Assessment report: Lord Advocate and Procurators Fiscal - 3 December 2024

Home
Publications
Assessment report: Lord Advocate and Procurators Fiscal - 3 December 2024

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Contents

Public Records (Scotland) Act 2011
Executive Summary
Authority Background
Assessment Process
Model Plan Elements: Checklist
Keeper’s Summary
Keeper’s Determination
Keeper's Endorsement

1. Public Records (Scotland) Act 2011

The Public Records (Scotland) Act 2011 (the Act) received Royal assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came fully into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.

The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor record keeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.

The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.

2. Executive Summary

This report sets out the findings of the Keeper’s assessment of Lord Advocate and Procurators Fiscal by the Public Records (Scotland) Act 2011 Assessment Team following its submission to the Keeper on 30 December 2022.

The assessment considered whether the RMP of Lord Advocate and Procurators Fiscal was developed with proper regard to the 15 elements of the Keeper’s statutory Model Records Management Plan (the Model Plan) under section 8(3) of the Act, and whether in this respect it complies with it and the specific requirements of the Act.

The outcome of the assessment and the Keeper’s decision on whether the RMP of Lord Advocate and Procurators Fiscal complies with the Act can be found under section 7 of this report with relevant recommendations.

3. Authority Background

The Lord Advocate: The Lord Advocate, also known as His Majesty’s Advocate, is the senior Scottish Law Officer. The following are the Lord Advocate’s main functions:

Head of the systems for the investigation and prosecution of crime and investigation of deaths

Principal legal adviser to the Scottish Government

Representing the Scottish Government in civil proceedings

Representing the public interest in a range of statutory and common law contexts

All prosecutions on indictment run in the name of the Lord Advocate.

Lord Advocate: role and functions - gov.scot (www.gov.scot)

The Procurators Fiscal: A procurator fiscal is a public prosecutor in Scotland. They are responsible for the investigation of crimes and have the power to impose fiscal fines. The police and other reporting agencies send the procurator fiscal reports of crimes, and they decide whether to begin criminal proceedings or take alternative action. The procurator fiscal has a duty to investigate all sudden, suspicious, accidental, unexpected, and unexplained deaths and any death occurring in circumstances that give rise to serious public concern.

Crown Office and Procurator Fiscal Service (copfs.gov.uk)

4. Keeper’s Assessment Process

The RMP was assessed by the Public Records (Scotland) Act Assessment Team on behalf of the Keeper. Assessors used the checklist elements listed in section 5, to establish whether Strathclyde Partnership for Transport’s RMP was developed with proper regard to the elements of the Model Plan and is compliant with the Act. The assessment also considered whether there was sufficient supporting evidence of such compliance.

Key

The Keeper agrees this element of an authority’s plan.

The Keeper agrees this element of an authority’s plan as an ‘improvement model’. This means that he is convinced of the authority’s commitment to closing a gap in provision. He will request that he is updated as work on this element progresses.

There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Keeper may choose to return the RMP on this basis.

5. Model Plan Elements: Checklist

Lord Advocate and Procurators Fiscal

(Scheduled as two separate authorities) The RMP covering these two authorities ‘in common’ is submitted by the Crown Office & Procurator Fiscal Service described as ‘COPFS’ in the assessment.

