Contents
1. Public Records (Scotland) Act 2011
2. Executive Summary
3. Authority Background
4. Assessment Process
5. Model Plan Elements: Checklist
6. Keeper’s Summary
7. Keeper’s Determination
8. Keeper's Endorsement
1. Public Records (Scotland) Act 2011
The Public Records (Scotland) Act 2011 (the Act) received Royal assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came fully into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.
The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor record keeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.
The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.
2. Executive Summary
This report sets out the findings of the Keeper’s assessment of the RMP of Highlands and Islands Enterprise by the Public Records (Scotland) Act 2011 Assessment Team following its submission to the Keeper on 26th June 2022.
The assessment considered whether the RMP of Highlands and Islands Enterprise was developed with proper regard to the 15 elements of the Keeper’s statutory Model Records Management Plan (the Model Plan) under section 8(3) of the Act, and whether in this respect it complies with it and the specific requirements of the Act.
The outcome of the assessment and the Keeper’s decision on whether the RMP of Highlands and Islands Enterprise complies with the Act can be found under section 7 of this report with relevant recommendations.
3. Authority Background
Highlands and Islands Enterprise is the Scottish Government's economic and community development agency for the north and west of Scotland. HIE's purpose is to generate sustainable economic growth across the Highlands and Islands. As a Scottish Government agency, HIE’s role is to lead regional growth and development, to seek investment opportunities, and to ensure that the Highlands and Islands derives maximum benefit from existing and emerging opportunities. HIE operates across offices throughout the Highlands and Islands, including area offices, serving local businesses and communities from the Outer Hebrides to Moray and from Shetland to Argyll.
Supporting businesses & communities | HIE
4. Keeper’s Assessment Process
The RMP was assessed by the Public Records (Scotland) Act Assessment Team on behalf of the Keeper. Assessors used the checklist elements listed in section 5, to establish whether Highlands and Islands Enterprise’s RMP was developed with proper regard to the elements of the Model Plan and is compliant with the Act. The assessment also considered whether there was sufficient supporting evidence of such compliance.
Key:
|
G
|
The Keeper agrees this element of an authority’s plan.
|
|
A
|
The Keeper agrees this element of an authority’s plan as an ‘improvement model’. This means that he is convinced of the authority’s commitment to closing a gap in provision. He will request that he is updated as work on this element progresses.
|
|
R
|
There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Keeper may choose to return the RMP on this basis.
|
5. Model Plan Elements: Checklist
|
Element
|
Present
|
Evidence
|
Notes
|
|
1. Senior Officer
|
G
|
G
|
The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority.
Highlands and Islands Enterprise (HIE) identified the Director of Finance and Corporate Services, as the individual with overall responsibility for records management within the authority. Since submission the individual identified has left this post. HIE has confirmed separately (November 2024) that Adrian Kitson, Head of Executive Office, now holds overall corporate responsibility for records management within the authority. The post reports directly to the Chief Executive. A copy of the Head of Executive Office’s job description has been provided which outlines the post’s information governance responsibilities. This is a draft document as the full job description is under review. Following organisational changes, the Information Governance Team (see element 2) now sit within the Executive Office Team in HIE. It is further confirmed that all relevant polices are being reviewed in light of changes to the organisation’s structure. Once updated, HIE have committed to submitting relevant policies and a published job description when finalised to the Keeper as evidence.
The Head of Executive Office is the Chair of the Information, Security and Fraud Governance Group (ISFGG) (see key group under General Comments below). Representatives from the Information Governance and Corporate Information teams are part of the ISFGG. A copy of the Terms of Reference for this group has been provided (dated May 2021, date of next review January 2023) and it has been stated separately (March 2025) that these are under review and updates will be provided through the Progress Update Review process.
The roles and responsibilities of the ISFGG are outlined in the Records Management Policy (page 2).
The ISFGG reviewed the Records Management Plan (RMP) on 19 April 2022 and the submission was approved by the Leadership Team on 7 May 2022.
The Head of Executive Office is HIE’s Senior Information Risk Officer (SIRO). This is confirmed by the job description provided.
The Keeper agrees that Highlands and Islands Enterprise have identified an appropriate individual to this role as required by the Act.
|
|
2. Records Manager
|
G
|
G
|
The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and that this staff member has appropriate corporate responsibility, access to resources and skills.
The individuals identified in the RMP held interim responsibility while recruitment for an Information and Records Manager and Head of Information Governance was carried out.
It has been confirmed separately that, since submission of the RMP (June 2022), both these posts have been successfully recruited. David Highet is the Information and Records Project Manager and Fiona Eardley is the Head of Information Governance.
David Highet, Information and Records Project Manager is the individual with operational responsibility for records management in the organisation. A copy of the job description for the post of Information and Records Project Manager has been provided separately. This post reports to Fiona Eardley, Head of Information Governance. The Head of Information Governance reports to the Head of Executive Office (see element 1).
Both posts are part HIE’s Information Governance Team. The Records Management Policy (page 3) outlines the roles and responsibilities of the Information Governance Team.
The Information and Records Manager (this post in now Information and Records Project Manager) is the policy owner of the Records Management Policy (document control sheet) The Information and Records Project Manager is the author of the combined Records Retention Schedule and Business Classification Scheme documents and updated staff guidance which have been provided separately (see elements 4 and 5).
The Keeper agrees that Highlands and Islands Enterprise have identified an appropriate individual to this role as required by the Act.
|
|
3. Policy
|
G
|
A
|
The Act requires an authority to have an appropriate policy statement on records management.
HIE have a Records Management Policy (dated 22 January 2020, date of next review 2022), a copy of which has been provided. The Policy was approved by the ISFGG (see element 1 and key group under General Comments below). It has been confirmed separately (November 2024) that HIE’s Records Management Policy is currently under review and proposed changes to the scope have been outlined. The Keeper can be updated when the review of this key policy has been completed. The can be done through the voluntary Progress Update Review (PUR) process, Progress Update Reviews - National Records of Scotland (NRS).
The Records Management Policy states ‘‘Highlands and Islands Enterprise (HIE) is reliant on records management to support its functions and activities. Effective records management will help ensure that we have the right information at the right time to inform decision making. It will provide evidence of what we do and why, therefore protecting the interests of HIE, its staff and all who interact with HIE. HIE will create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time. To support this policy HIE will continue to develop procedures, guidance, and training to all staff and will monitor compliance with them.’’ The Keeper agrees this statement.
