Decision Notice 121/2026: Playground risk assessments

Authority: Aberdeenshire Council
Case Ref: 202501232
 

Summary

The Applicant asked the Authority for risk assessments relating to a named primary school within the local authority area.  The Authority initially failed to respond to the request but later disclosed one risk assessment and notified the Applicant that it held no further information. 

The Commissioner investigated and found that the Authority held no information which fell within the scope of the request.  He also found that the Authority should have responded to the request under the EIRs, rather than FOISA, but he did not require it to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 47(1) and (2) (Application for decision by Commissioner).

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definition of “the Act”, “applicant” and “the Commissioner” and paragraphs (a), (b), (c), and (f) of the definition of “environmental information”) (Interpretation); 5(1), (2) (Duty to make environmental information available on request); 13 (Refusal to make information available); 16 (Review by Scottish public authority); 17(1), (2)(a) and (b) (Enforcement and appeal provisions).

Background

1. On 30 May 2025, the Applicant made a request for information to the Authority.  He asked for:

All finalised versions of the playground risk assessment documents for [named school] during the 2024–2025 (up to and including 19 May 2025) academic year.  To include:

i) Any formally published versions of the playground risk assessment.

ii) Any internally circulated finalised versions that were in effect at any point during the academic year up to and including 19-May-2025.

The Applicant specified that his request was limited to finalised documents only and did not include draft versions or documents under review.

2. The Authority failed to respond to the request.
3. On 3 July 2025, the Applicant wrote to the Authority requesting a review of its failure to respond. 
4. The Authority advised the Applicant on 24 July 2025 that it was working to complete his request as soon as possible.  It apologised for the delay in response and for the lack of updates.
5. The Authority notified the Applicant of the outcome of its review on 25 July 2025.  The Authority stated that there had been a technical breach due to its failure to respond within the statutory timescale.  The Authority also stated that it was disappointed to note that the information requested had not yet been located and that efforts to find it were still ongoing. The Authority commented that it would reconsider the requirement for review when the information was located.
6. On 25 July 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.   By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because it had breached the statutory timescales and had not located the information and provided it to him.

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 
8. On 9 September 2025, the Authority was notified in writing that the Applicant had made a valid application, and the case was allocated to an investigating officer.
9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions. 
10. On 13 October 2025, prior to the start of the investigation, the Authority disclosed a Playground Risk Assessment to the Applicant and stated that this was all the information it held.

Commissioner’s analysis and findings

11. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

FOISA or EIRs?

12. "Environmental information" is defined in regulation 2(1) of the EIRs.  Where information falls within the scope of this definition, a person has a right to access it under regulation 5(1) of the EIRs, subject to various restrictions and exceptions contained in the EIRs.
13. The Applicant asked for information about playground risk assessments at a specified, named school.  Although he did not express dissatisfaction that his request was dealt with by the Authority under FOISA, rather than in terms of the EIRs, the Commissioner must consider whether the correct legislation (FOISA or the EIRs) was used.  The first question, therefore, is whether the information requested is environmental information.
14. The Authority submitted that it had not considered whether the requested information was environmental information at any point during its processing of the request.  Having considered the issue as a result of the Commissioner’s investigation, the Authority concluded that it was not environmental information because it did not relate to the state of the elements of the environment, nor factors affecting the elements of the environment.
15. The Commissioner has carefully considered the Authority’s view, the subject matter of the Applicant’s request, and the definition of environmental information given in regulation 2(1) of the EIRs. The Commissioner notes that the request asks for information about risk assessments carried out on built structures (those contained within a playground, including playground equipment and surfacing) in an outdoor environment which is open to the elements and to factors affecting the environment, and the measures that have been considered in relation to the safety of that environment when being used by children.
16. Given this, he is satisfied that the information falls within the definition of environmental information in regulation 2(1) of the EIRs, specifically paragraphs (a), (b), (c) and (f) of that definition.
17. The Commissioner, therefore, finds that the Authority failed to identify environmental information, in terms of regulation 2(1) of the EIRs.  In doing so, the Authority failed to comply with regulation 5(1) of the EIRs.

Section 39(2) of FOISA - environmental information

18. The exemption in section 39(2) of FOISA provides that, in effect, environmental information (as defined by regulation 2(1) of the EIRs) is exempt from disclosure under FOISA, thereby allowing any such information to be considered solely in terms of the EIRs.
19. In this case, as noted above, the Authority did not agree that the request fell to be considered under the EIRs and instead responded solely under FOISA.
20. The Commissioner finds that the Authority would have been entitled to apply the exemption in section 39(2) of FOISA to the request, given his conclusion that the information requested was properly classified as environmental information.
     
