Information regarding Multi Agency Working: FOI review

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

Your request, reference 202100220747
Per a recent article in The Telegraph, local councils and NHS have engaged in multi agency working to vaccinate 16 and 17 year old’s without an underlying health condition in the England.

1. Please advise in Scotland if multi agency working of this nature, i.e, Local Authority Council’s, NHS Scotland (and any other government agency) are a personal entity?

2. Is there a central complaints procedure for multi agency working that allows for the ‘service user’ not to have to make individual complaints to to each agency or authority?

Your review request, reference 
Whilst I am grateful for the information contained in the response to my request I have to state that I am dissatisfied with the response to my Freedom of Information request.

My request, whilst not explicitly stating this, related to the concept of a legal entity as it pertains to the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) that became UK law on 25 May 2018. As the response stands it appears that an organisation that is a single legal entity could in fact be regarded as two separate legal entities as far as the Data Protection Act 2018 is concerned depending on the function that the organisation is performing.

I believe that an Internal Review is required to clarify the legal position and I will expand on the issues based on the initial response to my request.

In response to my request it is stated that:
Whilst the IJB brings together Health Boards, Local Authorities and other partners, it is its own statutory body, constituting a separate legal entity to Local Authorities and Health Boards.

Based on this response it is possible to imagine a scenario where there is a requirement to provide a specific type of care services for the elderly. The Health Board (e.g. NHS Lothian) for the area could come together with a local authority (e.g. East Lothian Council) together with another partner such a third sector organisation that has specialist expertise in elderly healthcare (e.g. Age Concern Scotland) and as such the response to this request would suggest that the “merged" unit of Council-Health Board-Third Sector Organisation would become a single legal entity in its own right.

Based on this example the “merged" unit of Council-Health Board-Third Sector Organisation would be regarded as a single legal entity and thus a single Data Controller for the purposes of the Data Protection Act 2018. Based in this logic a Data Subject could submit a Data Subject Access Request (DSAR) under Article 15 of the General Data Protection Regulations (GDPR) for the information recorded on them and each of the three organisation would be regarded as a single Data Controller.

Another example may illustrate the point. The IJB may be tasked with “vaccinating” all 12 to 17 year olds with the Pfizer/BioNTech mRNA therapy in a single local authority area and the local authority council and the local health board come together as its own IJB. Based on the response to this request the joint body of the local authority council-local health board would then become a single statutory body and thus legal entity and would therefore together be responsible for recording the informed consent for all of the medicated 12 to 17 years olds that have received the experimental mRNA therapy. A 12 year old Data Subject could then submit a DSAR to either the local authority council or the local health board and the two organisations would be viewed as a single legal entity under the definitions of a Data Controller under the Data Protection Act 2018.

In the internal review response would you please confirm that the combined organisation of two or more individual legal entities becomes a single legal entity under the definitions of the Data Protection Act 2018?


I have concluded that the original decision should be confirmed, with slight modifications. I note that your request for a review was not because you were dissatisfied with the handling of your request but with the explanation provided.

As stated in the previous response by my colleagues on the 02 August, the Public Bodies (Joint Working) (Scotland) Act 2014 (the Act) required Local Authorities and NHS Boards to work together to form partnerships, known as Integration Authorities (IAs). There are 31 Integration Authorities in Scotland.

Integration Authorities can follow one of two models in the Act, these are:

  • A ‘Lead Agency’, where one of the authorities (NHS or Local Authority) would be responsible for planning and delivering specified integrated health and social care functions (used only by Highland IA);
  • A ‘Body Corporate’, whereby a new legal entity called an Integration Joint Board (IJB) is responsible for planning, commissioning and overseeing the delivery of the integrated health and social care functions that are delegated to it by the Local Authority and Health Board.

To further clarify the point raised in your request for a review, these bodies are set up under statute which is not specific to individual cases. More information on this and Data (Subject) Access Requests is publicly available at the following website: Integration Joint Board: roles, responsibilities and membership - (

It is not for the Scottish Government to provide legal advice to the general public, and you may wish to seek this independently.

About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at


Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road

Back to top