Element	Present	Evidence	Notes
1. Senior Officer	G	G	The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority. The Lord Advocate and Procurators Fiscal (COPFS) have identified Anthony McGeehan, Deputy Crown Agent, Operational Support, as the individual with overall responsibility for records management in the organisation. The Keeper is aware that, since submission, the individual holding the position of Deputy Crown Agent, Operational Support has changed to Lindsey Miller. The Keeper has stipulated that a change in personnel, as long as the role remains the same, does not invalidate a RMP. The assessment below is based on the principle that the corporate responsibility for records management role accepted by Mr McGeehan is now passed to Lindsay Miller. The Keeper acknowledges that the current version of the Records Management Manual (see element 3) which was submitted in September 2024, correctly shows Ms Miller as having overall responsibility for records management. The identification of the Deputy Crown Agent to this role is supported by a Covering Letter from Mr McGeehan and by the Records Management Manual (see element 3), for example section two: "Anthony McGeehan, Deputy Crown Agent Operational Support , is the senior manager who has overall strategic responsibility for the RMP. This includes responsibility for the implementation of the RMP and for the issue and authorisation of all corporate retention schedules." The Deputy Crown Agent, Operational Support is the COPFS SIRO. The Deputy Crown Agent Operational Support reports directly to the Crown Agent who acts a ‘Chief Executive’ of the Organisation. The Keeper agrees that Lord Advocate and Procurators Fiscal have identified an appropriate individual to this role as required by the Act.
2. Records Manager	G	G	The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and that this staff member has appropriate corporate responsibility, access to resources and skills. The Lord Advocate and Procurators Fiscal (COPFS) have identified Marianne Burnett, Records Management and Data Handling Manager, as the individual with day-to-day responsibility for implementing the RMP. The identification of the Records Management and Data Handling Manager to this role is supported by the Records Management Manual – see element 3 - for example section 2. Which formally states that “Marianne Burnett Information Governance Unit is the Records Manager, with overall day-to-day responsibility for the implementation of the RMP". The Manual lists the responsibilities of the Records Manager and the Keeper agrees that these are appropriate. The Keeper has therefore been provided with the job requirements of the records manager as required. As a specific example, the Manual notes, at sections 2.6 and 7.6, that the Records Manager is responsible for "developing strategies for the permanent preservation of selected records with the National Records of Scotland" and that “If offices consider that they hold information which should be transferred to NRS for permanent preservation, they should contact the Records Manager at Crown Office in the first instance” (see element 7). The Keeper agrees that the Lord Advocate and Procurators Fiscal have identified an appropriate individual to this role as required by the Act
3. Policy	G	G	The Act requires an authority to have an appropriate policy statement on records management. COPFS have a Records Management Manual which includes a formal policy statement. The Keeper has been provided with a copy of this Manual. This is the version approved by the Information Governance Unit and by the Head of Policy in December 2022. The Records Management Manual is published online at Records management manual \| COPFS The Records Management Manual is a vital piece of guidance for staff and a key piece of evidence supporting the RMP. A single manual may provide a stronger business tool than several separate pieces of guidance. The records management policy section of the Manual is specifically endorsed by Deputy Crown Agent Operational Support, Anthony McGeehan (see element 1) in a Covering Letter dated December 2022. The Keeper agrees that the RMP supports the objectives of the records management policy in the Manual. The general policy specifically supports the RMP at Manual section 1.8 The Records Management Manual specifically references the Public Records (Scotland) Act (for example at page 4). In ‘further developments’ section against element 3 of the RMP COPFS state: “As part of our Strategic plan COPFS announced a new Digital Strategy plan to improve our services systems and the way we work.”. The Keeper has been provided with a copy of this Strategy and the corresponding Delivery Plan. The Keeper notes that the authority is “currently working to produce the new Digital Strategy 2024/25 in Q4 (Jan – March 2025. This will include the scope of our Next Generation Case Management Systems and strategic direction.” (Statement from September 2024 sent separate from the RMP submission). The Keeper would be interested in receiving the updated Digital Strategy when available in order that they may keep the COPFS submission up-to-date. COPFS have provided the Keeper with a screen-shot from the COPFS Intranet ‘Connect’ that shows staff have access to the Records Management Manual. The Keeper agrees that the Lord Advocate and Procurators fiscal have a formal records management policy statement as required by the Act.
4. Business Classification	G	G	The Keeper of the Records of Scotland (the Keeper) expects that the public records of an authority are known and are identified within a structure. COPFS recognise this. It is the policy of COPFS that “All staff have a responsibility to manage records effectively throughout their lifecycle, including access, tracking and storage of records; the timely review of records, whether this be for permanent preservation, or confidential destruction or recycling and, where appropriate, their ultimate disposal” (Records Management Manual – see element 3 - section 1.9). COPFS staff are instructed in the Records Management Manual (section 3.5) that "Records should be arranged in a logical filing system, so that files and documents can be quickly located and retrieved and easily identified when the time comes for review or destruction." Identification of the public records of the authority COPFS divide their public records into two categories. The records of the authority are described as being either ‘case-related’ or ‘non-case-related’. Both record types appear in a combined fileplan/retention schedule which forms the Business Classification Scheme. The Keeper has been provided with a copy of this document and notes that it follows a functional pattern. This must remain a business decision for the authority, but the Keeper acknowledges that a functional system, as demonstrated here, is currently considered best-practice. Records are arranged by: Function/Activity/Transaction/Record Type/Description of Records/Retention period/Disposal Action/Rationale/Vital Status/Owner For example: Office