This guidance sets out the support available to wholly owned subsidiary companies from the University in relation to freedom of information legislation, environmental information regulations and the right of subject access under data protection law. A wholly publicly owned company is one which is completely owned by one or more Scottish public authorities. A list of Scottish public authorities is published by the Office of the Scottish Information Commissioner (OSIC). Publication Scheme FAQs – Legal Guidance Freedom of Information There are 3 key areas wholly owned subsidiary companies have to address to comply with freedom of information legislation. Wholly owned subsidiary companies of the University are responsible for their own compliance with the Freedom of Information (Scotland) Act 2002 (FOISA). Compliance with FOISA is regulated by OSIC. There are 3 strands of being subject to FOISA: 1. Responding to requests Wholly owned subsidiaries must respond to requests for recorded information within 20 working days in accordance with the requirements of FOISA.The University provides guidance on FOISA, however this is aimed at University staff and our processes and procedures will not always be relevant to subsidiary companies.University freedom of information guidanceOSIC's guidance on FOISAIf you receive a request Information Compliance Services can provide advice. However, the assistance we are able to provide will be more limited than that available to the University. This is because the University is not legally responsible for responses.Subsidiary companies are asked to follow the University's quality assurance procedure before sending out a response.University subsidiary companies quality assurance procedure (University log in required) 2. Publishing information Subsidiaries must adopt a publication scheme and proactively publish information and a "Guide to Information" as specified by OSIC. All Guides to Information created by subsidiary companies should be linked to on the Corporate Services Group website.Corporate Services Subsidiary Companies webpageA publication scheme template and some guidance are available on our wiki.Publication schemes for subsidiary companies wiki 3. Records management Public authorities subject to FOISA are required to follow the Scottish Ministers’ Code of Practice on Records Management by Scottish Public Authorities under the Freedom of Information (Scotland) Act 2002. The Code of Practice forms a requirement to establish and maintain complete records management systems and procedures.Code of Practice on Records ManagementFor more information about records management, see the University's records management website.Records management website Further OSIC guidance about compliance Duties under FOI law guidanceBriefings and Guidance (FOISA and EIRS)Code of Practice on Discharge of Functions (FOISA and EIRS) Environmental Information Wholly owned subsidiary companies are responsible for their own compliance with the Environmental Information (Scotland) Regulations 2004 (EIRS). There are 3 strands of being subject to EIRS: 1. Responding to requests Wholly owned subsidiaries must normally respond to requests for recorded information within 20 working days in accordance with the requirements of EIRS.The University provides guidance on EIRS, however this is aimed at University staff and our processes and procedures will not always be relevant to subsidiary companies.University environmental information regulations guidanceOSIC’s guidance on EIRSIf you receive a request Information Compliance Services can provide advice. However, the assistance we are able to provide will be more limited than that available to the University. This is because the University is not legally responsible for responses.Subsidiary companies are asked to follow the University's quality assurance procedure before sending out a response.University subsidiary companies quality assurance procedure (University log in required) 2. Actively disseminating environmental information Subsidiaries must actively disseminate certain types of environmental information if they hold it. Information should be made easily available for example by publishing on their website and inclusion in the publication scheme. 3. Publishing a schedule of charges Subsidiaries may charge a reasonable fee for making environmental information available but only if it has published a schedule of charges. Right of Subject Access to Personal Data Wholly owned subsidiary companies are responsible for their own compliance with data protection legislation.The University provides guidance on all aspects of data protection compliance including responding to subject access requests, however this is aimed at University staff and our processes and procedures will not always be relevant to subsidiary companies.Data protection law gives people the right to see personal information which a subsidiary holds about them. They exercise this right by making a subject access request. Subject access requests should normally be responded to within one month. Data protectionSubject access requestsIf you receive a subject access request Information Compliance Services can provide advice. However, the assistance we are able to provide will be more limited than that available to the University. This is because the University is not legally responsible for responses.For advice on other aspects of data protection compliance, you should contact the University’s Data Protection Officer or refer to the information provided by the Information Commissioner’s Office (ICO).Information Commissioner’s Office This article was published on 2025-05-29
