation 16(4) of the EIRs.

19. While the Commissioner acknowledges the very challenging environment SEPA has found itself in since the cyber-attack, he has no discretion in this case to find that there has not been a breach of the above provisions where the relevant timescales are not met. Here, there is no doubt that the request was received by SEPA (prior to the cyber-attack) and that the requirement for review was received in January 2021 in the "Access to Information mailbox" (which was inaccessible at that time as a result of the cyber-attack). The Commissioner has no option but to find that SEPA failed to comply in the relevant timescales.

20. In responding to a request under FOISA, an authority is required either to disclose the information within 20 working days or apply a provision in Part 1 or exemption in Part 2 of FOISA.

21. Similarly, in responding to a request under the EIRs, an authority is required either to make the information available or apply an exception in regulation 10 (or 11) of the EIRs.

22. The Commissioner has considered the review response issued to the Applicant on 30 September 2021. The response does not state definitively whether all information has been disclosed (or made available) or whether SEPA has applied a provision in Part 1 or exemption in Part 2 of FOISA (or an exception in regulation 10 or 11 of the EIRs). Consequently, the response of 30 September 2021 fails to comply with both FOISA and the EIRs.

23. The Commissioner therefore requires SEPA to provide a revised review outcome to the Applicant confirming whether all information has been disclosed under section 1(1) of FOISA (or made available in line with regulation 5 of the EIRs) or whether SEPA has applied a provision in Part 1 or exemption in Part 2 of FOISA (or an exception in regulation 10 or 11 of the EIRs).

Decision

The Commissioner finds that the Scottish Protection Environment Agency (SEPA) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2020 (FOISA) and with the Environmental Information (Scotland) Regulations (the EIRs) in dealing with the information request made by the Applicant. In particular, SEPA failed to respond to the Applicant's request for information and requirement for review within the timescales laid down by sections 10(1) of 21(1) of FOISA and regulations 5(2) and 16(4) of the EIRs.

The Commissioner requires SEPA to issue a compliant review response, by 26 January 2022.

Appeal

Should either the Applicant or SEPA wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If SEPA fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that SEPA has failed to comply. The Court has the right to inquire into the matter and may deal with SEPA as if it had committed a contempt of court.

Daren Fitzhenry
Scottish Information Commissioner
10 December 2021

---