Decision 242/2025:  Risk registers

Authority: Scottish Prison Service
Case Ref: 202500563
 

Summary

The Applicant asked the Authority for copies of specified risk registers.  The Authority withheld the risk registers on the grounds that disclosure would, or would be likely to, inhibit the free and frank provision of advice.  The Commissioner investigated and found that the Authority was entitled to withhold most of the information in the risk registers but not all of it.  He required the Authority to disclose the wrongly withheld information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 30(b) and (c) (Effective conduct of public affairs); 47(1) and (2) (Application for decision by Commissioner).

Background

  1. On 21 January 2025, the Applicant made a request for information to the Authority.  He asked for a copy of "the most up to date version of SPS's Corporate Risk Register and also the most up to date risk register pertaining to Low Moss Prison."   
  2. The Authority responded on 18 February 2025.  It withheld the information requested under the exemptions in sections 30(b) and 30(c) of FOISA.
  3. On 10 March 2025, the Applicant wrote to the Authority requesting a review of its decision. He stated that he was dissatisfied with the decision because the Authority had previously disclosed a risk register to him and he did not consider that any of the exemptions cited applied.
  4. The Authority notified the Applicant of the outcome of its review on 7 April 2025, fully upholding its original decision.
  5. On 15 April 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He stated he was dissatisfied with the outcome of the Authority’s review for the same reasons set out in his requirement for review. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 8 May 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to the sensitivity of the information withheld.   

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 30(b)(i) – substantial inhibition to free and frank provision of advice

  1. Section 30(b)(i) of FOISA provides that the information is exempt if its disclosure would, or would be likely to, inhibit substantially the free and frank provision of advice.  The exemption is subject to the public interest test in section 2(1)(b) of FOISA.
  2. In applying this exemption, the chief consideration is not whether the information constitutes advice, but whether the disclosure of that information would, or would be likely to, inhibit substantially the provision of advice. The inhibition in question must be substantial and therefore of real and demonstrable significance.
  3. As with other exemptions imparting a similar test, the Commissioner expects authorities to demonstrate a real risk or likelihood that actual inhibition will occur at some time in the near (certainly the foreseeable) future, not simply that inhibition is a remote or hypothetical possibility. For inhibition to be likely, there would need to be at least a significant probability of it occurring.

The Applicant’s comments

  1. The Applicant expressed concern that the Authority had not clearly distinguished between the grounds for relying upon the three distinct exemptions.  However, regardless of the exemption cited, he considered it unclear why these risk registers could not be disclosed given that the Authority had previously disclosed a risk register to him.

The Authority’s comments

  1. The Authority explained that the previous risk register the Applicant referred to was older, less comprehensive and addressed the circumstances of the COVID-19 pandemic, which were substantially different from the current circumstances addressed by this risk register.  It said that it had advised the Applicant of these differences at the time it disclosed the previous risk register.
  2. The Authority submitted that if contributors were aware that the advice and information in the risk register was to be made public, it would inhibit transparent, proactive, honest, free and frank advice, which is essential for effective risk management.
  3. The Authority said that some risks, such as those relating to establishment security, operational stability, or cyber security could expose sensitive information that could be mis-used if made public.  In addition to these concerns, it argued that contributors may fear that the honest disclosure of advice in relation to weaknesses or vulnerabilities could damage the Authority’s reputation, erode stakeholder confidence and substantially prejudice the perception of the Authority by the public.
  4. The Authority therefore submitted that knowing that risk registers could be made public could significantly prejudice the risk management process by creating a chilling effect on the Authority’s risk management approach.  It argued that this could lead to the sanitisation or downplaying of risks, underreporting of emerging threats, loss of early warning signs and ineffective risk mitigation.   It considered that this would have the effect of undermining the purpose of a risk register as its effectiveness and value relies entirely on the open and honest provision of advice in relation to risk identification and to therefore contribute to accurate risk assessment.
  5. The Authority acknowledged that some of the information contained within the corporate risk register may appear to be factual in nature or similar to matters reported publicly.  However, it explained that the risk register as a whole was not simply a collection of publicly known facts.
  6. The Authority said that the risk registers represent a structured and strategic internal assessment of risks, incorporating evaluations of potential impact, likelihood, internal controls, mitigation planning, and prioritisation.  It argued that disclosure of such information could therefore reveal the Authority’s internal judgements, strategic thinking and level of concern regarding specific risks – regardless of whether elements of those risks are already in the public domain.
  7. The Authority also acknowledged that some of the information contained within the corporate risk register may appear to be high level or administrative, but submitted that even information of this nature can reveal the Authority’s strategic priorities, weaknesses or concerns.
  8. While individual entries may seem innocuous, in aggregate, the Authority submitted that the corporate risk register provided a comprehensive picture of the Authority’s risk landscape and resilience.  It argued that this consolidated view was inherently sensitive and could be misinterpreted or misunderstood if taken out of its intended internal governance context.
  9. The Authority therefore argued that even high level or administrative entries in a risk register should be protected from disclosure as they could reveal strategic or operational vulnerabilities, expose organisational risks and could directly assist those with malicious intent.

