- Cross-cutting Environmental Governance
- 31 January 2024
1. Executive summary
1.1
The Scottish Environment Protection Agency (SEPA) regulates businesses and individuals that carry out activities that could pollute or otherwise negatively affect the environment. SEPA provides permission to carry out such activities as long as certain rules are followed and issues licences, permits, registrations and exemptions in this connection.
1.2
SEPA must maintain, and make available to the public, information about these activities in the form of public registers. There are 16 public registers (collectively referred to as ‘the Public Register’) which SEPA is under a duty to maintain.
1.3
Environmental Standards Scotland (ESS) received a representation relating to the way SEPA maintained a particular public register. During the consideration of the representation, ESS engaged with SEPA about the status and availability of all 16 public registers. ESS found that the public registers are not fully available and maintained as required by legislation. This is largely as a result of a major cyber-attack on SEPA in December 2020. ESS made recommendations for improvement which SEPA accepted and agreed to implement.
1.4
SEPA has provided ESS with an explanation of the work carried out so far and its plans for making relevant information progressively available, with the ultimate goal being a new, fully online, Public Register. ESS concluded that the measures being taken and the timescales proposed by SEPA are reasonable.
1.5
ESS accordingly considers that informal resolution has been achieved and will continue to monitor and publicly report on SEPA’s progress against the agreed plan.
- Cross-cutting Environmental Governance
- 31 January 2024
2. Background to the representation
2.1
On 6 June 2023, ESS received a representation from a Non-Governmental Organisation (NGO) alleging that SEPA was failing to discharge its statutory duty to maintain a particular public register as required by Regulation 64(1) of the Pollution Prevention and Control (Scotland) Regulations 2012 (‘the 2012 Regulations’). Under the 2012 Regulations, SEPA must maintain a public register containing a variety of information, such as applications for permits, details of permits, appeals and enforcement notices.
2.2
Before approaching ESS, the NGO had raised its concerns with SEPA. SEPA upheld the complaint, providing the following information:
- SEPA’s Public Register remained affected by a cyber-attack which it suffered in December 2020
- SEPA is rebuilding the Public Register in phases and will keep the public updated on progress. In the interim, SEPA is working to make more information available either by request or online
- prior to the cyber-attack the Public Register was not fully online and there is no legal obligation for it to be
- information regarding the particulars of any application made to SEPA for a permit from January 2021 is available on request (subject to data protection and confidentiality considerations)
- other information may also be available on request
2.3
The outcome sought in the representation was for SEPA to discharge fully its duty under the 2012 Regulations by a reasonable deadline. Due to the following factors, ESS considered the case to be within its remit:
- the representation relates to a public authority – SEPA
- the representation relates to environmental law – the 2012 Regulations
- the alleged failure as set out in the representation may constitute a failure to comply with environmental law
2.4
ESS also considered the matters raised fell within its ‘significance criteria’ as the representation suggested long standing non-compliance with legal duties which could undermine public confidence.
- Cross-cutting Environmental Governance
- 31 January 2024
3. Public registers
3.1
Access to environmental information is important for ensuring public participation and achieving sustainable development, as it gives greater opportunity for the public to inform the decision-making process and empowers them to become involved in matters which affect the quality of their lives.[1] Increased access to environmental information, and in particular on regulated activities, allows for greater transparency and accountability.
3.2
The Aarhus Convention[2] specifically recognises that “in the field of the environment, improved access to information and public participation in decision-making enhance the quality and the implementation of decisions, contribute to public awareness of environmental issues, give the public the opportunity to express its concerns and enable public authorities to take account of such concerns”.
3.3
Public registers are an important means by which the public can access environmental information and understand and influence the decisions being made which could affect the environment. The legislation requiring public registers is outlined in the annex to this report. In most cases, the legislation requires the information on the register to be available for inspection at all reasonable hours, free of charge, in any form.
3.4
The particulars for each register vary: for example, the Water Environment (Controlled Activities) (Scotland) Regulations 2011 (’the CAR regulations’) lists 25 particulars that must be contained within the register. Other registers have far fewer requirements.