The Policy specifically mentions the Act (page 1). It defines who the Policy applies to, and that it encompasses records in all formats. It notes the records management training and staff guidance in place and includes links to supporting policies (pages 1-2). It outlines roles and responsibilities of staff and specifically those with records management duties (pages 2-3).
As noted above, the Policy provides links to supporting policies. These include an Information Management Policy, Retention Policy and a Social Media Policy. These documents have not been supplied as evidence to support the RMP. It has been confirmed separately that these policies are being updated to reflect organisational changes and will be provided through the PUR mechanism once review and update are completed.
A screenshot has been provided showing HIE staff can access the Records Management Policy and supporting policies and guidance through the staff Information Governance SharePoint site.
It has been confirmed separately that a new guidance page has been created by HIE’s Information and Records Manager on the staff intranet. This provides Client and Project File Guidance. A screenshot has been provided.
The Keeper agrees that Highlands and Islands Enterprise has a formal records management policy statement as required by the Act. However, it has been confirmed that the Policy is now under review. The Keeper requires sight of the updated Records Management Policy before fully agreeing this element. This element is therefore agreed under improvement model terms.
|
|
4. Business Classification
|
G
|
G
|
The Keeper of the Records of Scotland (the Keeper) expects that the public records of an authority are known and are identified within a structure.
The Records Management Policy (page 1) states ‘‘HIE will create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time.’’ It also states (page 2) that all HIE staff should ‘‘Work with Information Governance Team to review and evaluate records storage out with EDRMS to ensure records management controls are applied to all our corporate information.’’
The introduction to the RMP states ‘‘The scope of the RMP applies to all records irrespective of the technology used to create and store them or the type of information they contain.’’ HIE public records are created and managed in the following systems:
Digital (EDRMS) - HIE utilise an Electronic Document and Records Management System (EDRMS) to create, store and manage the majority of their public records. The Keeper is familiar with the system in use and its functionality, as it is currently used by National Records of Scotland (NRS). The Keeper can agree this is an appropriate system for the management of digital records.
Digital (Shared drives) - Some business areas continue to use shared drives to store large documents or manage their processes. HIE explain the limited and controlled continued use of shared drives and provide an example of how shared drives are currently used by the Procurement team (RMP page 5). It has been explained separately that a review of shared drive usage which shows an ongoing decrease in use has taken place. The Keeper has been provided with an extract demonstrating this.
Digital (Line-of-business systems) - HIE use a bespoke system to store and manage certain digital records, MyHIE. This system is integrated with the EDRMS (RMP page 5), and staff guidance is available (screenshot of ‘Project and File Guidance’ provided separately). The Records Management Policy (page 2) states that all HIE staff should ‘‘Work with Information Governance Team to review and evaluate records storage out with EDRMS to ensure records management controls are applied to all our corporate information.’’ The Keeper can agree public records created and stored in line-of-business systems are manged appropriately in line with the RMP.
Email and other systems (e.g. OneDrive, MS Teams) – Staff instruction and guidance on saving email records in the EDRMS is available, for example screenshot of intranet and RMP, page 12. The use of OneDrive, for working papers before these are saved to the EDRMS, and to support MS Teams use, is explained in the RMP (page 12). HIE have explained separately that new guidance has been created and is in place. A screenshot of the SharePoint site, ‘What goes where’, has been provided separately. It lists different systems, what records are created in them, any automatic retention in place, and where to store records (including when to save records to the EDRMS). HIE have further explained they are at the pilot stage of Objective EDRMS Gov365 for full Microsoft Teams integration which will capture any records and govern them in EDRMS automatically. The Keeper welcomes these developments and can be updated as they progress through the voluntary Progress Update Review (PUR) mechanism.
Hardcopy (onsite and offsite) - HIE create and mange hardcopy paper records. The EDRMS is used to manage these records and track their location. Hardcopy records stored offsite are also managed in the same way on EDRMS through the capture of metadata (RMP page 7 and screenshot from intranet). HIE explain that physical files are represented in the EDRMS and include metadata such as the file location within the business classification scheme. File custodians (see comments on local records management below) maintain hardcopy records (onsite) and monitor access (RMP page 9).
HIE use a third-party service provider for the offsite storage and management of hardcopy records. The RMP (page 7) explains, ‘‘The physical records held at Invergordon for the duration of their retention period are requested by Information Governance Champions around the time that they are scheduled for review.’’ The Legacy Clean-up Plan (slide 29) (see element 5) states ‘‘Electronic archive boxes are created and files are assigned to them when the closed and physical files are sent offsite.’’ Details of this arrangement have been provided separately along with supporting documents, Offsite Records Storage Framework and Scope of Requirements and Tender Guidance (July 2021) and Award Criteria Tender Response Form [Redacted].
HIE have explained separately that a new Business Classification Scheme (BCS), arranged by function, is contained in the new Retention Schedules as a separate tab (see element 5). Copies for different business areas have been provided. They were issued in December 2023 and have been approved by the ISFGG.
HIE have explained separately that, in September 2024, the file plan was restructured in the EDRMS to reflect organisational structure, and the new business classification scheme organised by function. HIE have explained how business areas were consulted through the process and how updates were communicated to staff. Screenshots showing the file plan in Objective Nexus have been provided.
HIE also maintain an Information Asset Register (IAR). A copy of the IAR has been provided. It includes digital and hardcopy records. It captures information including:
Information Asset Owner, Information Asset Manager, Name of information asset, Business purpose, Business classification reference, Location, Retention period and trigger and Record of Processing Activity entry reference. It also includes a guidance tab, which outlines what is required under each heading in the register; and tabs for Record of Processing Activity (ROPA) cover sheet, GDPR ROPA, and special category data. Heads of service are required to confirm the information in the IAR.
This is reviewed annually. The next scheduled review was due in November 2022. It has been explained separately that due to staffing and structural changes this review is still to be completed. Updates such as these can be provided through the voluntary Progress Update Review (PUR) mechanism.
It has been confirmed separately that new guidance pages have been created by HIE’s Information and Records Manager on the staff intranet. These provide Project and Client File guidance, and What goes where guidance, outlining systems in use, what information to be saved, any built-in retention and when to move into EDRMS (for example, if evidence of a business decision, approval, business information, then save to EDRMS). Screenshots have been provided.
It has further been confirmed separately that HIE are at the pilot stage of Objective EDRMS Gov365 full Microsoft Teams integration which will capture any records and govern them in EDRMS automatically. Updates on ongoing projects can be provided through the PUR mechanism.