21. As there is a separate statutory right of access to environmental information available to the Applicant, the Commissioner also accepts that, in this case, the public interest in maintaining this exemption and handling the request in line with the requirements of the EIRs outweighs any public interest in disclosing the information under FOISA.

Information held by the Authority

22. Having found that FOISA was not the correct legislation for dealing with this request, the Commissioner will now consider whether further information falling within scope of the Applicant’s request was held by the Authority and should have been provided to him under the EIRs.
23. Paragraph 50 of The Commissioner’s guidance on regulation 10(4)(a) of the EIRs (Information not held) is clear that whether a public authority should hold information which it does not hold is not a matter for the Commissioner to decide.
24. As noted in paragraph 10, on 13 October 2025, the Authority provided the Applicant with a playground risk assessment for the named school and notified him that it held no further information falling within the scope of the request.

The Applicant’s comments 

25. The Applicant was dissatisfied with the Authority’s position.
26. The Applicant noted that he had received a risk assessment from the school’s head teacher on 26 May 2025 which he considered to have been disclosed outwith the Freedom of Information (FOI) process and which he referred to as “RA#1”.  The Applicant subsequently received another risk assessment (this time under FOI, in answer to his request) on 13 October 2025 which in the Applicant’s opinion was a different risk assessment to the one he received on 26 May 2025.  He referred to this as “RA#2”. 
27. The Applicant submitted that RA#1 and RA#2 were different documents, because different meta-data was associated with each, and he contended that the Authority held both (at the time of the request).   He was dissatisfied that only one of the documents had been provided under the FOI process and argued that both should have been.
28. The Applicant added that it would be fair to assume that the Authority held previous risk assessments, further to those he had received, because carrying out risk assessments was a legal requirement under UK Health and Safety law and was also required under the Authority’s own internal risk management policy requirements. 
29. The Applicant stated that he further assumed that the risk assessment would have been based on a previous version.  Given there was an April 2025 version (RA#1), he considered (based on his own experience) that these risk assessments would be updated based on new learning, etc. from prior versions.
30. The Applicant also submitted that there was evidence to show that there was an established update/review process applied in the authority, hence RA#2 being different from RA#1.