3.5
SEPA also has a duty under Regulation 4(1) of the Environmental Information (Scotland) Regulations 2004 to make environmental information progressively available to the public by electronic means.[3] This duty includes information on “authorisations with a significant impact on the environment and environmental agreements or a reference to the place where such information can be requested or found.”
[1] Access to environmental information: guidance for public authorities and interested parties, 2004 (https://www.gov.scot/publications/access-environmental-information-guidance-scottish-public-authorities-interested-parties-guidance/)
[2] United Nations Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters, 1998 (https://unece.org/DAM/env/pp/documents/cep43e.pdf)
[3] The Environmental Information (Scotland) Regulations 2004, Regulation 4 (https://www.legislation.gov.uk/ssi/2004/520/regulation/4/made)
- Cross-cutting Environmental Governance
- 31 January 2024
4. Initial engagement with SEPA
4.1
Following assessment of the representation, on 4 July 2023 ESS approached SEPA seeking information on the following points:
- how the public have historically been able to access the registers
- how many of the registers are actively maintained and up to date
- the reasons for why any registers are not actively maintained/up to date; and plans to secure compliance in relation to these registers
- whether SEPA can provide on request information that should be held on a public register
4.2
On 9 August 2023 SEPA responded, explaining again that it had suffered a serious and complex cyber-attack which had destroyed its digital infrastructure and initially meant that SEPA was unable to access the information held within it. SEPA also explained that, prior to the cyber-attack, the public were able to access the Public Register, or parts of it, in the following ways:
- in person at a SEPA office by means of a digital Public Register (a digitisation of most of the previously held hard copy public registers for the main regimes which SEPA regulates). The digital Public Register was not online but accessible via computer in a SEPA office
- by email or phone request – any documentation stored in the Public Register could be accessed by the public remotely by means of a link provided by SEPA
- Waste Carriers and Controlled Reservoir Registers, and much of the public register information relating to the 2012 Regulations were available on the SEPA website
- public registers for Packaging Waste, Waste Electrical and Electronic Equipment and Batteries and Accumulators were (and are) accessed via the National Packaging Waste Database (not impacted by the cyber-attack)
- some public register information for Contaminated Land is available on the SEPA website and was not impacted by the cyber-attack
4.3
SEPA described the post-cyber-attack position as follows:
- all Public Register information received or issued since January 2021 is saved digitally and can be made available to the public on request
- the previously used digital Public Register is not accessible. As a result, a significant amount of pre-January 2021 information is not available digitally
- SEPA is progressively recovering this information where duplicates were held on back-up drives and hard copy files, but there remains a large number of documents which have not been, and may never be, recovered. SEPA does hold key data on all authorisations, including authorisation number, location, responsible person, activity, and numeric conditions. Since the attack, SEPA has internally collated the bulk of key records for higher-risk sites (around 6,000 sites)
- for lower risk sites (around 170,000 sites) SEPA search for Public Register information as and when required. Whilst key information is held for all 170,000 authorisations, SEPA does not necessarily hold the authorisation documents
- most recovered information has not yet been verified and SEPA gives a disclaimer when responding to requests for Public Register information that the information provided may not be complete or accurate
4.4
SEPA also provided ESS with a high level plan to make Public Register information progressively available online, initially on its current website before the construction of a new online Public Register.
4.5
ESS recognised that SEPA was aware of its duty to maintain the public registers but considered that there was insufficient detail within the plan to restore the public registers. In ESS’ view, a more detailed plan with timescales to which SEPA could be held to account would provide reassurance to both ESS and the public. On 1 September 2023, ESS invited SEPA to resolve matters informally.
- Cross-cutting Environmental Governance
- 31 January 2024
5. Informal resolution process
5.1
During the informal resolution process ESS sought a response to the following:
- what actions have been taken since the cyber-attack to address the matter of public registers and, since then, how has SEPA dealt with the information received in this connection?
- in relation to the information SEPA previously indicated it intends to make public prior to the creation of the new website:
- how has SEPA determined how this information should be prioritised?
- where will this information be published?
- what are the expected timescales for publication?
- what information will still be outstanding from the registers?