Services/In House Printing/Administrative/IHP Stats - log in of all workload which calculates the amount of prints/Retain for 3 years and destroy thereafter/Confidential Destruction/Operational Requirement/Vital/OFS Staff. (see element 5 for more around retention). The Keeper agrees that the Business Classification Scheme considers all record types in all formats (although the format is not stipulated in the scheme). Records-Keeping Structure COPFS manage records in a hybrid system: Public records are held digitally in a cloud-based document management system and on bespoke line-of-business systems. There are also public records managed in hard-copy format although this is being phased out. COPFS have provided a Covering Letter from Anthony McGeehan, Deputy Crown Agent Operational Support (see element 1) in which he states: “As we emerge from COVID, COPFS is on a journey from being a paper-based to a digital service, with the aim of improving the quality of our services, optimising resources and delivering efficiencies to meet the needs and expectations of our stakeholders, customers and our people. The RMP focuses on these planned developments and maximising the benefit to our new Records Management processes.” The Keeper recognises that COPFS are following a ‘digital first where possible’ principle in record keeping. Digital: The COPFS non-case-related records are managed on the M365 cloud platform. The authority states “COPFS has now fully migrated to Microsoft 365, making use of their packages to allow for a more structured and seamless way of working online and managing our non-case related files.” (RMP 'further developments' under Element 3). Digital Line of Business Systems: The COPFS case-related records are managed on specialised line-of-business systems “The vast majority of case work is now completed online with all offices moving to Full Electronic Record compliance.” (RMP statement against element 11). COPFS operate several stand-alone systems for example in a case management system, a ministerial correspondence system and a 'Respond' system. These line-of-business systems sit outside eDRM, but the Keeper can agree that they are likely to allow the appropriate management of records within a structure as required. The use of these is explained to staff in detail in the Records Management Manual (for example throughout section 5). Digital shared drives –COPFS currently use the M365 platform, as noted above, but maintain a some public records on networked drives. The authority’s Records Management Group has reviewed these drives and is clear what records are held in this system. They commit to “ensure consistency in retentions and metadata, naming conventions”. COPFS have had initial engagement with a third-party consultant as part of a discovery and analysis exercise into the functionality of M365 and further discussions are ongoing to establish the most appropriate approach to using M365 to manage record currently held on network drives. However, the Keeper recognises that it is likely that certain record formats will not easily transfer to M365 and the use of network drives may be required, in a limited extent, going forward. It is noted that COPFS clearly recognise that importance on ensuring that the records management provision imposed on the main system should also be replicated in network drives. Physical In-House: Including Audio/Video/DVD recordings and photographs (Records Management Manual 6.39). Although the majority of COPFS’s records are now created digitally (see statement from the Deputy Crown Agent noted above) the authority is still required to manage legacy hard-copy records. The Keeper acknowledges that these are listed in the Business Classification Scheme (for example the print log example given above). The Keeper has been provided with details of the systems in place to ensure that COPFS can be confident that these records can be stored, retrieved and destroyed/archived when appropriate. For example, details of how staff should manage hard-copy records, both in offices and in a COPFS outstore, is included in the Records Management Manual (for example section 6). The Keeper notes that COPFS are currently engaged in a scanning project to convert some hard-copy records to digital (see RMP compliance statement against element 13). On this matter COPFS have provided the following statement (September 2024): “COPFS have are in the process of migrating to fully electronic online working to support CMIC (Case Management In Court). Previously, files received by COPFS are born digital but through the investigation process, cases are printed from the system and hard copy papers are pulled together to create a case file and amendments then made to the hard copy papers. Since 2018, all summary cases have been fully electronic to support CMIC. To achieve this, we worked with staff to ensure all paper files were scanned into the system and named appropriately to ensure consistency. This was monitored by management. Present day, we are working with Sheriff and Jury and High Court & Specialist teams to assist them in converting to working fully electronic, however this is more difficult due to the size of their cases. COPFS are currently working alongside NRS to pilot an Electronic transfer of closed cases.” Physical Third-Party Record Store: COPFS no longer manage physical records through a third-party record store. E-mail: COPFS clearly recognise the risks inherent in e-mail and the importance of ensuring that records created in Outlook are done so securely and can be properly located and identified by consistent naming practices and by saving to the central, accessible, records management system (SharePoint). For example, section 8 of the Records Management Manual clearly recognizes the risk of e-mail (particularly the temptation to store in personal storage areas rather than in a way the offers appropriate access to those who need it). This is quite detail guidance including 8.5 which gives advice around auto-destruction of e-mail (see element 6) and 8.8 which sets out the dangers of using e-mail to send sensitive or confidential information (see element 8). Staff are given guidance on the dos and don’ts of using e-mail in a simple bullet-point style (also Manual section 8). This is a clever way of laying out ‘at a glance’ guidance particularly in a large document. The Keeper notes that the compliance statement against element 14 states "COPFS is signed up to Criminal Justice Secure Mail (CJSM), a secure email system set up by the Ministry of Justice in London to provide a mechanism for secure electronic communication between criminal justice agencies in England and Wales. It is now widely used in Scotland and Ireland and enables members to communicate securely with anyone who has a .gov .pnn.gsx .gcsx and .nhs.net email address." At several points in the Records Management Manual staff are instructed to ensure that corporate records are not managed in personal workspaces (such as mailboxes). For example Manual section 3.6 "Adequate shared record keeping systems must be developed to ensure that documents are not stored in personal files or mailboxes, but can be located and retrieved when required.” There are risks associated with staff storing records in ‘hidden’ personal areas and it clear that COPFS recognise this and strongly encourage staff to avoid this. Although, as noted elsewhere, being a 2017 document it does not highlight the availabity of shared, controlled, SharePoint spaces. The Keeper agrees that The Lord Advocate and Procurators fiscal retains all its public records in controlled systems which are structured in a clear manner and which can be used by staff to manage public records where appropriate.
