Privacy notice - FOI and Environmental Information

Freedom of Information and Environmental Information - Collecting and retaining personal information.

Loretto will be the "data controller" of the personal information that you provide to us in respect of your information request.

Our Data Protection Officer is Ranald Brown who can be contacted on

What we need

The personal information we require from you to process your request for information under the Freedom of Information (Scotland) Act 2002 (FOI) or the Environmental Information (Scotland) Regulations 2004 (EIR) includes but may not be limited to:

  • your full name
  • your contact details (phone, email and/or correspondence address)
  • details of anyone authorised to act on your behalf if applicable.

You are giving us your personal information to allow us to process your information request and to provide you with a response under the Freedom of Information (Scotland) Act 2002 or the Environmental Information (Scotland) Regulations 2004. We will also need to process your personal information if you ask us to review the way that we have handled your request for information or if you make an appeal to the Scottish Information Commissioner. We also use your information to verify your identity where required, contact you by post, email or telephone and to maintain our records.

Why we need your personal information – legitimate interest

We are not listed as a public body under the Freedom of Information (Scotland) Act 2002 although we do act in the spirit of the Act.

If you make a request which we interpret to fall under FOISA then we will need to process your personal information to respond to your request for information and to respond to your request for review of our response. Where you provide us with more sensitive personal information about you, we will process this information for reasons of substantial public interest as set out in UK data protection regulation.

Other uses of your personal information

We may ask you if we can process your personal information for additional purposes.

Where we do so, we will provide you with an additional privacy notice with information on how we will use your information for these additional purposes.

Who we share your personal information with

We are also legally obliged to share certain data with other public bodies, such as HMRC, and will do so where the law requires this. We will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and appropriate. Your information is also analysed internally to help us improve our services.

Where you make an appeal to the Scottish Information Commissioner we are legally obliged to share your information with them.

We may transfer information about you to other Wheatley Group subsidiaries for purposes connected to your request for information or the management of the company’s business.

How we will communicate with you

As you have requested information from us, we need to communicate with you. This will usually be in writing or by telephone, but is increasingly electronic.

We will only discuss your request with those authorised (temporarily or permanently) by you.

How we protect your personal information

Your personal information is stored on our paper and IT filing systems which may be copied for testing, backup, archiving and disaster recovery purposes. Access to your information is limited to those who require it to provide services to you. All data is held within the UK.

If any of your personal information is transferred outwith the European Union or the European Economic Area by any of our contractors, we will ensure that there are adequate safeguards in place to protect your personal information in accordance with the General Data Protection Regulations and the Data Protection Act 2018.

How long we keep your personal information

We will only keep your personal information for as long as necessary to process your information request and to safeguard us in the event of any claims, complaints, litigation, enquiries or investigations that follow. Unless you ask us not to, we will delete your personal information relating to your information request in accordance with the following timescale:

  • FOI request – 2 years from response date
  • FOI Appeal to SIC – 5 years from response date
  • EIR Request – 2 years from response date
  • EIR appeal to SIC – 5 years from response date.

We have a data retention policy that sets out the periods for retaining and reviewing all information that we hold. You can request a copy by contacting us at

Your rights

You can exercise any of the following rights by writing to us at

Your rights in relation to your personal information are:

  • you have a right to request access to the personal information that we hold about you by making a "Subject Access Request"
  • if you believe that any of your personal information is inaccurate or incomplete, you have a right to request that we correct or complete your personal information
  • you have a right to request that we restrict the processing of your personal information for specific purposes
  • if you wish us to delete your personal information, you may request that we do so.

Any requests received by Loretto will be considered under applicable UK Data Protection Legislation. If you remain dissatisfied, you have a right to raise a complaint with the Information Commissioner's Office at

The accuracy of our information is important to us - please help us keep our records updated by informing us of any changes to your email address, telephone numbers and other details.

Changes to our privacy notice

Our privacy notice is regularly kept up to date and this version was updated on 17 December 2018. The latest full version is always available from our website.