1. Public Records (Scotland) Act 2011
The Public Records (Scotland) Act 2011 (the Act) received Royal assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came fully into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.
The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor record keeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.
The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.
2. Executive Summary
This report sets out the findings of the Keeper’s assessment of the RMP of Scottish Environment Protection Agency (SEPA) by the Public Records (Scotland) Act 2011 Assessment Team following its submission to the Keeper on 28th March 2024.
The assessment considered whether the RMP of Scottish Environment Protection Agency (SEPA) was developed with proper regard to the 15 elements of the Keeper’s statutory Model Records Management Plan (the Model Plan) under section 8(3) of the Act, and whether in this respect it complies with it and the specific requirements of the Act.
The outcome of the assessment and the Keeper’s decision on whether the RMP of Scottish Environment Protection Agency (SEPA) complies with the Act can be found under section 7 of this report with relevant recommendations.
3. Authority Background
The Scottish Environment Protection Agency (SEPA) is Scotland’s principal environmental regulator, protecting and improving Scotland’s environment. Their role is to make sure that the environment and human health are protected, Scotland’s natural resources and services are used as sustainably as possible and to use their powers to contribute to sustainable economic growth. They constantly assess the quality of the environment by monitoring air, land, and water. They use their findings to advise government, industry, and the public on environmental best practice.
4. Keeper’s Assessment Process
The RMP was assessed by the Public Records (Scotland) Act Assessment Team on behalf of the Keeper. Assessors used the checklist elements listed in section 5, to establish whether SEPA’s RMP was developed with proper regard to the elements of the Model Plan and is compliant with the Act. The assessment also considered whether there was sufficient supporting evidence of such compliance.
Key
G | The Keeper agrees this element of an authority’s plan.
A | The Keeper agrees this element of an authority’s plan as an ‘improvement model’. This means that he is convinced of the authority’s commitment to closing a gap in provision. He will request that he is updated as work on this element progresses.
R | There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Keeper may choose to return the RMP on this basis.
5. Model Plan Elements: Checklist
Scottish Environment Protection Agency (SEPA)
Element | Present | Evidence | Notes
1. Senior Officer | G | G
The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority.
SEPA have identified Kieron Gallagher, Head of Governance, Risk and Resilience, as the individual with overall responsibility for records management in the organisation.
The identification of the Head of Governance, Risk and Resilience to this role is supported by a Covering Letter from Nicole Paterson, Chief Executive, dated 26th March 2024, by the Information Management Policy, for example section 8.1, and by the SEPA Information Framework ‘Roles and Responsibilities’ section (for both the Policy and the Framework see element 3).
The Head of Governance, Risk and Resilience approved the Records Management Plan (the RMP).
The Head of Governance, Risk and Resilience also approved the Information Management Policy, the SEPA Information Framework, the Information Security Policy (see element 8) and the Data Protection Policy (see element 9).
The Head of Governance, Risk and Resilience leads SEPA’s Information Oversight Group. “This cross-organisation group meets regularly to coordinate, develop, and oversee the delivery of plans and projects to improve data protection, information governance and information management.” (RMP page 6) and is also a member of the Organisational Workstream and Systems and Information Transformation leadership groups. “These groups meet regularly to review progress with business-as-usual and transformational change delivery plans respectively.” (RMP page 12). The Head of Governance, Risk and Resilience also sits on the Security Incident Response Group. “This group deals with all security incidents including information security, personal data breaches, physical security, loss, or theft of SEPA equipment, and cyber security.” (RMP page 31)
It is clear from the above that the Head of Governance, Risk and Resilience is closely aware of the records management provision in SEPA.
The RMP identifies the Head of Governance, Risk and Resilience as having responsibility for each element of the RMP (sometimes jointly).
The Keeper agrees that the Scottish Environment Protection Agency have identified an appropriate individual to this role as required by the Act.
2. Records Manager | G | G
The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and that this staff member has appropriate corporate responsibility, access to resources and skills.
SEPA have identified the Information Governance Manager, as the individual with day-to-day responsibility for implementing the RMP.
The identification of the Information Governance Manager to this role is supported by the Information Management Policy, for example section 8.2, by the SEPA Information Framework ‘Roles and Responsibilities’ section (for both the Policy and the Framework see element 3), by the Information Asset Owner’s Handbook section 8.1.2 (see Local Records Management under General Comments below) and by the Information Security Policy (see element 8) section 8.4.