5. Retention schedule	G	G	The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule. COPFS make it clear that retention decisions are applied to all public records in the organisation. They state: “These Schedules relate to both case-related and non-case related material, and to hard copy and electronic records” (RMP compliance statement against element 5) (see element 4 for more on record format). COPFS operate a combined fileplan/retention schedule that they term their Business Classification Scheme (see element 4). It is set out in a functional scheme with four levels Function/Activity/Transaction/Record Type. As sample entry from the Business Classification Scheme, which has been provided to the Keeper in its entirety, might be: Level 1 Function - Sheriff & Jury Level 2 Activity - Records Management Level 3 Transaction - Physical Records management Record Type - Records management database Description of Records - Database of all paper and electronic files kept within the function Retention Period - Destroy once superseded Disposal Action - Retain for Operational Purposes Rationale - Business Need VITAL Owner - Senior Business Manager General retention decisions against record types are advertised to staff through the Records Management Manual (sections 5 and 6). However, it is obviously impossible to update this document each time there is an amendment to retention and so the Business Classification Scheme remains the organisation’s key tool against this element. For example, the Keeper notes that, due to an ongoing public inquiry, destruction against retention has been temporarily suspended. This is quite proper. A retention schedule is a living document subject to change as business requires. It is welcome that COPFS recognise this. The Keeper is satisfied that all record types created or stored by COPFS are included in the Business Classification Scheme and therefore: The Keeper agrees that the Lord Advocate and Procurators Fiscal has a schedule providing retention decisions for the record types created while pursuing its functions.
6. Destruction Arrangements	G	G	The Act requires that public records are destroyed in a timely, controlled and secure manner. COPFS state that they are “committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposal or archive” (RMP compliance statement against element 3). “Records are a vital information asset and a valuable resource for the COPFS functions and must be managed effectively from the point of their creation until their ultimate disposal.” (Records Management Manual - see element 3 - page 5) “All staff have a responsibility to manage records effectively throughout their lifecycle, including access, tracking and storage of records; the timely review of records, whether this be for permanent preservation, or confidential destruction or recycling and, where appropriate, their ultimate disposal” (Manual section 1.9). COPFS staff are instructed in the Records Management Manual (section 3.5) that "Records should be arranged in a logical filing system, so that files and documents can be quickly located and retrieved and easily identified when the time comes for review or destruction." With this in mind COPFS have issued staff guidance on the disposal of records “Retaining and disposing of records” (Records Management Manual section 3) which has been provided to the Keeper. This guidance explains the destruction process that should be applied to records in different formats and how these processes should be recorded. The Keeper has been provided with a screen shot showing staff access to information governance policies and guidance. For more regarding the different formats featured in the authority’s records management systems see element 4 above. Digital: The vast majority of the non-case-related records of COPFS are managed on M365. As such they are subject to the automated destruction processes of that system. Digital Line of Business Systems: These line-of-business systems sit outside the main records management system and are primarily used for managing case-related records. The Keeper can agree that they are likely to allow the destruction of public records within a retention framework as required. However, see note at element 4 around possibly revisiting certain legacy line-of-business systems functionality in the future. Physical In-House: The Records Management Manual describes procedures for the disposal of paper waste (confidential or otherwise). This work is undertaken by a third party contractor. COPFS have provided the Keeper with destruction certificates as evidence that this arrangement is in operation. Physical Third-Party Records Store: COPFS no longer utilise the services of a third-party record store. E-Mail: E-mail must be saved into the main records management system or is subject to autodelete through the Enterprise vault system. The Keeper is familiar with this system and agrees that it is appropriate to assist public authorities ensure that e-mail records are not retained beyond legitimate business use. Hardware: Redundant equipment that may contain public records are destroyed under contract. The Keeper has been provided with evidence that this disposal system is operational. Back-ups: COPFS, quite properly, back-up digital records for business continuity purposes. The Keeper has been provided with a statement explaining the back-up procedure and the availability of public records, using this recovery system, beyond their allocated retention period. In the original 2016 agreement, the Keeper said "The Keeper can agree this Element on an ‘improvement model’ basis. This means that the authority has identified a gap in provision (deletion of electronic records and backups) and has evidenced a commitment to closing this gap. This agreement is conditional upon the Keeper being kept informed of progress as work in this area moves forward." The Keeper can now agree that the adoption of the M365 platform as a records management system has resolved the first of these points as it includes robust deletion functionality. As COPFS have also provided a statement around the availability of ‘backed-up’ records they can now agree that this element is now compliant.
