We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

XL Bully dog exemption and insurance details: EIR Review

Published
9 December 2025
Directorate
Justice Directorate
Topic
Law and order, Public sector
FOI reference
EIR/202500483462 Review of 202500481540
Date received
5 September 2025
Date responded
29 September 2025

Information request and response under the Environmental Information (Scotland) Regulations 2004.

Information requested

Original request 202500481540

The Certificate of Exemption Scheme was presented publicly as a system designed to protect the public by ensuring that exempted dogs are subject to strict conditions and compulsory third-party liability insurance. However, your response means that in practice a victim is unable to verify whether an attacking dog was properly exempted or insured.

You say information is withheld as “personal data” under regulation 11(2) of the Environmental Information (Scotland) Regulations 2004. You also say this is not subject to a “public interest test”. This position leaves a victim in a predicament - they are told that compulsory insurance exists to protect them, yet they are denied access to the very details required that may help pursue a claim. Police Scotland and local authorities apply the same personal data rules which leaves no straightforward route for a victim to confirm the exemption or insurance status of a dog.

While I acknowledge the importance of protecting personal data, it is worth noting that under Articles 6(1)(d), 6(1)(e) and 6(1)(f) of the General Data Protection Regulation, processing of personal data is lawful where it is:

  • necessary in order to protect the vital interests of the data subject or of another natural person (6(1)(d));
  • necessary for the performance of a task carried out in the public interest or in the exercise of official authority (6(1)(e)); and
  • necessary for the legitimate interests of a third party (6(1)(f)) – i.e. such as a victim seeking to confirm that a dog which caused injury was properly exempted and insured -- provided those interests are balanced appropriately against the rights of the data subject.

I do not consider that Article 6 has been considered at all in your response - https://www.legislation.gov.uk/eur/2016/679/article/6

For what it is worth the name and address of the dog owner are known to my client – they simply need confirmation of the Certificate of Exemption details. When a victim suffers serious injury caused by an XL Bully it is essential to establish whether a Certificate of Exemption is in place to help know if any third party insurance cover will respond.

I would ask the Scottish Government to reflect on whether an adequate response to the original request has been provided here. Confirmation of exemption and insurance status would go some way to balancing data protection rights of the dog owner with the protection of the public, which is the stated purpose of the XL Bully scheme.”

Response

Following a review of the original response and the points raised, I can confirm that the decision is partially upheld. The reasoning is set out below.

I have reconsidered the applicability of the above exceptions against each of the documents in response to your original request 202500481540:

Request for Information
Freedom of Information (Scotland) Act 2002 (“the 2002 Act”)
The UK General Data Protection Regulation (UK GDPR)

“On 08/07/2025, our client was attacked by XL Bullys at… …Please confirm whether these particular XL Bully dogs were covered by a valid Exemption Certificate under the Dangerous Dogs Act 1991 and provide us with a copy of same. We would also be grateful if you could advise how the compulsory insurance requirements are monitored, and whether the details of the public liability insurer can be confirmed to us. This request is made under and in terms of the UK GDPR and Freedom of Information (Scotland) Act. We look forward to receiving the information requested.”

Certificate of Exemption and Insurance Details

The original response applied Regulation 11(2) of the Environmental Information (Scotland) Regulations (EIRs), which exempts personal data of third parties where disclosure would contravene the data protection principles under Article 5(1) of the UK GDPR. This exemption is correctly applied and is absolute, meaning it is not subject to the public interest test.

While you have cited Articles 6(1)(d), (e), and (f) of the UK GDPR as potential lawful bases for disclosure, these do not override the requirement to assess whether disclosure would be fair, lawful, and necessary under Article 5(1). In this case:

  • Article 6(1)(d) (vital interests) Recital 46 provides further guidance, that vital interests are intended to cover only interests that are essential for someone’s life. This lawful basis is limited in its scope, and generally only applies to matters of life and death, which are not evidenced here.
  • Article 6(1)(e) and 6(1)(f) require a balancing of interests. However, the Scottish Government is not the enforcement authority for the Dangerous Dogs Act 1991, and there are alternative lawful routes (e.g. via Police Scotland or civil proceedings) to obtain such information. Disclosure by the Scottish Government would not meet the necessity test under these provisions.

In addition, when considering FOISA and EIR requests, the Scottish Government require to treat all requests as if the information were being released to the public at large, not just to the individual requester. Therefore, prior knowledge does not override the exceptions.

However, we can confirm that a Certificate of Exemption exists for the dogs in question, but we are unable to provide a copy which would allow identification due to the data protection restrictions set out.

Therefore, the decision to refuse disclose of the Certificates of Exemption is modified. Copies of the Certificates of Exemption are included as Annexes to this response with regulation 11(2) applied, which exempts personal data of third parties.

The Scottish Government understand the importance of this information for your client. However, the appropriate route for confirming exemption and insurance status may be through civil proceedings, where disclosure can be managed under a different legal framework which allows for consideration of individual circumstances.

The original response explained that the Scottish Government does not hold records of individual insurance providers and is not responsible for monitoring compliance with insurance requirements. This is correct. However, under Regulation 10(4)(a) of the Environmental Information (Scotland) Regulations 2004 where information is not held, a formal notice should have been issued. This was not included in the original response.

Accordingly, the review is upheld in part to reflect that copies of the Certificates of Exemption should have been provided with regulation 11(2) applied, and to advise that a Regulation 10(4)(a) notice should have been provided in respect of the request for details of the public liability insurer and monitoring arrangements.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

EIR 202500483462 - Information released - Annex
File type
PDF
File size
100.8 kB

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG

Back to top