Scotland · FOISA & UK GDPR

Scottish FOI and data protection, in one platform

AccessPoint runs Freedom of Information (Scotland) Act 2002 requests and UK GDPR data subject requests together — the 20-working-day clock, the Scottish Information Commissioner, breach notification, and DPIAs — inside your own Microsoft 365 tenant.

Scotland at a glance

FOI response deadline
20 working days (FOISA section 10)
DSAR response deadline
One month, extendable by two further months for complex or numerous requests
FOI fees
No fee where projected costs are £100 or under; authorities may charge above £100 and need not comply above the £600 upper limit
Breach notification
To the ICO within 72 hours where feasible (Article 33 UK GDPR)
Impact assessments
DPIA required for high-risk processing (Article 35 UK GDPR)
Oversight
Scottish Information Commissioner (FOISA); ICO (data protection)
Languages
English, with Gaelic and other languages configurable

Built for Scotland

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

FOISA request lifecycle

Intake to disclosure on the 20-working-day clock, with the FOISA exemptions, the public-interest test, the fee rules, and Commissioner-ready records, all built on Microsoft 365.

UK GDPR subject access

Run DSARs on the one-month clock with the two-month extension, identity verification, and third-party redaction — beside your FOISA requests, not in a separate system.

The Scottish configuration

FOISA is a separate statute with its own regulator; AccessPoint ships the Scottish configuration — not the UK one — so the exemptions, fees, and Commissioner all match the law that applies to you.

72-hour breach notification

Log a personal data breach, assess the risk to rights and freedoms, and get a live checklist of what must reach the ICO within 72 hours and the individuals affected.

The Scottish Information Commissioner

Track applications to the Commissioner, whose decision notices are enforceable, with an investigation workspace and a guided disposition; appeals run to the Court of Session.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud and no offshore processing.

A separate Scottish regime

Scotland has its own FOI law and its own Commissioner. AccessPoint ships the Scottish configuration, not the UK one.

The Freedom of Information (Scotland) Act 2002 is a distinct statute for Scottish public authorities, enforced by the Scottish Information Commissioner — not the UK FOIA 2000 or the UK ICO. Its exemptions, fee rules, and 20-working-day clock differ from the UK Act. Personal data, though, is still governed UK-wide by the UK GDPR and Data Protection Act 2018 under the ICO. AccessPoint runs both correctly: FOISA requests under the Scottish regime and data subject requests under UK data protection, on one platform in your own tenant.

FOISA, 20 working days Scottish exemptions and fee rules, Commissioner-ready.
Scottish Commissioner Enforceable decision notices, with appeal to the Court of Session.
UK data protection DSARs, breach, and DPIAs under the ICO, UK-wide.

Configured out of the box

Installing the sco-foi-dp configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • FOISA 2002 and the UK GDPR / DPA 2018 as the legal-authority spine
  • The 20-working-day FOISA clock on the Scottish working-day calendar
  • The FOISA exemption catalogue with the public-interest test
  • The FOISA fee rules — the £100 lower and £600 upper cost limits
  • Data-subject request types — access, rectification, erasure, restriction, portability
  • Article 33 and 34 breach-notification rules for the ICO on the 72-hour clock
  • Article 35 DPIA questionnaires and the Article 30 ROPA register
  • Scottish Information Commissioner application grounds and dispositions
  • Correspondence templates in English, extendable to Gaelic and other languages

Scotland Questions

Is FOISA the same as the UK Freedom of Information Act?

No. The Freedom of Information (Scotland) Act 2002 is a separate statute covering Scottish public authorities, enforced by the Scottish Information Commissioner, with its own exemptions and fee rules. AccessPoint ships the Scottish configuration — not the UK FOIA 2000 — while personal data is handled under the UK-wide UK GDPR and DPA 2018.

What is the FOISA response deadline?

20 working days (section 10). AccessPoint calculates it on the Scottish working-day calendar, tracks the fee position against the £100 lower and £600 upper cost limits, and applies the exemptions with the public-interest test.

How are the two regulators handled?

FOISA applications go to the Scottish Information Commissioner, whose decision notices are enforceable and appealable to the Court of Session on a point of law; data-protection complaints go to the ICO. AccessPoint tracks each on its own clock with an investigation workspace and a guided disposition.

Where does Scottish data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, documents, assessments, and audit history never leave your control — no third-party cloud, no vendor access, and no offshore processing.

Run Scottish FOI and Data Protection in One Platform

Try AccessPoint free for 30 days, pre-configured for Scotland. No credit card required.

Start Free Trial