7. Archiving and Transfer	A	G	The Act requires that all Scottish public authorities identify a suitable repository for the permanent preservation of any records considered suitable for archiving. A formal arrangement for transfer to that repository must be in place. COPFS state that they are “committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposal or archive” (RMP compliance statement against element 3). “All staff have a responsibility to manage records effectively throughout their lifecycle, including access, tracking and storage of records; the timely review of records, whether this be for permanent preservation, or confidential destruction or recycling and, where appropriate, their ultimate disposal” (Records Management Manual – see element 3 - section 1.9). The benefits of permanent preservation of some of the public records of COPFS are explained in the Records Management Manual (section 7.4) COPFS have identified the National Records of Scotland as the proper repository for the small selection of their public records suitable for permanent preservation. Some of the public records of COPFS will therefore become part of the national collection. NRS is an accredited archive https://www.nrscotland.gov.uk/news/2015/national-records-of-scotland-receives-archive-accreditation-award and fully adheres to the Keeper’s Supplementary Guidance on Proper Arrangements for Archiving Public Records: https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/supplementary-guidance-on-proper-arrangements-for-archiving-public-records.pdf Archive transfer arrangements operate under the terms of a memorandum of understanding (MOU). This has been supplied to the Keeper in evidence. However, this is quite out-of-date (for example it refers to the 1998 Data Protection Act). On this matter COPFS have provided the following statement: “COPFS are currently working alongside NRS to pilot an Electronic transfer of closed cases. NRS colleagues are also invited to our regular monthly meeting to provide advice and guidance.” The Keeper is satisfied that COPFS have adequate input to how preservation decisions are allocated to particular record types (see for example Records Management Manual – see element 3 – Sections 6.11 and 10). Although it is the COPFS Records Manager who liaises directly with NRS, the 'lead official' must review the contents of a file to determine whether it should be transferred to NRS in the first place (Manual section 7.46). Staff guidance on preparing public records for archive transfer (particularly in the case of digital records) is available and has been shared with the Keeper. The COPFS website has been selected for preservation as part of the NRS Web Continuity Service: Archive Timeline (nrscotland.gov.uk) Awaiting an updated transfer agreement, the Keeper can agree this element of the Lord Advocate and Procurators Fiscal’s Records Management Plan under Improvement Model terms
8. Information Security	G	G	The Act requires that public records are held in accordance with information security compliance requirements. COPFS state that they are “committed to a systematic and planned approach to the management of records within the organisation, from their creation to their ultimate disposal or archive. This approach will ensure that COPFS can: Control the quality, quantity and security of the information that it generates” (RMP compliance statement against element 3). It is the policy of COPFS that “All staff have a responsibility to manage records effectively throughout their lifecycle, including access, tracking and storage of records; the timely review of records, whether this be for permanent preservation, or confidential destruction or recycling and, where appropriate, their ultimate disposal” (Records Management Manual section 1.9). With these commitments in mind COPFS have provided the Keeper with the authority’s Departmental Security Guidance (version dated 20 October 2021). This guidance contains a suite of supplemental policies and guidance such as staff instructions to impose physical security on COPFS offices; the organisation’s social media policy and instructions on how to report security breaches (actual or potential). Operating a single information security guidance document, rather than a framework of multiple separate items, is liable to create stronger tool for staff (but obviously, as with the Records Management Manual harder to keep up to date). E-Mail Compliance statement against element 14 states "COPFS is signed up to Criminal Justice Secure Mail (CJSM), a secure email system set up by the Ministry of Justice in London to provide a mechanism for secure electronic communication between criminal justice agencies in England and Wales. It is now widely used in Scotland and Ireland and enables members to communicate securely with anyone who has a .gov .pnn .gsx .gcsx and .nhs.net email address." The Departmental Security Guidance document is available to staff on the intranet COPFS have provided a screen-shot from the intranet to show staff access to the Departmental Security Guidance. The Keeper agrees that the Lord Advocate and Procurators fiscal have procedures in place to appropriately ensure the security of their records as required by the Act.
9. Data Protection	G	G	The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law. Crown Office And Procurator Fiscal Service is registered as a data controller with the Information Commissioner’s Office (ICO): Z6396154 It should be noted that, due to the nature of their function, COPFS are subject to the Law Enforcement Directive and relevant law enforcement clauses in data protection legislation (for example Part 3 of DP2018). COPFS have a Data Protection Manual. The Keeper has been provided with a copy of this Manual. The Data Protection Manual is available to staff on the intranet COPFS have provided a screen-shot from the intranet to show staff access to the Data Protection Manual. Members of the public are made aware of their rights and how they can make a subject access request at: Privacy notice \| COPFS Request personal data \| COPFS The compliance statement against element 14 states that “The renewed external website will also have the capability to process requests for SAR’s and complaints also.” This improvement appears to have been completed since submission: Subject access request (SAR) form \| COPFS The Records Management Manual (see element 3) supports the data protection processes in COPFS (for example at page 5). As required by data protection legislation, COPFS have identified a Data Protection Officer. This is the Head of Information Governance and Security Assurance (IGSAU). The Keeper agrees that the Lord Advocate and Procurators fiscal have arrangements in place that should allow them to properly comply with data protection legislation.
