39.—(1) In these Regulations, “sensitive information” means information which is not reasonably accessible to the public and which is–
(a)information the disclosure of which to the public would, or would be likely to, adversely affect national security;
(b)information the disclosure of which to the public would, or would be likely to, adversely affect public safety;
(c)information, disclosure of which to the public would or would be likely to prejudice the commercial interests of the person to whom that information relates; or
(d)information which is personal data, within the meaning of section 1(1) of the Data Protection Act 1998(1) if the condition in paragraph (2) or (3) is satisfied.
(2) The condition in this paragraph is–
(a)in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the Data Protection Act 1998, that the disclosure of the information to a member of the public would contravene–
(i)any of the data protection principles; or
(ii)section 10 of that Act (right to prevent processing likely to cause damage or distress); or
(b)in any other case, that the disclosure of the information to a member of the public would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held by public authorities) were disregarded.
(3) The condition in this paragraph is that by virtue of any provision of Part IV of that Act the information is exempt from section 7(1)(c) of that Act (data subject’s right of access to personal data).
(4) In determining for the purposes of paragraph (2) whether anything done before 24th October 2007 would contravene the data protection principles, the exemptions in Part III of Schedule 8 to the Data Protection Act 1998 are to be disregarded.
40.—(1) A certificate signed by a member of the Scottish Executive certifying that disclosure of information to the public would adversely affect national security is conclusive evidence of that fact.
(2) A certificate under paragraph (1) may be given in relation to specific information or to information of a specified kind and may be expressed to have prospective effect.
(3) A document purporting to be a certificate under paragraph (1) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.
(4) A document which purports to be certified by or on behalf of a member of the Scottish Executive as a true copy of a certificate issued by a member of the Scottish Executive under paragraph (1) shall in any legal proceedings be sufficient evidence (or in England and Wales evidence) of that certificate.
41.—(1) Paragraph (4) applies to a Category 1 responder or a Category 2 responder (referred to in this Part of the Regulations as the “requesting responder”) to the extent that it is satisfied that the conditions in paragraphs (2) and (3) are satisfied.
(2) The condition in this paragraph is that the requesting responder reasonably requires information which is held by a Scottish Category 1 responder or a Scottish Category 2 responder–
(a)in connection with the performance of a duty under section 2(1)(a) to (d) or section 4(1); or
(b)in connection with the performance of another function which relates to an emergency.
(3) The condition in this paragraph is that the requesting responder is satisfied that–
(a)the information is not held by the requesting responder; and
(b)it is not reasonable to seek to obtain the information by other means.
(4) To the extent that this paragraph applies, the requesting responder may make a request for the information to a Scottish Category 1 responder or a Scottish Category 2 responder (referred to in this Part of the Regulations as “the receiving responder”).
42.—(1) In this Part of the Regulations, a reference to a “request for information” is a reference to such a request which–
(a)is in writing;
(b)states the name of the requesting responder and an address for correspondence;
(c)describes the information requested; and
(d)states the reason why the requesting responder requires the information in connection with the performance of a duty under section 2(1)(a) to (d) or section 4(1) or in connection with the performance of another function which relates to an emergency (as the case may be).
(2) For the purposes of paragraph (1), a request is to be treated as made in writing where the text of the request–
(a)is transmitted by electronic means;
(b)is received in legible form; and
(c)is capable of being used for subsequent reference.
43.—(1) Subject to paragraphs (2) and (4), the receiving responder must comply with a request for information.
(2) To the extent that the receiving responder is satisfied that–
(a)the request for information relates to sensitive information of the kind specified by paragraph (1)(a) of regulation 39 and disclosure to the requesting responder would, or would be likely to, adversely affect national security;
(b)the request for information relates to sensitive information of the kind specified by paragraph (1)(b), (c) or (d) of regulation 39 and disclosure to the requesting responder would, or would be likely to, adversely affect the confidentiality of the information,
the receiving responder must not comply with the request for information.
(3) If a receiving responder refuses to comply with a request in the circumstances specified in paragraph (2)(b), it must give reasons.