The Keeper agrees that Highlands and Islands Enterprise retains all its public records in controlled systems which are structured in a clear manner, and which can be used by staff to manage public records where appropriate.
|
|
5. Retention schedule
|
G
|
G
|
The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule.
The Records Management Policy (page 1) states ‘‘HIE will create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time.’’
Since submission HIE have provided copies of updated combined Retention Schedules and Business Classification Schemes relating to different business areas. It has been explained that in developing these the Information and Records Project Manager met with team leads across the organisation. These were approved by the ISFGG, implemented in March 2024, and are due for review in 2026. The Keeper commends the involvement of business areas in the development of retention periods.
An example entry in a Retention Schedule may be:
Reference - 1.002.001
Function – Corporate Governance
Activity/Records Series - Audit
Description/Example Record Types – Audit Committee Papers
Trigger - event that prompts start of retention period – Date published
Retention Period - Permanent
Disposal Action – Archive NRS
Authority - Statutory
Citation/Notes - Audit Committee papers including final reports presented, retain internal copy for 10 years before transfer to Archive
Edit History
The responsibility for the application of the retention schedule to records (hardcopy and digital), closing files to trigger retention, and reviewing files at end of their retention period sits with Information Asset Managers (see comments on local records management below). Content Administrators support teams in managing records in line with the retention schedule (Records Management Policy pages 2-3). The RMP (page 7) explains that where a decision is made to retain records beyond the allocated period of retention the responsible officer is required to provide a reason for this action.
As noted under element 4, HIE also have an IAR which includes retention periods.
For the different formats featured in HIE’s records management systems see element 4 above.
Details of automatic retention in place for systems, such as One Drive and MS Teams, is outlined in guidance available on the staff intranet. A screenshot showing this SharePoint site, ‘What goes where’, has been provided separately. It also advises staff on when to save records from these systems to EDRMS.
The RMP explains that in 2019/20 a physical records file review programme was carried out to ensure appropriate retention periods were allocated and secure records destruction was implemented for records beyond their allocated retention period. HIE were planning to undertake a similar ‘legacy clean-up’ for electronic records in 2022, after this was approved by the Leadership Team. A copy of the Legacy Clean-up Plan dated March 2022 has been provided.
An update on work since April 2022 has been provided (November 2024). HIE now have a new automated workflow in place in EDRMS that identifies files with no activity after 2 years and closes them, initiating retention. System disposal schedules have been updated in EDRMS to reflect new retention schedules and applied to files. Figures of the number of files closed and disposed of since 2022 have been provided and demonstrate the considerable work undertaken. Screenshots have been provided to support this.
HIE have guidance in place for staff around use of the retention schedule (RMP page 6). It has been explained separately that staff guidance on retention schedules is now provided through a SharePoint intranet page which links to the retention schedules and EDRMS. A screenshot showing this has been provided. Further updated guidance, created by the Information and Records Manager, has been provided separately and contains a link to HIE’s Retention Schedules (Project and Client Guidance SharePoint intranet site screenshot). Also, dynamic SharePoint lists now allow users to filter by document type to see where a record is to be stored and in what format. A sample list has been provided separately.
Staff receive records management training that includes a module titled ‘Record Lifecycle 3 – Review and Retention’ (see element 12).
The Keeper agrees that Highlands and Islands Enterprise has a schedule providing retention decisions for the record types created while pursuing its functions.
|
|
6. Destruction Arrangements
|
G
|
G
|
The Act requires that public records are destroyed in a timely, controlled and secure manner.
The Records Management Policy (page 1) states ‘‘HIE will create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time.’’
The RMP (page 7) states ‘‘HIE aims to review and destroy records at the end of retention periods as set out in HIEs Retention schedule following HIE procedures.’’
The following destruction arrangements are in place:
Digital (EDRMS) – The system is use has built in destruction functionality and records details of records destroyed. The Corporate Systems Support Officer and Content Administrators identify records at the end of their retention and review prompts are sent to Information Asset Owners before approval and deletion (RMP page 7). See comments at element 5 on new automated workflow in place in EDRMS and updated systems disposal schedules.
Digital (Shared drives) – The Corporate Systems Support Officer, Content Administrator and Information Asset Owners identify, review, approve and delete records as with the EDRMS. As noted at element 4, HIE have explained separately that rationalisation of moving records out of shared drives has progressed and have provided details of this work. They note ‘‘Anything that is considered a public record has or will be migrated to EDRMS with all redundant, obsolete, and trivial information deleted off shared drives only i.e. not public records. Remaining information is still being worked through and will follow the same process. Files moved to Objective EDRMS have destruction audit trails built into the system.’’
Digital (Line-of-business systems) – As noted at element 4, the Keeper can agree public records created and stored in line-of-business systems are manged appropriately in line with the RMP.
Email and other systems (e.g. OneDrive, MS Teams, Objective Connect) – As noted at element 5, details of automatic retention in place for these systems is outlined in guidance on the HIE intranet. This includes, for example, automatic deletion in MS Teams after 3 months. A screenshot showing the SharePoint site, ‘What goes where’, has been provided separately.
Hardcopy (onsite and offsite) – The EDRMS is used to manage hardcopy records, and a record of deletion (metadata stub) is generated and retained. A third-party contractor provides confidential waste units and containers for bulk uplift and destruction of hardcopy records.
The RMP states physical records stored offsite which are due for review at the end of their retention period are requested by Information Governance Champions. Those for destruction are securely destroyed by the contracted third-party provider. Details arrangements in place have been provided separately along with supporting documents, Offsite Records Storage Framework and Scope of Requirements and Tender Guidance (July 2021) and Award Criteria Tender Response Form [Redacted].
Hardware – A third party contractor provides a service for the secure destruction of hardware.
The Retention Schedule for Information Governance (provided separately along with other updated combined retention schedules and business classification schemes – see elements 4 and 5) shows record disposal certificates and records destroyed register of destruction are retained permanently.
Evidence has been provided separately to demonstrate operational destruction arrangements. This includes a screenshot showing physical file part destruction EDRMS metadata stub, and destruction certificates for physical records and hardware from third party providers.
Back-ups – A third-party contractor provides IT services for HIE corporate systems and technology products. The maximum length of time back-up copies of destroyed electronic records are available has been outlined (RMP page 7).