10. Business Continuity and Vital Records	G	G	The Keeper expects that record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning. The Records Management Manual (see element 3), section 3.16 states "Business continuity plans must include reference to the protection and recovery of records"; “We must ensure business continuity, minimise risk and protect the rights of individuals about whom we hold information” and “Business Continuity Plans will be produced, maintained and tested” (Manual section 9). With these commitments in mind, COPFS confirm in the RMP that “a number of Business Continuity and disaster recovery plans” are in place (RMP compliance text against element 10). The Keeper has been provided with a detailed statement from the COPFS Head of Information Services Division explaining the situation and stating that they are content that record recovery is embedded in emergency planning. The Keeper acknowledges that the statement confirms that record recovery is included in business continuity arrangements. The Keeper understands and accepts that “COPFS are unable to provide full policy documents on this due to the sensitivity of the information”. The Keeper commits that they will not publish any of the evidential documents provided by an authority, including the statement supplied, (or the RMP itself for that matter) without specific approval. Vital Records Vital records are identified against their entry in the COPFS Business Classification Scheme (see elements 4 and 5 above) The Keeper can agree that the Lord Advocate and the Procurators fiscal have an approved and operational business continuity process and that information management and records recovery properly feature in the authority’s plans.
11. Audit trail	G	G	The Keeper expects an authority to have processes in place to track public records in such a way that their location is known and changes recorded. COPFS recognise this. It is the policy of COPFS that “All staff have a responsibility to manage records effectively throughout their lifecycle, including access, tracking and storage of records; the timely review of records, whether this be for permanent preservation, or confidential destruction or recycling and, where appropriate, their ultimate disposal” (Records Management Manual – see element 3 - section 1.9). COPFS staff are instructed in the Records Management Manual (section 3.5) that "Records should be arranged in a logical filing system, so that files and documents can be quickly located and retrieved and easily identified when the time comes for review or destruction." “It is essential to ensure the authenticity, confidentiality, context, integrity, reliability, structure and usability of records and information held in all media and formats...COPFS must ensure that records are easy to retrieve, protected from deterioration/damage and unauthorised access” (Records Management Manual, Security Considerations section - see also element 8). Digital: COPFS are now “fully migrated to Microsoft 365” (see element 4. This system automatically applies version control to records. However, in order to fully utilise the powerful search ‘e-discovery’ features in M365 consistent naming of records should be pursued. The Keeper acknowledges that COPFS have issued staff with the corporate naming conventions in the Records Management Manual (for example at section 7). Which includes file naming conventions and other 'creation' instructions, for example how to deal with review periods and attachments. As with other parts of the Records Manual, including under paper-records (see below), the Manual also includes a ‘what not to do’ section which appears a useful addition to staff guidance. Digital Line of Business Systems: The Keeper can agree that line-of-business systems used in COPFS are liable to have record location functionality embedded. However, see comment against line-of-business systems under element 4 above. Physical In-House: In order to track and identify hard-copy records in COPFS “A full list of the paper files is to be made available to all staff involved in the particular area of work. This will be maintained by an identified member of staff” (Records Management Manual section 7.40). The Manual goes on to explain what appears to be an appropriate file registry system for document tracking and a “Principles for Good Filing Practice – Paper” section (7.5 also 9.6). As hard-copy records are principally legacy, the Keeper can agree that this instruction is current. Physical Third-Party Records Store: See above. At several points in the Manual staff are instructed to ensure that corporate records are not managed in personal workspaces (such as mailboxes). For example Manual section 3.6 "Adequate shared record keeping systems must be developed to ensure that documents are not stored in personal files or mailboxes, but can be located and retrieved when required.” There are risks associated with staff storing records in ‘hidden’ personal areas and it clear that COPFS recognise this and strongly encourage staff to avoid this. The Keeper agrees that The Lord Advocate and Procurators Fiscal has procedures in place that will allow them to locate their records and assure themselves that the located record is the correct version.
12. Competency Framework for records management staff	G	G	The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported. Section 2 of the Records Management Manual – see element 3 - lays out the COPFS Records Manager Competency Framework (the identification of a records management competency framework is a key commitment in the RMP). This shows that the Records Manager (see element 2) has attended a two-day professional course in records management practices and has a specific requirement within their job description to attend training workshops and records management conferences at least twice a year to “ensure that skills and knowledge are kept up to date”. Manual section 2 details expectations under the framework which the Keeper agrees are appropriate to the role. The Records Manager, under the competencies, is expected to disseminate records management advice to relevant staff in COPFS. In this they are assisted by the Information Governance Unit (see Key Group under General Comments below) who have responsibility for “issuing corporate guidance for implementing and complying with [The Records Management Manual].” COPFS staff are required to undertake mandatory annual training around information security and data protection issues. This is commitment in the Records Management Manual (for example section 9). Also a new e-learning module has been created to inform staff of the importance of accurate data and keeping information safe. This is now also a mandatory module. Records of when staff completed the mandatory courses are kept. Changes to, and reminders of, records management and information security procedures are addressed at team briefings and through regular “Top Tips” appearing on the COPFS intranet. The Intranet is also home to the “Keeping information safe” guidance pages. COPFS have provided a PowerPoint example of a training module and a screen shot of the “Keeping information safe” home page as evidence. The Keeper agrees that the individual identified at element 2 has the appropriate responsibilities, resources and skills to implement the records management plan. The Keeper is also able to agree that The Lord Advocate and Procurators Fiscal consider information governance training for staff as required.