- in relation to the new website and full online Public Register; an indication of timescales for each stage of this process
5.2
On 26 September 2024, SEPA provided the following response:
- SEPA has focused on bringing together the key data on authorisations (e.g. the authorisation number, location and authorisation holder). SEPA has been working on this for two years
- SEPA has been collating the Public Register documents needed for higher-risk sites included in the inspection and monitoring programme (6,000 sites). For other, low risk sites (around 170,000 sites) the key information is held, but not necessarily the authorisation documents. High risk sites are the larger sites where SEPA carries out the majority of its day-to-day regulation. Low risk sites would cover small sites such as private septic tanks
- SEPA has met with consultancies who make the most requests for public register information to understand what information it should prioritise making publicly available without the need to make a request
- SEPA has prioritised publication in terms of: information legally required to be online, most often requested, related to the most environmentally significant sites regulated by SEPA, or otherwise easily made available online
- essentially, the last two years have involved interim planning and building – re-collating key data, recovering documentation for high risk sites, and arranging how to make this publicly available whilst work is carried out to ultimately build a full online Public Register on a new website
5.3
SEPA subsequently agreed to provide ESS with a plan on how it intended to make this information available, including a website update. After further discussion, SEPA provided the following plan for future publication of information:
- information will be placed on SEPA’s website about the work that has been ongoing over the last few years and the short-term plans for publication of information, and some information on longer term plans (by November 2023)
- Controlled Reservoirs Register data (by November 2023)
- a list of 98% of authorisations and key data associated with them (location, authorisation holder etc) (by 31 January 2024)
- key authorisation documentation for ‘Part A’ PPC activities under the 2012 Regulations and related environmental reports, including pre cyber-attack information (by 31 January 2024)
- a list of key authorisation conditions under the CAR Regulations, the 2012 Regulations and Waste Regimes (aim by March 2024)
- all recently received or issued authorisation documentation (by 31 March 2024 onwards)
- build public register page on SEPA’s new ‘beta’ website (Q2 2024 onwards)
- launch of a new online Public Register on SEPA’s new ‘beta’ website (Q4 2024 onwards) and progressively publish Public Register information and other regulatory data to 2027
- all planned activities (other than the ongoing publication of new information as it is received) to be completed by mid-2027
- SEPA noted that certain technical dependencies could mean timescales change slightly
5.4
ESS can confirm that, at the time of publication of this report, the first two actions agreed have been completed.
- Cross-cutting Environmental Governance
- 31 January 2024
6. Conclusion
6.1
Although the representation related to SEPA’s alleged failure to meet its duties in respect of a particular public register, ESS considered SEPA’s duties more broadly in relation to all of the registers it is required to maintain.
6.2
ESS recognises the impact of the December 2020 cyber-attack and accepts that the recovery of Public Register information has been, and continues to be, a major undertaking for SEPA. The work that SEPA has carried out so far has been to re-establish a means of having key documentation identified and available to the public on request.
6.3
In terms of compliance with environmental legislation, and in recognition of the challenges which SEPA has faced, the outcome sought by ESS is for the Public Register to be restored and made available to the public in a reasonable timescale. To achieve this, it is essential that SEPA is clear on the steps required to achieve this and that its plan is implemented fully and on schedule. ESS welcomes SEPA’s commitment to publish all Public Register information online, on a purpose-built website.
6.4
In terms of planning, a key point identified at the outset was how SEPA determines the priority levels for the information it intends to publish. ESS is satisfied that SEPA has reasonably considered prioritisation and is working within a structured framework in this regard. Its stepped approach to publishing information takes into account risk and priority to ensure it is collating and publishing the information that is of most importance in terms of its regulatory duties, and what is most likely to be sought by interested parties. In terms of timescales, SEPA has agreed dates by which major milestones will be completed and to which SEPA can be held to account. In ESS’ view, this constitutes a proportionate and realistic pathway to achieving compliance.
6.5
The evidence ESS requires to see is the relevant information being published on schedule. On the basis of the plans and timescales agreed by SEPA, ESS considers that informal resolution has been achieved in that there are now defined steps towards progressive publication of the required information within a reasonable timescale. Allowing for slight changes in timescales, ESS will monitor SEPA’s performance two months after each step is due to be implemented and update publicly on progress every six months from the date of this report being issued.