⚠️ FOI: Communications between the Council, the ICO & WhatDoTheyKnow in relation to data breach.
Request to the Highland Council.
Sent: 14 December 2025
Due: 16 January 2026
Review Sent: 20 January 2026
Review Due: 17 February 2026
SICO App Sent: 19 February 2026
SICO Ref: 202600316
SICO App Validated: 7 April 2026
SICO Decision Notice: 078/2026
SICO Decision Date: 23 April 2026
SICO Deadline: 8 June 2023
Case ref: FS-Case-773522018
23 April 2026
Decision Notice 078/2026
Communications regarding specified data protection matters– failure to respond
Applicant: [redacted]
Authority: Highland Council
Case Ref: 202600316
Summary
The Applicant asked the Authority for communications relating to specified data protection matters.
This decision finds that the Authority failed to respond to the request within the timescale allowed by the Freedom of Information (Scotland) Act 2002 (FOISA). The decision also finds that the Authority failed to comply with the Applicant’s requirement for review within the timescale set down by FOISA.
Background
1. The Applicant made an information request to the Authority on 14 December 2025.
2. On the same day, the Authority acknowledged receipt of the Applicant’s information request. However, it did not respond to the information request.
3. On 20 January 2026, the Applicant wrote to the Authority requiring a review in respect of its failure to respond.
4. The Authority issued an acknowledgement on 13 February 2026, but it did not respond to the requirement for review.
5. On 19 February 2026, the Applicant wrote to the Commissioner, stating that she was dissatisfied with the Authority’s failure to respond and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
Investigation
7. Section 49(3)(a) of FOISA requires the Commissioner to notify public authorities of an application and to give them an opportunity to comment. The Commissioner did this on 7 April 2026.
8. The Authority did not provide the Commissioner with any submissions.
9. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information. This is subject to qualifications which are not relevant in this case.
10. It is a matter of fact that the Authority did not provide a response to the Applicant’s request for information within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA.
11. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review. Again, this is subject to qualifications which are not relevant in this case.
12. It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA.
13. The remainder of section 21 sets out the requirements to be followed by a Scottish public authority in carrying out a review. As no review has been carried out in this case, the Commissioner finds that the Authority failed to discharge these requirements: he now requires a review to be carried out in accordance with section 21.
14. The Commissioner recommends that the Authority considers whether it would be appropriate to apologise to the Applicant for its failure to comply.
Decision
The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in dealing with the information request made by the Applicant. In particular, the Authority failed to respond to the Applicant’s request for information and requirement for review within the timescales laid down by sections 10(1) and 21(1) of FOISA.
The Commissioner requires the Authority to issue a response, by 8 June 2026.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Jennifer Ross
Deputy Head of Enforcement
23 April 2026
Our Ref 202600316
Your Ref FS-Case-773522018
7 April 2026
Application for Decision by the Scottish Information Commissioner
Public Authority: Highland Council
I refer to your email of 19 February 2026, in which you applied for a decision from the Scottish Information Commissioner. Your application was about the failure of Highland Council to respond to your information request dated 14 December 2025, and your subsequent request for review of 20 January 2026.
I am satisfied that your application is valid in terms of the Freedom of Information (Scotland) Act 2002 (FOISA).
I will now carry out an investigation into the way in which Highland Council dealt with your information request. I will be your point of contact during the investigation.
My investigation will be limited to Highland Council’s compliance with the timescales in FOISA. At this stage, the Commissioner cannot investigate whether or not you should have received any of the information you asked for.
What happens next?
I will send Highland Council a copy of your application, and ask it to explain why it failed to reply to your information request and request for review. It will be told that the Commissioner is investigating your application, and will be given an opportunity to comment. I will keep you informed of any developments.
Once I have enough information to allow me to conclude whether Highland Council failed to comply with FOISA, I will consider what steps need to be taken.
If the authority issues a response
It is possible that Highland Council will respond to your request once I let it know that you have made an application to the Commissioner. If this happens, let me know:
if you still require a decision from the Commissioner or
if you are happy to withdraw the application. (Highland Council’s failure to respond to you on time will be recorded in our case handling system and may be taken into account for the purposes of future action under the Commissioner’s Enforcement Policy.)
If you become aware of any other matter which might affect the investigation, please let me know as soon as possible.
The decision
Once a decision has been reached, a copy of the decision will be sent to you and to Highland Council.
At the end of the investigation, we will publish the decision on our website. The published version will not name you or include other information which we think could lead to you being identified.
Information requests to the Commissioner
The Commissioner is a Scottish public authority for the purposes of FOISA and the EIRs and must respond to requests for any information he holds. This means it is possible (although very unlikely), that he will receive a request asking him to disclose your name or to disclose information about your case.
We can’t guarantee that your identity will automatically be withheld in response to an information request, but we will usually contact you to let you know and to give you a chance to comment.
More information about what we do with the personal information you give us can be found in our Privacy notice. If you would like me to send you a paper copy of the privacy notice, let me know.
Checking the status of your case
You can check the status of your case at any time by searching for your case reference on our website at https://www.foi.scot/current-investigations . The list of applications tells you what stage your case is at, from receipt and validation, through to allocation, investigation and decision approval and is updated daily. The list doesn’t include your name or any other information which would identify you.
Contact details
Please let me know if your contact details change at any point during the investigation.
If you have any queries about anything raised in this letter, please contact me.
Yours sincerely
Nick Murton
Freedom of Information Officer - Enforcement
________________________________________
Scottish Information Commissioner
Kinburn Castle, Doubledykes Road
St Andrews, KY16 9DS
20 January 2026
Dear Sir or Madam,
The following FOI requests are now overdue. If you could review these requests and provide a response at your earliest opportunity, I shall be grateful.
1. FS-Case-773522018
Communications between the Council, the ICO & WhatDoTheyKnow in relation to data breach. Due date: 16 January 2026.
2. FS-Case-773535625
Access Officers undertaking planning enforcement duties & RIPSA training. Due date: 16 January 2026
Thank you for your time & attention.
Kind regards.
14 December 2025
Please provide the following information:
1. All communications between the Council & the Information Commissioner’s Office in relation to case reference IC-308632-W9N2 wherein an infringement of Article 5(1)(f) GDPR was recorded in September 2024 and also later, an infringement of Article 31 GDPR in July 2025.
2. All internal communications between staff at the Council in relation to the above.
3. All communications between the Council and WhatDoTheyKnow / mySociety relating to the data breach that the ICO case reference above relates to.
Thank you for your time & attention.
Kind regards.