As noted at element 5, HIE have provided an update (November 2024) on the Legacy Clean-up Plan. Figures of the number of files closed and disposed of since 2022 have been provided and demonstrates the considerable work undertaken. Screenshots have been provided to support this. HIE have further noted ‘‘The previous Legacy Clean up plan for files was successful and continued in the form of systematic closure of files using a workflow in Objective, this allowed files to be destroyed that were identified as being past their retention disposal schedule. HIE is committed to moving all corporate records to EDRMS, identifying, and disposing of all those that have reached retention in both physical and virtual formats.’’
A copy of staff training slides titled Module 08 Record Lifecycle 5 File Disposal and Resentence has been provided separately. This demonstrates staff guidance and training in place around the destruction of HIE’s public records.
The Keeper agrees that Highlands and Islands Enterprise has processes in place to irretrievably destroy their records when appropriate.
|
|
7. Archiving and Transfer
|
G
|
G
|
The Act requires that all Scottish public authorities identify a suitable repository for the permanent preservation of any records considered suitable for archiving. A formal arrangement for transfer to that repository must be in place.
HIE has identified National Records of Scotland (NRS) as the proper repository for their public records identified as suitable for permanent preservation (RMP page 8).
NRS is an accredited archive and fully adheres to the Keeper’s Supplementary Guidance on Proper Arrangements for Archiving Public Records.
At the time of the Keeper’s last agreement in 2015, HIE and NRS had an operational arrangement in place for the transfer of records and were in the process of putting in place an updated Memorandum of Understanding (MoU). The RMP notes that at the time of submission HIE were working towards an updated agreement. HIE have confirmed separately that this is now in place. A copy of the Agreement For The Transfer of Records between The Keeper of the Records of Scotland and Highlands and Islands Enterprise (Version 1.10, August 2023) has been provided.
HIE have retention schedules in place which identify records selected for permanent preservation and transfer to NRS. It has been explained that all HIE’s records for transfer to NRS have been identified in the new retention schedules, which were sent to HIE’s Client Manager at NRS before agreeing and signing the new Transfer Agreement.
HIE have been transferring records to NRS for a number of years and an established process for the transfer of hardcopy records is in place. The RMP confirms this will continue.
The NRS Web Archive Service capture the HIE website, Archive Timeline (nrscotland.gov.uk). This arrangement is part of the Transfer Agreement.
The Keeper agrees that Highlands and Islands Enterprise has arrangements in place to properly archive records when appropriate.
|
|
8. Information Security
|
G
|
G
|
The Act requires that public records are held in accordance with information security compliance requirements.
HIE recognise this and state ‘‘HIE will create and manage records efficiently, make them accessible where possible, protect and store them securely and dispose of them safely at the right time.’’ (Records Management Policy page 1)
HIE explain that a third-party provider is contracted to supply information services and systems. A copy of the contractor’s Cyber Security Programme for 2021/22 has been provided.
The contract in place relates to HIE and three other public authorities, all of which are scheduled under the Act and have RMPs agreed by the Keeper. It is further explained that ‘‘As the contract is aligned to the four organisations so is the Security Policy.’’ (RMP page 9).
HIE have an Information Security Policy (dated March 2021, version 3), a copy of which has been provided. It states, ‘‘The intention is to ensure robust security of our IT equipment and systems while applying appropriate and proportionate controls that support and reinforce our established culture of openness, trust and integrity which we recognise as essential to the success of HIE and its subsidiaries.’’ (policy summary, Information Security Policy).
The Information Security Policy includes sections and information on workplace security covering the physical security of premises, paper records, and hardware (section 5.6), social media (section 1.4), data sharing and collaboration tools (sections 1.5 and 5.7), managing security of email and instant messaging (section 5.5), applications (section 5), and security breach reporting (section 7). It also has sections on the retention and disposal of records and records management (sections 1.9 and 1.10).
The Information Security Policy (section 1.7) states ‘‘HIE handle and store information in many forms (electronic, hard copy, verbal and multimedia) and from many sources (client, contractors, employee, partner organisation) and HIE staff must ensure that information is appropriately protected by adhering to the Principals of Information classification…’’ HIE also have in place an Information Security Classification and Data Handling Policy (dated January 2021), a copy of which has been provided.
The Information Security Policy contains links to a suite of associated polices and guidance. Some of which have been provided as part of the evidence pack (Records Management Policy, Information Classification and Data Handling Policy, and Data Protection Policy). Other links listed, including the Social Media Policy, Data Breach Management Policy, Information Security – process for access to physical files whilst homeworking, and IT Password Protection Policy, have not been provided. HIE have confirmed separately that these policies are in the process of being consolidated and updated to form a new suite of policies. HIE have noted that these can be provided once finalised.
A screenshot of the Information Governance staff SharePoint site has been provided showing HIE staff can access the Information Security Policy and associated policies and guidance.
Staff are provided with guidance on reporting information security breaches, for example in section 7 of the Information Security Policy and section 4 of the Information Security Classification and Data Handling Policy.
The RMP explains how secure access to digital systems is managed through usernames and passwords, and the audit trail (see element 11) and access privilege functions within the EDRM system. Laptops are encrypted and use of removable media (pen drives) is not permitted.
As described at element 4, physical records, those stored onsite and offsite, are logged on the EDRMS. The RMP explains that staff are assigned as file custodians of physical records to monitor access. The security of premises and hardcopy records are noted in section 5.6 of the Information Security Policy. Copies of Offsite Records Storage Framework and Scope of Requirements and Tender Guidance (July 2021) and Award Criteria Tender Response Form [Redacted] have been provided separately. These documents outline security arrangements in place at the third-party offsite storage site in use.
Staff training is in place and a copy of the HIE Information Governance Training Programme has been provided. This shows the module name and month to be completed for Information Governance Champions and Content Administrators and all staff. The programme comprises 13 modules, one of which is titled ‘Managing data breaches.’ See element 12 for further comment.
HIE intend to carry out further training around security (RMP, page 9). The Keeper welcomes this commitment and would be interested to hear about this training as it is rolled out. Updates can be provided through the voluntary PUR mechanism.
HIE have an Information, Security and Fraud Governance Group (ISFGG) (see comments at element 1). The Terms of Reference for this group have been provided.