The Authority’s comments

31. The Authority provided the Commissioner with a FOI audit form detailing the searches which it undertook for information within scope of the request.  
    This form contained the dates of searches, the names of staff undertaking searches, the criteria of searches and the locations where searches were carried out.
32. In addition, it stated that the school’s acting headteacher had searched for information by: 
    1. Searching all hard copy and electronic folders/files held at the school.
    2. Instructing school administration staff to search all hard and electronic folders/files.
    3. Engaging with the Cluster Business Manager and the Facilities Operations Coordinator to confirm they held no information.
    4. Engaging with the Quality Improvement Manager, to determine whether it would be possible to search the personal electronic folders/files of a former member of staff.
33. The Authority explained that these staff were consulted as they were all part of the school and might have had further insight or knowledge of where the relevant information may have been held, in light of it not being held centrally.
34. The Authority stated that its IT department was contacted to help with the search of electronic records held by the former member of staff (referenced above) which were not immediately available. The Authority went on to explain why these electronic records were not immediately available.  The Commissioner will not detail these submissions here, but he has taken them into account. 
35. In terms of whether it would be expected to hold the information, the Authority stated that it would expect a risk assessment to be carried out and recorded where the service felt that a significant risk was present.  It noted that the process of this risk assessment would be to eliminate the risk wherever possible or, if not possible, to reduce the risk to a low level.  It acknowledged that there was a legal duty for all risk assessments carried out by the Authority to be recorded and that there was internal corporate guidance and service-specific guidance in place relating to risk assessments. 
36. The Authority acknowledged that it would have expected a risk assessment (prior to that provided to the Applicant in May 2025) to have been instructed and recorded in line with the guidance.  It stated that while it could not confirm whether this was not instructed, or not recorded, or both, it believed that the searches it had carried out confirmed that no such risk assessment (pre-dating May 2025) was held.
37. The Authority submitted that upon realising that no risk assessment was held, the acting headteacher ensured that a risk assessment was carried out in line with the Authority’s duties.
38. The Authority confirmed that it had found no evidence to suggest that information relating to the risk assessment had been mislaid, deleted or destroyed.
39. It stated that there was no previous version of the risk assessment, which was shared with the Applicant on 26 May 2025, and that this version (RA#1) was the same as that provided through the FOI process on 13 October 2025 (RA#2).  It commented that any differences between the two documents were limited to metadata, which could vary due to factors such as file creation, modification or sharing processes.  The Authority submitted that it had compared the two versions (RA#1) and (RA#2) and concluded the documents were the same.
40. The Authority commented that the document metadata was updated after the document was saved for inclusion in the Authority’s response to the information request (i.e. that was the reason for the different metadata in the two versions of the document).
41. The Authority also submitted that the risk assessment provided to the Applicant on 26 May 2025, which was labelled “April 2025 Updated”, was initially dated April 2025 because that was the expected completion date.  However, it stated that the final version was not created until 25 May 2025 and that the reason for this was the ongoing search for documentation within the school as part of the acting head teacher’s work to address gaps in the school’s record keeping. 
42. The Authority stated that the service was not in a position to complete the work and finalise the risk assessment until May 2025.  It argued that this date was evidenced by the file properties and it provided a screenshot of these file properties to the Commissioner.
43. The Authority explained that the risk assessment was labelled “Updated” because the acting headteacher was led to believe a risk assessment was already in place when he took on the task (although the Authority subsequently came to the view that this was not the case).
44. In answer to further questions from the Commissioner, the Authority stated that the risk assessment process had begun in April however, due to other matters which required to be prioritised, it was not possible for the formal risk assessment to be created and completed until the end of May.
45. The Authority further explained that the assessment process was active in April, when it was in what it described as “a working phase involving observation and assessment”, but that the formal risk assessment was only created and completed as a standalone document in May.
46. The Authority stated that the reference to “April” within the risk assessment was an error by the author which reflected the start and proposed timescale (of the process), rather than the actual date when the risk assessment was completed, as should have been the case.
47. Furthermore, it acknowledged that this had confused matters in this case.  It stated that it was satisfied that this was the only risk assessment it held in respect of the playground equipment, with this being put in place by the then-acting headteacher as a result of him identifying various gaps within the school’s own records.
48. The Authority acknowledged that the creation date of 25 May 2025, technically meant that the risk assessment fell outwith the scope of the request, which specified information up to and including 19 May 2025. However, it took the view that the risk assessment should have been provided as it was conducted during the school year.
49. The Authority later added that it did not believe there had been an earlier version of the risk assessment, and that if amendments or additions were required to this type of document these would tend to be made dynamically with the original version being overwritten until such time as the assessment or document was deemed finalised.

The Commissioner’s view

50. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities.  In determining this, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority.  He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.
51. The Commissioner acknowledges the Applicant’s view that he would have expected further risk assessments to be held (in addition to the risk assessments disclosed in May and October 2025) and he acknowledges that the Authority too would have expected information to be held.
52. The Commissioner would emphasise that, as set out in paragraph 23 it is not a matter for him to address whether particular information should have been held, only what, if anything, was held.
53. The Commissioner has considered the Authority’s responses to his questions about searches and the details it provided of the searches undertaken.  He accepts that these searches were reasonable and proportionate in relation to the information requested.  He considers that the searches were carried out by employees who, in the circumstances, would have been able to identify all of the relevant information, including both school and IT staff.
54. He has also carefully considered the Authority’s explanation for the apparent discrepancy in the dates relating to the risk assessment which was dated April but which the Authority submitted was not in fact created until 25 May.  The Commissioner considers that, by the close of the investigation, the Authority had provided an adequate explanation for the apparent discrepancy between the date on the body of the document and the metadata relating to the same document and he is satisfied, given all of the submissions, that no earlier version of the document is held. 
55. He has also considered the Applicant’s comments on the two risk assessments he received from the Authority, the first outwith FOI on 26 May 2025 (which the Applicant referred to as RA#1) and the second on 13 October 2025 (referred to as RA#2).  Both were dated “April 2025 Updated”.
56. The Commissioner has carefully considered the wording of these documents to determine whether they could be considered to be the same, or different, documents.  The only difference in the substance of the documents appears to be a typographical error on page 5 which has crept into the October 2025 version.  Otherwise, it appears that the substantive text of both documents is the same.
57. The metadata of the document disclosed in May 2025 shows it was created on 25 May 2025 and was last modified on 26 May 2025.
58. The metadata of the document provided in October 2025 shows that document was created on 2 September 2025 and modified on 13 October 2025.
59. The Commissioner considers, on the evidence presented, that the original risk assessment was not created until 25 May 2025, six days after the date specified in the request (which stated “up to and including 19 May 2025”). 
60. He also considers that the risk assessment provided to the Applicant in October 2025 was essentially the same document (notwithstanding the one minor difference referenced) as that provided to him on 26 May 2025.  He is satisfied that the October 2025 risk assessment (RA#2) does not fall within the scope of the request, for the same reason that the original May 2025 risk assessment (RA#1) does not fall within the scope of the request, as both documents were created after 19 May 2025 – the date specified by the Applicant in his information request. 
61. The Commissioner is satisfied, on the balance of probability and given the evidence and details of searches carried out, that the Authority held no information falling within scope of the request (which specified a cut-off point of 19 May 2025) at the time it received the Applicant’s information request.
62. Given this, the Commissioner must find that the Authority failed to notify the Applicant under regulation 13 of the EIRs, that it did not hold this information, and in doing so, it failed to comply with the EIRs. 