The Commissioner’s view

  1. While the Commissioner notes the Applicant’s comments on the previously disclosed risk register, it is important for public authorities to treat each request for information on a case-by-case basis.  That information is disclosed in one case should not be taken to imply that information of a particular type will be routinely disclosed in future.  The circumstances of each case, including the content of the specific information under consideration, must be taken into consideration and (where required) the public interest in each case assessed on its own merits.
  2. The Commissioner recognises that risk registers are important and valuable tools that enable organisations to identify potential risks and to evaluate their approach to those risks, highlighting areas where further action may be required to mitigate identified risks.
  3. Such analysis contributes significantly to the effective conduct of public affairs, by making public authorities better able to avoid situations which would disrupt or harm their operations.  The Commissioner acknowledges that, for risk registers to be effective, they must be based on an honest assessment of the challenges faced by an organisation and how they can be overcome.
  4. The Commissioner notes that risk registers will often contain information of particular relevance to a public authority’s ability to respond to unexpected or rapidly changing situations.  He recognises that this complicates the identification of material that is genuinely sensitive and material that is suitable for disclosure. He also acknowledges that, given the nature of the Authority, it is likely to be targeted by organised criminal organisations with the motivation to identify and exploit vulnerabilities.
  5. Having considered these factors, and all the arguments put to him by the Applicant and Authority, the Commissioner is satisfied that disclosure of the majority of the withheld information would have the effect of substantially inhibiting the ability of the Authority’s staff to provide and record free and frank advice.
  6. Given the information in the risk register for Low Moss Prison (presented as a PDF file) is necessarily more specific and granular than the information in the corporate risk register, the Commissioner agrees that the Authority was entitled to withhold the risk register for Low Moss Prison in its entirety.
  7. However, for some of the material in the Authority’s corporate risk register (presented as an Excel spreadsheet), the Commissioner is not satisfied that disclosure would, or would be likely to, substantially prejudice the free and frank provision of advice.  Specifically:
  • Some of the information contained in the second and fourth sheets/tabs in the corporate risk register

  • All of the information contained in the sixth and seventh sheets/tabs in the corporate risk register

  1. Regarding the second and fourth sheets/tabs, these contain columns that name risks identified by the Authority.  The Commissioner notes that the specificity of these risks varies substantially.  However, for the higher-level risks – many of which could be anticipated by an informed observer – he does not agree that disclosure would, or would be likely to, substantially inhibit the Authority’s ability to receive and record free and frank advice.  (For the avoidance of doubt, where the risks named in these columns are more specific and detailed, he does accept that disclosure would, or would be likely to, inhibit the provision of free and frank advice.)
  2. Regarding the sixth and seventh sheets/tabs, these provide high level information on the Authority’s risk management approach.  Given the high-level and corporate nature of the information in these sheets, the Commissioner does not consider that disclosure would, or would be likely to, substantially inhibit the Authority’s ability to receive free or frank advice.
  3. Consequently, the Commissioner is satisfied that the exemption in section 30(b)(i) of FOISA applies to most of the withheld information other than the information outlined in paragraph 29.
  4. The Commissioner must go on to consider the application of the public interest test in section 2(1)(b) of FOISA in relation to the information he has found to be exempt under section 30(b)(i).  He will consider whether the other exemptions applied by the Authority apply to the information he has found not to be exempt under section 30(b)(i) of FOISA later in his decision. 

