Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology

16. Appendix 2. Statutory Framework

16.1 UK GDPR

Legislation to make provision for the regulation of the processing of information relating to individuals (personal data).

It sets out responsibilities for all data controllers processing personal data, and rights for data subjects.

Data protection legislation is not devolved.

Independent regulator - UK Information Commissioner

16.2 Freedom of Information (Scotland) Act 2002

An Act to make provision for the disclosure of information held by public bodies.

(No duty to create records but once a request is received, there are potential criminal sanctions for anyone who "with the intention of preventing the disclosure by the authority of the information, or part, to which the entitlement relates, alters, defaces, blocks, erases, destroys or conceals a record held by the authority"^[57])

Freedom of information is devolved.

Independent regulator – Office of the Scottish Information Commissioner

16.3 Public Records (Scotland) Act 2011

An Act to make provision for the management of records by certain authorities including the requirement for the Scottish Government to submit a Records Management Plan (RMP) to the Keeper of the Records of Scotland.