Handling of the requirement for review

63. Regulation 16(4) of the EIRs gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review.  This is subject to qualifications which are not relevant in this case. 
64. The Applicant stated in his application to the Commissioner that he was dissatisfied with the Authority’s failure to respond to his requirement for review within the statutory 20 working days.
65. The Commissioner has observed that the Authority’s Review Panel issued its review outcome (what it termed its “decision”) on 25 July 2025. 
66. The Commissioner notes that the Applicant made his requirement for review on 3 July 2025.  Given that the Authority responded to this requirement for review on 25 July 2025, the Commissioner considers that this was well within the 20 working days specified in the legislation, and he does not therefore find this to be a breach of regulation 16(4) of the EIRs.
67. Regulation 16(3) of the EIRs, provides that when an authority receives “representations” from an Applicant in the form of a requirement for review, it must:
    1. consider them and any supporting evidence produced by the applicant; and
    2. review the matter and decide whether it has complied with these Regulations
68. In its review outcome, the Authority informed the Applicant that it was disappointed that the information had not yet been located, that efforts to find it were ongoing, and that it would reconsider the requirement for review when the information was produced.
69. It is clear to the Commissioner, that the review outcome (“decision”) issued by the Authority on 25 July 2025, did not comply with the requirements of regulation 16(3) of the EIRS.
70. Furthermore, the Commissioner would like to draw the Authority’s attention to the requirements of regulation 16(5) of the EIRs, which states that:

“Where the Scottish public authority decides that it has not complied with its duty under these Regulations, it shall immediately take steps to remedy the breach of duty.”

71. The Commissioner notes that the Authority did not respond to the request until 13 October 2025 (when it provided the Applicant with (RA#2) and notified him that no further information was held).  He therefore considers that the Authority did not fully “remedy” this breach of duty until 13 October 2025, several months after its original “decision” on the review outcome was issued. 
72. The Commissioner finds that the Authority’s review outcome of 25 July 2025 was not a compliant review in terms of regulation 16(5) of the EIRs, because it did not immediately take steps to remedy the breach of duty and thereby respond to the Applicant’s request.

Timescales 

73. It is a matter of fact that the Authority did not respond to the Applicant's request within the timescale allowed by the EIRs.  For this reason, the Commissioner must find that the Authority failed to comply with regulation 5(2) of the EIRs. 
74. As noted above, the Authority did respond to the Applicant’s requirement for review within the 20 working days set out in the EIRs, but the review outcome did not comply with the requirements of regulation 16(5). 

Decision 

The Commissioner finds that the Authority failed to comply with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by the Applicant. 

In particular, he finds that the Authority:

• failed to identify the requested information as environmental information, and in doing so it failed to comply with regulation 5(1) of the EIRs
• failed to respond to the request within the timescales given, and in doing so it failed to comply with regulation 5(2) of the EIRs
• failed to give the Applicant notice the information he had requested was not held, and in doing so it failed to comply with regulation 13 of the EIRs
• failed to issue a review outcome that complied with regulation 16(5) of the EIRs.

As the Commissioner has found that the Authority does not hold any information falling within the scope of the Applicant’s information request, he does not require the Authority to take any action in respect of these failures in response to the Applicant’s application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Jennifer Ross
Deputy Head of Enforcement

9 May 2026