HIE have arrangements in place in case of a cyber attack, including a Cyber Security Plan (see element 10). This document is noted in the RMP (page 11), but has not been provided. The Keeper understands this is a sensitive document, as the RMP states, and has not ben provided for this reason. As such, the Keeper can accept a statement from the person named at element 1 that this Plan is in place and operational. HIE have provided (March 2025) emails containing a statement of explanation of arrangements in place from HIE’s Information Systems Manager, and endorsed by the SIRO, who is named as senior officer under element 1.
As noted above, HIE use a third-party provider for information systems and services. The contract in place relates to HIE and three other authorities. The Keeper notes that HIE have achieved joint Cyber Essentials + certification along with the three other public authorities:
Certificate number: fe7e7fe7-a845-417b-9f19-ab4b5b36285a
Certificate level: Cyber Essentials Plus
Date issued: 14 September 2023
The Keeper agrees that Highlands and Islands Enterprise have procedures in place to appropriately ensure the security of their records as required by the Act.
|
|
9. Data Protection
|
G
|
G
|
The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law.
HIE is registered as a data controller with the Information Commissioner’s Office (ICO) (registration reference Z6346473).
The RMP explains that HIE have appointed an external Data Protection Officer from a consultancy company.
HIE have a Data Protection Policy (dated January 2023, version 3.0), a copy of which has been provided.
The Data Protection Policy explains the principles of data protection and how HIE comply with them (section 6). It includes roles and responsibilities (section 5), use of Data Protection Impact Assessments (DPIAs) (section 7), storage and retention of personal data (section 9), data breach management (section 10), training (section 13) and monitoring (section 14).
The RMP explains that since changes to data protection legislation in 2018, HIE undertook a review of data protection guidance, and both the Data Protection Policy and Privacy Notice were updated.
HIE have a Privacy Notice published on their website, Privacy Policy | Highlands and Islands Enterprise | HIE. A copy of this document has also been provided. It includes details of how to exercise personal data rights, including how to make a Subject Access Request (SAR). HIE also have additional separate privacy notices, including a Privacy Notice for staff and contractors, a copy of which has been provided.
HIE have a framework for data protection risk recording and for data protection compliance monitoring in place which were created and are used by the DPO (RMP page 10). Copies of the documents HIE DPIA Process and Data Protection Risk Reporting have been provided.
HIE maintain a Register of Processing Activities (ROPA) which forms part of the IAR, a copy of which has been provided (see element 4).
At the time of submission HIE were developing a Data Protection Maturity Framework. A copy of a Project Initiation – Data Protection By Design Maturity Model document has been provided. The Keeper appreciates that this provides an indication of planned work. It has been confirmed separately that this is still to be finalised and that HIE will provide an update through the PUR mechanism.
Staff training is in place and a copy of the HIE Information Governance Training Programme has been provided, along with a sample training module. The sample training module comprises slides for the module HIE Information Governance 2. Introduction to Data Protection (version 01, dated May 2022).
The Keeper has been provided with a screenshot of a staff SharePoint site showing access to a suite of information management policies and guidance, including the Data Protection Policy. It has been confirmed separately that HIE are in the process of consolidating and updating certain policies. HIE note that these can be provided once finalised.
The Keeper agrees that Highlands and Islands Enterprise have arrangements in place that allow them to properly comply with data protection legislation.
|
|
10. Business Continuity and Vital Records
|
G
|
G
|
The Keeper expects that record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning.
HIE have a Business Continuity Policy Statement (dated February 2020) and a Business Continuity Operation Manual (version 1.1, dated May 2020, date of next review July 2022). Copies of both documents have been provided. The RMP (page 11) states ‘‘This manual includes arrangements for vital records.’’
HIE’s Director of Finance and Corporate Services (named at element 1 in the submitted RMP) is the author of the Business Continuity Policy Statement. This postholder is listed as the reviewer and authoriser of the Business Continuity Operation Manual. An update from HIE has confirmed this individual and post no longer has strategic responsibility for records management. The Head of Executive Office now has responsibility for records management and is also HIE’s SIRO (see update at element 1).
The Business Continuity Operation Manual underpins the Business Continuity Management System (BCMS). It outlines the scope of the manual (‘‘All activities and departments based within HIE directly managed sites are within scope of the BCMS’’) and references sites not within the scope at which HIE is a sub-tenant and which will follow a similar format but be driven by the landlord.
The Business Continuity Policy Statement notes ‘‘This policy applies generally to all employees, departments and activities of Highlands and Islands (HIE) and generally at all HIE office locations.’’ It also states that each site will have its own Business Continuity Plan (BCP). It lists policy objectives and commits to ‘‘a process of continual improvement of the BCMS through exercises, implementing lessons learnt from incidents, audits and document review.’’
Under this element the Keeper can, as an alternative to sight of a BCP due to sensitivity issues, accept a statement from the person named at element 1 or SIRO confirming that operational BCPs are in place and that they feature records recovery. HIE have provided (March 2025) emails containing a statement of explanation of arrangements in place from HIE’s Information Systems Manager, and endorsed by the SIRO, who is named as senior officer under element 1.
It confirms arrangements are in place through HIE’s main IT partner and system vendors, and notes annual testing is in place. It further confirms inhouse arrangements and that Business Continuity Playbooks for all systems are in place. These playbooks are in the process of being finalised on completion of review and Director approval. HIE have noted they will provide one of these Playbooks once finalised. This can be done through the voluntary PUR mechanism.
HIE have arrangements in place in the event of a cyber attack, including a Cyber Security Plan (RMP page 11) (see element 8).
The IAR includes a column which identifies the business continuity recovery priority type and time period for recovery for record types (see element 4). For example, ‘Priority 1 - Within 2 hours’.
Sections 6 and 7 of the Business Continuity Operation Manual relate to competencies of business continuity personnel, staff training and embedding awareness for staff. It notes that desk-based awareness training will be carried out every year, that all staff will receive induction training on business continuity when they start in post, and that a record of training will be maintained. There is also training in place for staff with specific business continuity responsibilities.
Business continuity exercises are carried out annually to test arrangements and a post exercise report produced. This process is outlined in section 8 of the Business Continuity Operation Manual. Section 5 notes that a management review will be carried out twice a year or when an incident occurs.
The Business Continuity Operation Manual (section 4.5) outlines arrangements for vital hardcopy records at particular locations. Arrangements around offsite storage of hardcopy public records are outlined in the documents, Offsite Records Storage Framework and Scope of Requirements and Tender Guidance (July 2021) and Award Criteria Tender Response Form [Redacted], which have been provided separately.
