Guidance on legislation and regulation with which digital services may be required to comply.


This catalogue lists legislation and regulation related to the delivery of an online service by or on behalf of Scottish public sector organisations. For each item an introduction is provided as well as links to related guidance and standards.

Please note this document is currently in draft status and may be subject to change. We are happy to receive feedback on this document via the channels in the footer.

This information is provided as a starting point for Scottish public sector organisations who wish to provide services online, but they will have to seek their own advice about the risks and other relevant legal considerations as they apply specifically to the services they seek to provide. It is not an exhaustive list of legal considerations relevant to such services and shall not be taken as legal advice.




Equality Act 2010

The Equality Act 2010 legally protects people from discrimination in the workplace, in the provision of goods, facilities and services and in relation to the exercise of public functions.

It replaced previous anti-discrimination laws with a single Act, making the law easier to understand and strengthening protection in some situations. It sets out the different ways in which it’s unlawful to treat someone, and defines the grounds on which such treatment is unlawful (protected characteristics).

The Public Sector Equality Duty came into force across Great Britain on 5 April 2011. In Scotland it is supplemented by a set of Specific Duties set out in Regulations [1], which apply to public authorities listed in the Regulations. It means that public bodies have to consider all individuals when carrying out their day-to-day work - in shaping policy, in delivering services and in relation to their own employees. The duties require the elimination of unlawful discrimination as well as the promotion of equality of opportunity between persons who share a protected characteristic and those who do not. This includes taking steps to meet the needs of persons who share a protected characteristic that may be different to the needs of those who do not.

Related Guidance:

Related Standards:

Information rights

Data Protection Act 1998 [2]

The Data Protection Act regulates the processing of “personal data”. In particular, the Act protects the rights of living, identifiable individuals whom the data is about (data subjects), mainly by placing duties on those individuals or organisations who decide how and why such data is processed (data controllers). “Processing” includes obtaining, recording, holding, using, disclosing and destroying such data.

Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act, and in particular that such processing does not contravene the data protection principles contained in the Act. Additional considerations apply to the processing of sensitive personal data. Failure to comply risks enforcement action, even prosecution, and compensation claims from individuals. Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. A data controller’s duties under the Act apply throughout the period when they are processing personal data - as do the rights of individuals in respect of that personal data.

Data subjects have certain rights to access data about them that is held by the data controller by way of a subject access request.

Related Guidance:

Privacy and Electronic Communications (EC Directive) Regulations 2003

The Regulations are most concerned with electronic marketing, including by way of calls, texts and emails. However, they also regulate the use of “cookies” and similar technologies that track information about people accessing a website or other electronic services by storing information on devices used to access the website or other service.

The main obligation on service providers under the relevant regulation is to inform users of the use of cookies or similar technologies, the purpose of their use, and to seek users’ consent.

Related Guidance:

Freedom of Information (Scotland) Act 2002 [2]

The Freedom of Information (Scotland) Act 2002 provides public access to information held by public authorities.

It does this in two ways:

  • public authorities are obliged to publish a scheme setting out the information they routinely publish (“publication scheme”); and
  • members of the public are entitled to receive information from public authorities on request.

The Act covers any recorded information that is held by a Scottish public authority (excluding UK-wide public authorities based in Scotland), publicly-owned company, and certain arms-length organisations set up by local authorities in Scotland. Information held by UK-wide public authorities based in Scotland (e.g. BBC Scotland and The Forestry Commission) is covered by the Freedom of Information Act 2000.

Public authorities include, broadly, government departments, local authorities, the NHS, state schools and Police Scotland. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. There are a number of exemptions in the Act to the general entitlement to receive such information.

The Scottish Information Commissioner regulates the Freedom of Information (Scotland) Act 2002. However, the UK Information Commissioner’s Office (ICO) has regulatory power under the Freedom of Information Act 2000 in respect of UK public authorities based in Scotland.

Related guidance:


Climate Change (Scotland) Act 2009

The Climate Change (Scotland) Act 2009 sets out targets to reduce Scotland’s greenhouse gas emissions by at least 42% by 2020 and 80% by 2050, compared to a 1990-1995 baseline.

To ensure the delivery of these targets, the Act also requires that the Scottish Ministers set annual targets for Scottish emissions from 2010 to 2050, and publish a report on proposals and policies setting out how Scotland can deliver annual targets for reductions in emissions once emissions targets are fixed.

In particular, part 4 of the Act places duties on public bodies relating to climate change. The duties in the Act (section 44) require that a public body must, in exercising its functions, act:

  • in the way best calculated to contribute to delivery of the Act’s emissions reduction targets;
  • in the way best calculated to deliver any statutory adaptation programme; and
  • in a way that it considers most sustainable.

Related guidance:

The Waste Electrical and Electronic Equipment Regulations 2013 (WEEE)

The EC WEEE directive regulates the treatment of electrical and electronic equipment as waste - it was made law in the UK in 2007. WEEE obligations do not cover all aspects of waste and asset disposal (e.g. data removal and destruction, and the transportation of waste for disposal). These additional costs can sometimes be offset by the residual value of old equipment, but this needs to be negotiated with the supplier conducting the waste removal.

Also, some WEEE is defined as “special waste”, which means it contains hazardous material and must be disposed of with a fully completed consignment note by a registered waste carrier. The Scottish Environment Protection Agency (SEPA) website contains more information on the identification and disposal of “special waste”.

The WEEE regulations have interdependencies with the Scottish Landfill Tax, which comes into force in April 2015, and also with Scotland’s Zero Waste Plan, so all three documents should be read together.

Related guidance:

Consumer rights

Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013

The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 set out the rights of consumers in relation to contracts for goods and services, including distance contracts. The Regulations apply to services provided by ‘any government department or local or public authority’, but there are exceptions for social services, healthcare services and certain transport services.

The Regulations require traders (including providers of public services) to provide in a clear and comprehensible manner certain information relating to, among other things:

  • the identity of the provider;
  • the main characteristics of the goods and/or services provided;
  • the arrangements and timescales for their provision (including, where appropriate, the duration of the contract);
  • the price (if any) and payment methods;
  • any right to cancel.

The Regulations further provide for a right of withdrawal from the contract, with certain exceptions.

Related Guidance:

  1. The Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012 

  2. Some content in this section is re-used from the Information Commissioner’s Office website, licensed under the Open Government Licence.