The public interest

  1. The “public interest” is not defined in FOISA but has been described as “something which is of serious concern and benefit to the public”, not merely something of individual interest. The public interest does not mean “of interest to the public” but “in the interest of the public”, i.e. disclosure must serve the interests of the public.

The Applicant’s comments

  1. The Applicant noted that a substantial number of prisoners were currently detained.  He therefore considered that the issues identified in the risk registers, especially issues associated with overcrowding, were likely to impact a large number of individuals.
  2. The Applicant highlighted various specific issues that he was aware of and commented that there was a clear public interest in ensuring that these issues were fully addressed.

The Authority’s comments

  1. The Authority noted that there is a public interest in transparency, including around financial decisions. It also considered that publishing details of its risk management strategies may provide reassurance to the public.
  2. However, it considered this would be outweighed by the chilling effect this would have on the Authority’s discussions and decision making, and the risks of mis-representation and misunderstanding.

The Commissioner’s view

  1. The Commissioner agrees that there is a substantial public interest in transparency and in public scrutiny of issues such as those highlighted by the Applicant.
  2. However, he considers that there is a greater public interest in ensuring that the Authority receives free and frank advice to inform its approach to risk management and ensure that.
  3. Accordingly, the Commissioner has concluded that the Authority was entitled to withhold the majority of the withheld information in terms of section 30(b)(i) of FOISA.

Section 30(b)(ii) – free and frank exchange of views

  1. The Commissioner has already accepted that the Authority was entitled to withhold, under section 30(b)(i) of FOISA, the majority of the information the Authority withheld under section 30(b)(ii).  He will therefore not consider this information again under this exemption and will only consider the information to which he found the exemption in section 30(b)(i) did not apply.
  2. Section 30(b)(ii) of FOISA provides that information is exempt if its disclosure would, or would be likely to, inhibit substantially the free and frank exchange of views for the purposes of deliberation.  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.
  3. As in the case with the exemption contained in section 30(b)(i) of FOISA, the chief consideration when applying the exemption in section 30(b)(ii) is not whether the information constitutes opinions or views, but whether disclosure of the information would, or would be likely to, inhibit substantially the free and frank exchange of views for the purposes of deliberation.  The inhibition in question must be substantial and therefore of real and demonstrable significance.

The Commissioner’s view

  1. The Authority confirmed that there was no substantive difference between its position regarding the applicability of the exemption in section 30(b)(i) of FOISA and the exemption in section 30(b)(ii) other than that one exemption related to the provision of advice and the other related to the exchange of views.
  2. The Commissioner therefore finds that, for the same reasons that he does not accept that the exemption in section 30(b)(i) of FOISA applies to this information, the exemption in section 30(b)(ii) also does not apply to this information.  In other words, he does not accept that disclosure of the information to which he found the exemption in section 30(b)(i) of FOISA did not apply would result in the inhibiting effect on the exchange of views required for the exemption in section 30(b)(ii) to be engaged. 

Section 30(c) – Substantial prejudice to the effective conduct of public affairs

  1. The Commissioner has already accepted that the Authority was entitled to withhold, under section 30(b)(i) of FOISA, the majority of the information that the Authority also withheld under section 30(c). Therefore, he shall not consider this information again under this heading and shall only consider the information he has not already agreed was appropriately withheld.
  2. Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". This exemption is subject to the public interest test in section 2(1)(b) of FOISA.
  3. The word "otherwise" distinguishes the harm required from that envisaged by the exemptions in sections 30(a) and (b).  This is a broad exemption, and the Commissioner expects any public authority applying it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure.
  4. There is no definition of "substantial prejudice" in FOISA, but the Commissioner considers the harm in question would require to be of real and demonstrable significance.  The authority must also be able to satisfy the Commissioner that the harm would, or would be likely to, occur: therefore, the authority needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure at some time in the near (certainly the foreseeable) future, not simply that the harm is a remote possibility.