At the time of the Keeper’s last agreement in 2015, this element was agreed under ‘improvement model terms’. A gap in provision was identified and a plan was in place to close it. This has clearly been done with the development of a Business Continuity Policy Statement, Business Continuity Operation Manual, and BCPs for each HIE site.
The Keeper agrees that Highlands and Islands Enterprise have an approved and operational business continuity process and that information management and records recovery properly feature in the authority’s plans.
|
|
11. Audit trail
|
G
|
G
|
The Keeper expects an authority to have processes in place to track public records in such a way that their location is known and changes recorded.
The Records Management Policy (page 1) states, ‘‘Effective records management will help ensure that we have the right information at the right time to inform decision making.’’
The following processes are in place for tracking the location of and changes to public records in HIE:
Digital (EDRMS) – The system in use has built in version control and audit trail functionality and a powerful search function. The Keeper is familiar with this system. In order to be able to locate records using the search function, consistent naming conventions are necessary. HIE have Document Naming Convention guidance in place. This guidance document has been provided separately.
A screenshot of the staff Information Governance SharePoint site has been provided showing a link to Document Naming Convention guidance.
Digital (Shared Drives) - A small number of records remain on shared drives, which require manual processes to mange version control and naming conventions. The naming of records is vital in ensuring they can be located, and changes tracked in shared drives. The RMP notes that a review of shared drive use was planned for late 2022. An update on this work has been provided separately. (see element 4).
Digital (OneDrive) - The RMP (page 12) explains OneDrive is in use for working copies prior to documents being saved to the EDRMS, and to facilitate use of MS Teams. The RMP explains ‘‘OneDrive has security controls and auditing and reporting features as standard.’’
Digital (Line-of-business systems) - HIE use a bespoke customer relationship management system, MyHIE. This system is integrated with the EDRMS (RMP page 5). The RMP states it has automatic audit trail and workflow capabilities. As noted at element 4, the Keeper can agree public records created and stored in line-of-business systems are manged appropriately in line with the RMP.
Hardcopy (onsite and offsite) - Physical records, both those stored onsite and offsite, are recorded as virtual files in the EDRMS and tracked and managed this way. HIE have separately provided a screenshot of an EDRMS Virtual File, showing the audit section. The tracking of hardcopy public records held at a third-party offsite storage provider, including arrangements for recalling records to HIE, is outlined in documents provided separately (Offsite Records Storage Framework and Scope of Requirements and Tender Guidance (July 2021) and Award Criteria Tender Response Form [Redacted]).
At the time of the Keeper’s last agreement in 2015 the Keeper graded this element amber as a gap in provision was identified (not all staff were saving records in the EDRMS). It is clear that HIE have guidance in place to instruct staff creating and managing records in the EDRMS and that the use of shared drives is now limited.
The Keeper agrees that Highlands and Islands Enterprise has procedures in place that will allow them to locate their records and assure themselves that the located record is the correct version.
|
|
12. Competency Framework for records management staff
|
G
|
G
|
The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported.
The RMP (page 4) states ‘‘A records management policy statement underpins effective management of HIE’s records and information It demonstrates to employees and stakeholders that managing records is important to HIE and serves as a mandate for the activities of the records manager.’’ The Keeper agrees this statement and welcomes the acknowledgement of supporting the work of the records manager.
The Records Management Policy (page 1) states ''Training is provided, to meet the role and level of responsibility of staff to define the records management standards of practice ...''
As noted at element 2, there have been personnel changes since the time of submission. HIE have provided an update separately confirming these changes and organisational changes around where the Information Governance team sits. David Highet, Information and Records Project Manager is the individual with operational responsibility for records management in the authority and reports to Fiona Eardley, Head of Information Governance. A copy of the job description for the post of Information and Records Project Manager has been provided separately.
These posts are supported by HIE staff with records management responsibilities additional to their substantive posts, namely Information Governance Champions and Content Administrators (see local records management under General Comments below). These staff members provide records management advice in local business areas, receive training tailored to these roles and are supported by information governance staff (RMP page 13).
Staff receive induction training (Records Management Policy page 1) and a programme of information governance training. This training programme, which comprises 13 modules, was approved by the HIE Leadership Team in March 2022 (RMP page 13). A copy of the HIE Information Governance Training Programme has been provided. This shows the module names and month to be completed for Information Governance Champions and Content Administrators in one table and all staff in another table. A sample training module has been provided. This comprises slides for HIE Information Governance 2. Introduction to Data Protection (version 01, dated May 2022).
Staff receive training in business continuity planning (see element 10). Desk-based awareness training is be carried out every year, all staff receive induction training on business continuity when they start in post, and a record of training will be maintained. There is also training for staff with specific business continuity responsibilities (Business Continuity Operation Manual, sections 6 & 7).
A screenshot of the staff Information Governance SharePoint site has been provided. It provides staff with links to guidance and policies. It also includes links to webinar training. Further updated guidance, created by the Information and Records Manager, has been provided separately in the form of screenshots.
HIE have explained separately how changes and updates to records management policies, procedures, and guidance are communicated to staff. This is done through a monthly forum on Microsoft Teams aimed at Information Governance Champions and Content Administrators and is hosted by the Information Governance Team. In addition, HIE note ‘‘Further staff training is provided to specific teams or individuals on a regular basis as is required, as well as all company communications via the staff intranet Information Governance pages and Viva Engage channels. There is also a Teams chat for the Information Governance Champions and Content Administrators group where minor issues can be raised, and updates are communicated which they can then relay to colleagues. Staff can also contact the Corporate Systems mailbox for specific individual issues or queries which is monitored daily.’’ The Keeper commends HIE on this comprehensive programme of updates and training.
The Keeper agrees that the individual identified at element 2 has the appropriate responsibilities, resources and skills to implement the records management plan. Furthermore, the Keeper agrees that Highlands and Islands Enterprise consider information governance training for staff as required.
|
|
13. Assessment and Review
|
G
|
G
|
Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review.
HIE state ‘‘Regular assessment and review of records management systems will give HIE a clear statement of the extent that its records management practices conform to the Records Management Plan as submitted and agreed by the Keeper.’’ (RMP page 14)
The Records Management Policy states ‘‘To support this policy HIE will continue to develop procedures, guidance, and training to all staff and will monitor compliance with them.’’