(4) To the extent that the receiving responder is satisfied that a request for information relates to sensitive information which has been directly or indirectly supplied to the receiving responder by a body which deals with security matters, the receiving responder must not comply with the request unless that body has given its consent to the provision of the information to the requesting responder; such consent may contain conditions.
44. The receiving responder must respond to the request for information–
(a)before the end of such reasonable period as may be specified by the requesting responder; and
(b)at such place as may be reasonably specified by that responder.
45.—(1) Except where required to do so under another provision of these Regulations, a general responder must not publish or disclose to any person sensitive information which–
(a)it has received under or by virtue of a provision of these Regulations; or
(b)it has received under or by virtue of a provision in regulations made by a Minister of the Crown under Part 1,
unless paragraph (2) or (6) applies.
(2) This paragraph applies, subject to paragraph (3), if consent for the publication or disclosure has been given by–
(a)in relation to sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 39 the originator of the information or (if different) a member of the Scottish Executive;
(b)in relation to sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 39, the person to whom the information relates.
(3) Paragraph (2) does not apply to information of the kind specified by paragraph (1)(a) of regulation 39 if a member of the Scottish Executive has issued a certificate in writing indicating that publication or disclosure of the information would adversely affect national security.
(4) Consent under paragraph (2) may–
(a)identify the information to which it applies by means of a general description;
(b)be expressed to have prospective effect; and
(c)may include conditions.
(5) In paragraph (2), “originator of the information” means–
(a)if the information has been directly or indirectly supplied to the responder by a body which deals with security matters, that body;
(b)if sub paragraph (a) does not apply, the information takes the form of a document and that document has been created by a public authority, that public authority;
(c)otherwise, the person who supplied the information to the responder.
(6) This paragraph applies if–
(a)the information is sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 39;
(b)the information is not sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 39;
(c)the responder is satisfied that the public interest in publishing or disclosing the information outweighs the legitimate interests of the person to whom that information relates; and
(d)the responder has informed the person to whom the sensitive information relates of its intention to publish or disclose the information and its reasons for being satisfied of the matter specified in sub paragraph (c).
46.—(1) Subject to paragraph (2), sensitive information which a general responder has received–
(a)under or by virtue of a provision of these Regulations; or
(b)under or by virtue of a provision in regulations made by a Minister of the Crown under Part 1,
may only be used by that responder for the purpose of performing the function for which, or in connection with which, the information was requested.
(2) Sensitive information may be used for purposes other than those specified in paragraph (1) if consent for such use is given by–
(a)in relation to sensitive information of the kind specified by paragraph (1)(a) or (b) of regulation 39, the originator or (if different) a member of the Scottish Executive; or
(b)in relation to sensitive information of the kind specified by paragraph (1)(c) or (d) of regulation 39, the person to whom the information relates.
(3) Consent under paragraph (2) may–
(a)identify the information to which it applies by means of a general description;
(b)be expressed to have prospective effect; and
(c)may include conditions.
(4) In paragraph (2), “originator of the information” means–
(a)if the information has been directly or indirectly supplied to the responder by a body which deals with security matters, that body;
(b)if sub paragraph (a) does not apply, the information takes the form of a document and that document has been created by a public authority, that public authority;
(c)otherwise, the person who supplied the information to the responder.
(5) In this regulation, “use” does not include publication or disclosure.
47.—(1) This regulation applies to sensitive information–
(a)received by a Scottish Category 1 responder under or by virtue of any provision of these Regulations;
(b)received under or by virtue of any regulations made by a Minister of the Crown under section 6(1)or 15(3); or
(c)has been created by a responder in discharging its duties under the Act, these Regulations or regulations made by a Minister of the Crown.
(2) Each Scottish responder must have in place arrangements for ensuring that the confidentiality of sensitive information to which this regulation applies is not adversely affected.
(3) The arrangements specified by paragraph (2) must include arrangements for ensuring that–
(a)sensitive information is clearly identifiable as such;
(b)only those persons who–
(i)are involved in the performance of a duty under section 2(1) or 4(1) or other function that relates to an emergency, and
(ii)as a result, need to have access to sensitive information,
have access to sensitive information;
(c)sensitive information is stored in a secure manner; and
(d)sensitive information is transferred (including transferral by electronic means) in a secure manner.