The Applicant’s comments

  1. As stated above, the Applicant submitted that the Authority had not clearly distinguished between the grounds for relying upon the three distinct exemptions.  However, regardless of the exemption cited, he considered it unclear why these risk registers could not be disclosed given that the Authority had previously disclosed a risk register to him.

The Authority’s comments

  1. The Authority argued that it, like other public bodies, relied on open, honest, and robust internal discussion to make informed decisions about complex and sensitive matters, such as prisoner management, security protocols and staffing.  If officials believed that their views or advice might be disclosed publicly, they may withhold honest opinions, avoid raising controversial or dissenting perspectives or soften criticism or concerns.   It argued that this could reduce the quality and effectiveness of internal deliberations, leading to weaker decision-making.
  2. The Authority submitted that if this chilling effect were to occur, operational staff might not report potential issues or offer innovative suggestions for fear of public scrutiny, and senior officials may avoid documenting strategic concerns, limiting the creation of an evidence base for decisions.  It said that this would inhibit the Authority’s ability to operate responsively and transparently internally, ultimately undermining its operational effectiveness.
  3. The Authority explained that it operates in a high-risk, high-scrutiny environment, where decisions involve matters such as managing violent or vulnerable prisoners, responding to threats to security and allocating scarce resources.  In this context, it considered open and honest discussions to be essential.  If those involved felt constrained in their communication, it could delay critical decisions, lead to insufficient consideration of operational risks, and result in reputational harm if incomplete or misunderstood advice were made public out of context.
  4. The Authority also highlighted that its work depended upon interactions with external agencies and partners, including health services.  The disclosure of internal exchanges could damage trust between the Authority and its partners and lead to reluctance from other bodies to share sensitive operational insights.  It said that this could hinder coordinated responses to complex issues, such as prisoner welfare or emergency planning.
  5. The Authority therefore submitted that free and frank provision of advice and exchange of views were vital to the effective and safe running of the Authority.  If the provision or exchange of either were substantially inhibited due to concerns about information being released, it could seriously prejudice the Authority’s ability to make sound decisions, maintain order and protect both staff and prisoners.  It argued that this would substantially prejudice the Authority’s ability to conduct its public affairs effectively.

The Commissioner’s view

  1. The Commissioner notes that the Authority’s submissions relate to concerns about the effects of inhibiting the free and frank provision of advice and the free and frank exchange of views.  He agrees that inhibition of this sort could, especially given the high-risk nature of the Authority’s work, lead to serious consequences.  He has taken these risks into account in his consideration of the public interest, above.
  2. However, the word “otherwise” in section 30(c) of FOISA makes it clear that this exemption cannot be used to withhold information where the prejudice anticipated is substantial inhibition of the free and frank provision of advice or exchange of views.  In such cases, the exemptions in section 30(b) of FOISA should be applied instead.
  3. While the Authority outlined various other potential harms, the Commissioner considers that these are focused on anticipated consequences of an inhibition to the free and frank exchange of advice or views.
  4. To the limited extent that the Authority has outlined potential harms to the effective conduct of public affairs, the Commissioner does not agree that disclosure of the remaining information would, or would be likely to, prejudice substantially the conduct of public affairs. As previously stated, the remaining information relates either to high-level risks (many of which could be anticipated by an informed observer) or to high level information (which, in some instances, is corporate in nature) on the Authority’s risk management approach.
  5. In the circumstances, the Commissioner therefore finds that the Authority was not entitled to rely on the exemption in section 30(c) of FOISA to withhold the remaining information.

Decision 

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. 

The Commissioner finds that by correctly withholding some of the requested information under section 30(b)(i) of FOISA, the Authority complied with Part 1.

However, by incorrectly withholding other parts of the requested information, the Authority failed to comply with Part 1. 

The Commissioner therefore requires the Authority to provide the incorrectly withheld information (which he will describe more specifically in the covering letter to this Decision Notice) to the Applicant, by 21 November 2025.  He will specify the information to be disclosed by the Authority.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement  

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 

 

7 October 2025