13. Assessment and Review	A	G	Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review. Since the Keeper’s original agreement in 2016 COPFS have been reviewing their records management provision paying attention to those elements (such as this one) that were graded with an amber RAG status by the Keeper. They state “As part of our commitment to comply with the PRSA, the Records Management Project was reconvened. Areas of work were identified where further compliance was required. Staff from all areas of COPFS have been involved in the work. Progress has been communicated to all staff through a variety of methods so that all staff are aware of our obligations under PRSA.” The involvement of local business areas in this review is commendable as it is liable to highlight local issues and to encourage buy-in. The review has highlighted several specific issues that need addressed and these have been shared with the Keeper. Much of this refers to a move to a digital first approach utilising the records management capabilities of the M365 platform and moving away from storage of paper records (see element 4). The general review is, however, clearly still a work in progress and this element will remain at amber. Hopefully once COPFS are satisfied that they have appropriate records management provision in place throughout the organisation, the review of the RMP can be a scheduled (annual?) business as usual action. The compliance statement against this element goes on to suggest that COPFS will engage with the Keeper’s Progress Update Review process going forward. This is welcome: Progress Update Reviews \| National Records of Scotland (nrscotland.gov.uk) The Records Manager (see element 2), through a ‘Records Management project’ is responsible for the records management review (of the RMP and the supporting documents - see below) with overall responsibility falling to the Deputy Crown Agent, Operational Support (see element 1). It is expected that the Records Management Network group (see under General Comments below) will assist when established. As noted above, this element was originally graded amber. In 2016 Keeper said "The Keeper can agree this element on an ‘improvement plan’ basis. This means that a gap in records management provision has been identified (methodology for assessing compliance with the RMP) and a commitment to closing this gap has been evidenced. The Keeper requests that he is kept updated as the work to close this gap continues." The Keeper acknowledges that a methodology has now been established. However, the full review is not yet complete. The Records Management Manual (see element 3) is scheduled for review by December 2024. The COPFS Data Sharing Template is currently under review (see element 14). The COPFS Business Continuity Plans are currently under review (see element 10). Retention schedules will be reviewed annually following the publishing of the COPFS Annual Business Plan (see element 5). COPFS commit to review information security policies and systems ‘regularly’ (RMP ‘Further Developments’ against element 8). These reviews include "comprehensive independent IT network health checks, penetration tests and detailed review of technical and policy documentation." (Records Management Manual – see element 3 - section 1.10 and 15). Regular checks are also carried out with regard to the access to case-related information to ensure that only those with a direct involvement in a case view sensitive personal data (see element 8). The Keeper agrees this element of the Lord Advocate and the Procurators fiscal’s Records Management Plan under improvement model terms. This indicates that, at time of submission, a full review of records management provision was ongoing. Once this work is successfully completed the Keeper would expect the element to become fully compliant and a routinely scheduled, review of the plan put in place as business as usual.
14. Shared Information	G	G	The Keeper expects a Scottish public authority to ensure that information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled. COPFS have created a data sharing template and staff guidance document both of which have been shared with the Keeper. The Guidance is v1.0 dated 2021. COPFS inform the Keeper that they are currently undergoing a review of the data sharing agreements. The routine review of arrangements for sharing information is best-practice. Active Information Sharing Agreements are published on the COPFS web site. For example between COPFS and the Police: Sharing of evidence in cases involving children \| COPFS. The Keeper is therefore satisfied that the arrangements explained in the RMP are operational. The Keeper notes that, in this case, sensitive information is shared through as secure link POLIN. Other similar systems are used for the transfer of information (such as COPLINK). The Keeper notes that COPFS also share sensitive information with defence agents through a Secure Disclosure Website. The details of this are explained at section 5.14 of the Records Management Manual (see element 3). These are examples of secure information sharing tools that are operated under the terms of the relevant data sharing agreement. The Keeper acknowledges that the staff guidance document includes reference to data protection legislation (section 5) information governance (section 6) and actions to be taken at the closure of the data sharing agreement (also section 6). Closure instructions specifically instruct staff to “Provide details of the process involved when the DSA has reached its conclusion. This should include whether the data is retained or destroyed. If it is destroyed this section should detail how this is carried out ensuring that the data is destroyed at the appropriate HMG Standard.” These are important, and occasionally overlooked, clauses and their inclusion is welcome. The RMP compliance statement against element 14 states that "Ensuring that sensitive personal data is shared securely is of paramount importance and full guidance, reviewed and updated regularly, is available to all staff." The Keeper has been provided with a screen shot showing that staff can access the guidance this through the COPFS intranet.. The Keeper agrees that the Lord Advocate and Procurators Fiscal properly considers records governance when undertaking information sharing programmes.
15. Public records created or held by third parties	N/A	N/A	The Public Records (Scotland) Act 2011 (PRSA) makes it clear that records created by third parties when carrying out the functions of a scheduled authority should be considered ‘public records’ - PRSA Part 1 3 (1)(b). Although they have otherwise followed the Keeper’s Model Plan in the structure of their RMP, COPFS have chosen not to include a separate ‘element 15’ Model Records Management Plan \| National Records of Scotland (nrscotland.gov.uk). However, they are quite clear in the Records Management Manual (section 1.12) that “No function of COPFS is carried out by a third party.” And the Keeper can, therefore, agree this element does not apply to this authority.