Reviewing the implementation of the RMP is the responsibility of the Head of Information Governance (see element 2) supported by the Information Governance Team. The Head of Information Governance ‘‘leads on the implementation of the Information Governance Strategy and manages the activities required for undertaking the assessment against each element of the Plan.’’ (RMP page 14) As noted at element 2, the Information and Records Project Manager, who has operational responsibility for the RMP, reports directly to the Head of Information Governance.
The Information, Security and Fraud Governance Group (ISFGG) is responsible for implementing the Information Governance Strategy which includes implementation and monitoring of the RMP. The ISFGG meets every two months. Representatives from the Information Governance and Corporate Information teams are part of the ISFGG. A sample agenda for the ISFGG (dated April 2022) has been provided. Standing agenda items include information governance and records management, this includes reviewing and monitoring delivery of the Information Governance Work Plan.
A copy of the Information Governance Work Plan 2022-23 has been provided. HIE have separately provided updates (November 2024) on work outlined in this plan and evidence to support this. This includes new retention schedules (element 5), shared drive rationalisation extract (element 4), file plan restructure (element 4) and auto close workflow (element 5 and 6).
HIE use an EDRMS to manage the majority of their digital records. Hardcopy records are also managed through the EDRMS. Reports are run monthly by the Information Governance team who liaise with Content Administrators and Information Governance Champions to ensure records management processes are being followed.
The RMP explains that a Business Improvement and Internal Audit (BIIA) team, which reports directly to the HIE Chief Executive, produce an annual BIIA plan and carry out individual audit assignments. The Keeper welcomes the use of internal audit and can be updated on such work if information governance or records management are the subject of an internal audit assignment.
An organisational governance statement is prepared annually to be included with the annual accounts. Each business area is required to prepare an individual report which feeds into this overarching statement. The Keeper has been provided with a copy of Report to Accountable Officer on internal control environment, 2021/22 (dated April 2022). It relates to areas covered by the ISFGG, and was prepared by the chair of the ISFGG. The report provides an overview of the work the ISFGG carried out that reporting year, includes key areas of risk and/or improvement opportunities, and areas highlighted in business unit internal control checklists. It addresses records management provision within the authority and areas requiring action.
Data protection monitoring, and reporting to the ISFGG (quarterly) and HIE board (annually), is explained in the Data Protection Policy (sections 6 and 14).
Many documents submitted in the evidence package supporting the RMP include a document control sheet showing the date of next review. For example, the Records Management Policy – date of next review: 2022 and ISFGG Terms of Reference - date of next review January 2023. HIE have explained separately that several polices are in the process of being reviewed and updated, including the Records Management Policy. The Keeper would be pleased to be notified when this work is completed and can be updated through the PUR process.
HIE submitted a Progress Update Review to the Keeper in 2021. The Keeper commends the authority for utilising this voluntary mechanism to provide information on records management arrangements.
The Keeper agrees that Highlands and Islands Enterprise have made a firm commitment to review their RMP as required by the Act and have explained who will carry out this review and by what methodology. HIE have demonstrated how implementation of their RMP has been reviewed since the Keeper’s last agreement in 2015. Furthermore, the Keeper agrees that supporting policy and guidance documents have appropriate review periods allocated.
|
|
14. Shared Information
|
G
|
G
|
The Keeper expects a Scottish public authority to ensure that information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled.
The RMP (page 15) states ‘‘Under certain conditions, information given in confidence may be shared. Most commonly this relates to personal information, but it can also happen with confidential corporate records.’’ and ‘‘Opportunities for better client and organisational outcomes from enhanced data sharing arrangements are recognised as being important for HIE to make use of.’’
HIE state it has adopted the ICO Data Sharing Code as its framework for managing data sharing. Data sharing agreements are used, and a sample Data Sharing Agreement (dated 2019) has been provided.
The RMP explains that HIE use non-disclosure agreements. A copy of the HIE Non-Disclosure Agreement Process has been provided.
In conjunction with other enterprise support agencies, HIE have been involved in the development of a Data Sharing Charter. The aim of this is ‘‘to provide a clear framework for appropriate, proportionate information sharing to support those organisations common goals.’’ (RMP page 15) A copy of the Scottish Enterprise Support and Culture Data Sharing Charter has been provided.
When the Keeper last agreed HIE’s RMP in 2015 it was under ‘improvement model terms for this element. The Keeper noted at that time, ''Highlands and Islands Enterprise do not currently have an approved and operation data sharing protocol.'' It is clear HIE have progressed this and closed the identified gap in provision.
As outlined at element 8, HIE have information security policies and procedures in place. Section 1.5 of the Information Security Policy relates to data sharing. The Security Classification and Data Handling Policy (section 3) lists among its key principles, ‘‘HIE is committed to maximising appropriate information sharing and collaboration to pursue our objectives. HIE will create an appropriate environment for appropriate data sharing which will be reflected in our Data Sharing Policy, protocols and guidance.’’ Section 9.0 (Handling Guidelines) of the Security Classification and Data Handling Policy outlines how information sharing should be carried out internally and externally.
HIE use Objective Connect to securely share records with external bodies. There is a link to Objective Connect staff guidance on the staff Information Governance SharePoint site, a screenshot of which has been provided. The screenshot also shows links to associated polices and guidance.
HIE have explained separately that their information policies are currently being updated. A copy of ‘HIE Data Sharing Agreement – template’ has been provided separately to further support compliance with this element.
Routine staff training is in place and a copy of the HIE Information Governance Training Programme has been provided. This details the modules to be undertaken by staff, which includes module 4 ‘Sharing Information (including Objective Connect)’.
The Keeper can agree that Highlands and Islands Enterprise properly considers records governance when undertaking information sharing programmes.
|
|
15. Public records created or held by third parties
|
G
|
G
|
The Public Records (Scotland) Act 2011 (PRSA) makes it clear that records created by third parties when carrying out the functions of a scheduled authority should be considered ‘public records’ - PRSA Part 1 3 (1)(b).
The RMP (page 16) explains, ‘‘HIE delivers some of its functions through third party suppliers and includes, in these contracts, clauses to support legislative and good practice requirements for managing information.’’
The RMP (page 16) further explains ‘‘To support this arrangement we, through the Invitation to Tender process, specified our information management requirements. The selected contractor is also obliged to ensure individual agreements are put in place between the advisor and the client to ensure data is managed appropriately.’’
