25-26/016

We refer to your request for information dated 06 June 2025 which we have handled under the Freedom of Information (Scotland) Act 2002 (FOISA).

Specifically, you asked for a “copy of the current GTCS Risk Register” as you expected it to “have been updated” following a review by the Professional Standards Authority. You clarified on 19 June 2025 that the “whole risk register” was within the scope of your request. Thank you for providing us with this clarification.

For context, please note that GTC Scotland reviewed our strategic risk framework during the 2023-24 Registration Year. In February 2024, our Council reflected the risk appetite for each risk as well as the targeted net score to manage and mitigate the specific risk. As such, the record is a living document which is continually updated as work progresses, and new actions are recorded within the document.

We have provided the information as a record labelled “FOI 25-26-16-Records" accompanying this response.

Where we have redacted portions of the above record in black, we consider it is exempt under section 30(c) of FOISA. We consider that releasing the records would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

While there is a clear public interest in the transparent operation of public authorities it is necessary for their proper functioning that risk assessment be considered internally without public scrutiny. We need to consider all forms of risk in a private space so that these can be properly developed and reviewed. Releasing unredacted versions of these records would prejudice the risk assessment process.

If these records were to be placed in the public domain by disclosing it to you under FOISA, we consider that would prejudice the process substantially. The consideration of risk requires a private space while it remains ongoing. Disclosure would have a significantly adverse impact upon employees involved in this type of work who need to assess entries on the register and carry out their roles in relation to its management. We consider the public interest in withholding this information outweighs the public interest in disclosure.

We have also redacted in red some of the information under section 38(1)(b) of FOISA (read with section 38(2A)(a)) because we consider that individuals could be identified by the data and that disclosure of this into the public domain would be a breach of the first data protection principle. Such disclosure would be unfair in terms of the UK GDPR (Article 5(1)(a)) and therefore unlawful. The exemption in section 38(1)(b) is not subject to the public interest test under FOISA.

You may contact informationgovernance@gtcs.org.uk if you are dissatisfied with this response, to request GTC Scotland conduct a review of it. You should describe the original request and explain your grounds of review. You have 40 working days from receipt of this response to submit a review request. When the review process has been completed, if you are still dissatisfied, you may use the Scottish Information Commissioner’s guidance on making an appeal to do so.