General Notes on submission

Version: This assessment is on the Crown Office & Procurator Fiscal Service Records Management Plan (the RMP) submitted to the Keeper for his agreement on 30th December 2022. This is the version approved on 30th May 2020. The RMP was approved by the Deputy Crown Agent Operational Support (see element 1). The Keeper originally agreed the Records Management Plan of the Lord Advocate and Procurators Fiscal in 2016: Lord Advocate and Procurators Fiscal Assessment Report (nrscotland.gov.uk)

The authority refers to records as a business asset (for example Records Management Manual – see element 3 - page 5). This is an important recognition and the Keeper commends it.

The COPFS have a Strategic Plan published at: https://www.copfs.gov.uk/media/i4caytmn/copfs-strategic-plan-2023-27.pdf The Keeper notes that robust records management processes will assist the authority to meet several of the outcomes indicated in this strategy. For example: “We work innovatively and efficiently to maximise our resources and deliver a high-quality public service” (Strategic Plan page 10) and “We will provide our colleagues with effective digital tools, systems, and processes to enable them to be successful at work” (page 14)

Key Group: Information Governance Unit (IGU)

The Information Governance Unit has responsibility for:

Issuing corporate guidance for implementing and complying with the [Records Management Manual] (see element 3)

Issuing guidance to ensure that staff are made aware of the requirement for the destruction of records to comply with obligations under the Data Protection Act 2018 and Freedom of Information (Scotland) Act 2002. (see element 9)

Developing strategies for the permanent preservation of selected records with the National Records of Scotland (see element 7)

Directing staff to the appropriate information legislation and standards

The COPFS Records Manager has created a new Records Management Sub Group to assist in the review of their Records Management Manual and retentions. This group will also have responsibility for implementing changes and reviewing local arrangements to ensure consistency.

Local Records Management

The branch heads of local business areas are responsible for identifying who in their area will have a records management support role and to ensure that these individuals (and other staff where relevant) have “appropriate records management knowledge and skills, through training, where appropriate.” These ‘champions’ take “local responsibility for records management functions, most particularly with regard to the retention and destruction of records.” They also have a responsibility to maintain, review and delete electronic folders as required and must maintain a record with the common folder of all deleted folders for audit purposes. They are also responsible for maintaining a paper file register for their business area. A list of responsibilities, including those around information security, are detailed at Records Management Manual section 9.6.

Local 'champions’ have their records management responsibility included in their formal objectives. This is commended.

Regular meetings will take place between the Records Manager (see element 2) and nominated staff to ensure that consistent practices are adopted across COPFS. This is all explained in detail in the Records Management Manual section 2. T

Outside the work of the local records management champion, the Records Management Manual instructs the 'lead official' on a case to review the contents of a file to determine whether it should be transferred to NRS (See element 7, Manual section 7.46)

6. Keeper’s Summary

Elements 1 - 15 that the Keeper considers should be in a public authority records management plan have been properly considered by the Lord Advocate and the Procurators fiscal. Policies and governance structures are in place to implement the actions required by the plan.

Elements that require development by the Lord Advocate and the Procurators fiscal are as follows:

7. Archiving and Transfer
13. Assessment and Review

7. Keeper’s Determination

Based on the assessment process detailed above, the Keeper agrees the RMP of the Lord Advocate and the Procurators fiscal.

The Keeper recommends that the Lord Advocate and the Procurators fiscal should publish its agreed RMP as an example of good practice within the authority and the sector.

This report follows the Keeper’s assessment carried out by,

Pete Wadley
Public Records Officer

Liz Course
Public Records Officer

8. Endorsement of Report by the Keeper of the Records of Scotland

The report has been examined and is endorsed under the signature of the Keeper of the Records of Scotland as proof of compliance under section 1 of the Public Records (Scotland) Act 2011, and confirms formal agreement by the Keeper of the RMP as submitted by the Lord Advocate and the Procurators fiscal. In agreeing this RMP, the Keeper expects the Lord Advocate and the Procurators fiscal to fully implement the agreed RMP and meet its obligations under the Act.

Laura Mitchell
Deputy Keeper of the Records of Scotland
Direct Email: RG-Keeper@nrscotland.gov.uk

File downloads

Assessment report: Lord Advocate and Procurators Fiscal - 3 December 2024

File type: PDF,
File size: 338.4 KB