HIE have separately provided a copy of an example Tender Scope of Requirements (dated July 2021) and Terms and Conditions - Offsite Records, example of agreement in place. Included under ‘Tender Guidance’ is a section on information governance (page 17), which details requirements around the management of public records and the application of HIE’s Record Management Policy, Retention and Disposal Schedule, Information Management Policy, Information Classification and Data Handling Policy, Information Security Policy and Information and Records Management Handbook. Section 7 of the Terms and Conditions - Offsite Records, example of agreement in place, relates to protection of information and section 3 (paragraph 5.11.2) specifically mentions the Act.
HIE have also separately provided a link to HIE’s published privacy notice (which includes information on business suppliers and bidders (https://www.hie.co.uk/legal/privacypolicy/), a Data Sharing Agreement template, and an example Terms and Conditions agreement relating to the storage of offsite records.
The example Tender Scope of Requirements and example Terms and Conditions provided relate to the provision of offsite records storage. The Keeper understands records storage to be a service that HIE have procured rather than the contracting out of a function of the authority (functions of a public authority are what it was set up to do). However, the RMP (page 16) is clear that HIE deliver some of its functions through third-party suppliers and note that ‘‘The largest of these third party contracts delivers specialist advice to clients.’’
The Keeper agrees that Highlands and Islands Enterprise has properly considered the management of records created by third parties who carry out any functions of the authority.
|
General notes on submission:
The assessment carried out is on the reviewed plan submitted on 22 June 2022. The RMP was reviewed by the HIE Information, Security and Fraud Governance Group (ISFGG) on 19th April 2022 and the submission was approved by the HIE Leadership Team on 7th May 2022.
Due to the length of time between submission and assessment by the PRSA team, this assessment and subsequent report incorporates new and updated evidence and statements supplied by HIE in November 2024 and March 2025.
The Keeper strongly advises HIE to make relevant updates to their Records Management Plan to ensure it represents the current arrangements in place and is an effective business tool for the authority.
The Keeper previously agreed the RMP of Highlands and Islands Enterprise in March 2015, Highlands and Islands Enterprise - Assessment Report.
Highlands and Islands Enterprise provided a Progress Update Review (PUR) to the Keeper’s PRSA team in 2021, NRS - Progress Update Review (PUR) Final Report by the PRSA Assessment Team for Highlands and Islands Enterprise November 2021.
The RMP mentions the Act and is based on the Keeper’s, 15 element, Model Plan Model Records Management Plan - National Records of Scotland (NRS).
The RMP (page 2) states that the HIE leadership team ‘‘recognises records management as an important corporate responsibility.’’ The Keeper fully agrees with and welcomes this statement.
The Records Management Policy (page 1) states ‘‘Highlands and Islands Enterprise (HIE) is reliant on records management to support its functions and activities. Effective records management will help ensure that we have the right information at the right time to inform decision making. It will provide evidence of what we do and why, therefore protecting the interests of HIE, its staff and all who interact with HIE.’’ The Keeper agrees with this statement and the acknowledgement of the importance of records management.
Key Group - Information Security and Fraud Governance Group:
This group approves key documentation including the Records Management Policy (see element 3). It meets at least quarterly, with additional meetings as necessary. Representatives from the Information Governance and Corporate Information teams are part of this group.
The Terms of Reference for this group state ‘‘This group has a key role to support HIE in ensuring its governance environment for information management, information assurance, systems security and fraud is appropriate. This group has accountability for ensuring, in relation to systems and information, that HIE complies with legislation, manages the governance of information throughout HIE, develops staff understanding of information governance, has appropriate supportive policies and ensures collaboration opportunities with partner organisations are taken. The group will also take a lead in seeking assurance from HIE’s group companies and supply chain regarding their arrangements for sound information governance and security.''
The RMP (page 2) notes that ‘‘HIE recognises the function of records management as part of the wider delivery of information governance. Alongside information and records management policies, Freedom of information and data protection policies are owned by the Information Governance Team. The ISFGG is the forum by which all these information management issues across HIE are addressed.’’
Local Records Management:
It clear throughout this submission that the Information and Records Project Manager, the Information Governance Manager and the Information Governance Team at HIE are supported through the use local champions in the delivery of the authority’s records management provision. These local roles are outlined throughout this submission. They include:
· Information Asset Owners (IAO) – Senior staff involved in managing business areas. They are responsible to the SIRO (named at element 1) and delegate day-to-day tasks around management, access, transfer, use, and disposal to Information Asset Managers.
· Information Asset Managers (IAM) – Staff members who are responsible for day-to-day management of information assets. This includes storage, access controls and disposition.
· Content Administrators – This forms part of an existing staff members’ role. Content Administrators receive additional information and records management training to be able to provide support to local business areas. They provide information management support, including file creation, naming conventions, retention schedules, applying security rights, file review and closure, and transfer of records to offsite storage. HIE have further noted separately ‘‘Content Administrators are members of staff that have elevated system access for performing certain tasks such as sentencing files and carrying out workflows in EDRMS, they receive specific training and system updates from Information Governance to help them perform this role.’’
· Information Governance Champions – This forms part of an existing staff members’ role. IG Champions receive additional training to be able to support their team in ‘‘in managing their information responsibilities in corporate information and data repositories and responses to IG team requests e.g. FOIs.’’
· File Custodians - They are ‘‘are responsible for their own information and retaining correct Records (Corporate Value) including the securing of loose filing in correct date order and managing virtual files in EDRMS. ‘’
6. Keeper’s Summary
Elements 1 to 15 that the Keeper considers should be in a public authority records management plan have been properly considered by Highlands and Islands Enterprise Policies and governance structures are in place to implement the actions required by the plan.
Elements that require development by Highlands and Islands Enterprise are as follows.
7. Keeper’s Determination
Based on the assessment process detailed above, the Keeper agrees the RMP of Highlands and Islands Enterprise.
- The Keeper recommends that Highlands and Islands Enterprise should publish its agreed RMP as an example of good practice within the authority and the sector.
This report follows the Keeper’s assessment carried out by,
Pete Wadley, Public Records Officer
Liz Course, Public Records Officer
8. Endorsement of Report by the Keeper of the Records of Scotland
The report has been examined and is endorsed under the signature of the Keeper of the Records of Scotland as proof of compliance under section 1 of the Public Records (Scotland) Act 2011, and confirms formal agreement by the Keeper of the RMP as submitted by Highlands and Islands Enterprise In agreeing this RMP, the Keeper expects Highlands and Islands Enterprise to fully implement the agreed RMP and meet its obligations under the Act.
Laura Mitchell, Deputy Keeper of the Records of Scotland