It is also supported by the Information Governance Manager Job Summary and the Information Manager Role Description both of which have been provided to the Keeper.
The Information Governance Manager prepared the RMP.
The Information Governance Manager also prepared the Information Management Policy and the Information Security Policy (see element 8) and approved the Information Asset Owners Handbook.
The Information Governance Manager is a member of the Information Oversight Group (see under General Notes below).
The Information Governance Manager has a responsibility “to lead, manage and develop the planning, organisation and delivery of output for the Information Governance Team, ensuring integration with other SEPA activities and that all performance objectives are met. To provide technical quality management and have overall responsibility for the output of the team. Participating in functional management and task and working groups and deputise for the Head of function as required.” (Information Asset Owner's Handbook section 7.2).
It is clear from the above that the identified individual has a detailed knowledge of the records management provision in the authority.
The Information Governance Manager is engaged at a strategic level on decisions on the latest developments in M365 (see element 4).
The Information Governance Manager is required to undertake Level Three in the SEPA Information Learning Programme (see element 12).
The Keeper agrees that the Scottish Environment Protection Agency has identified an appropriate individual to this role as required by the Act.
3. Policy | G | G
The Act requires an authority to have an appropriate policy statement on records management.
SEPA have an Information Management Policy. The Keeper has been provided with a copy of this Policy. This is version 2.0 dated February 2024.
SEPA have provided the Keeper with a screenshot showing staff access to the Policy.
The Keeper agrees that the RMP supports the objectives of the Information Management Policy.
The objectives of the Information Management Policy are also supported by SEPA’s Information Asset Owners Handbook which has also been provided to the Keeper. This is version 1.0 dated January 2023 (see also Local Records Management under General Comments below) and by an Information Framework version 1.0 dated May 2023. The Framework specifically mentions compliance with the Public Records (Scotland) Act.
The Keeper agrees that the Scottish Environment Protection Agency has a formal records management policy statement as required by the Act.
4. Business Classification | A | G
The Keeper of the Records of Scotland (the Keeper) expects that the public records of an authority are known and are identified within a structure.
SEPA recognise this. It is the policy of SEPA that “We will manage and protect our information in ways that mitigate the risks and ensure that our information is: managed appropriately throughout its lifecycle.” (Information Framework – see element 3 - page 7)
SEPA staff are instructed that “As a public body, we have a legal obligation to capture, manage and preserve our information in an organised way, that maintains its confidentiality, integrity and availability.” (Information Asset Owner’s Handbook – see Local Records Management under General Notes below – Introduction)
Identification of the public records of the authority
SEPA have a Business Classification Scheme an extract of which has been provided to the Keeper. The Business Classification Scheme provides good guidance for staff at the start and is based on a straightforward function/activity scheme.
SEPA are also developing an Information Asset Register (IAR) which should capture all of the organisation’s information assets. The Keeper has been provided with a sample of the IAR template. Information Asset Owners are required to ensure that the Register is correct for their local business areas. The use of local staff in this step is commended as being more likely to highlight discrepancies and to engender buy-in from staff. For example, in regard to the M365 roll-out (see below) SEPA instruct local business areas as follows: “We are currently developing SharePoint sites to organise our information. The people in your Function who are developing those sites should be part of your information team. You also need people who understand how your physical information is stored, both on-site and in off-site storage.” (See Local Records Management under General Notes below).
Records-Keeping Structure
SEPA manage records in a hybrid system: Public records are held digitally in a cloud-based document management system and on bespoke line-of-business systems. There are also public records managed in physical format in-house and through a third-party storage supplier. This is acknowledged by SEPA "Most new records are electronic, though we still hold physical records. The policies, procedures and associated guidance in this Plan apply to all records held by SEPA regardless of format." (RMP page 3/4)
Digital: “We are developing M365 as our principal records and information management solution” (RMP page 31). The Keeper agrees that M365, appropriately implemented, is a suitable system for the management of public records in digital format and is, particularly in a larger authority, a measurable improvement on the use of shared drives. At several points in the RMP and evidence package it is clear that this is a work in progress. For example "Discussions on the best use of key tools within the M365 environment are in the early stages of development. More work is needed to agree on processes and authorisations, for compliance administration and reporting functions." (RMP page 7) and "The project lead for the SharePoint migration project is developing training packages with support from an external consultant and from SEPA's internal Learning and Development team." (RMP page 8). The roll-out of M365 is bound to be incremental and take several years to bed in properly. The Keeper acknowledges that SEPA have correctly identified the importance of appropriate policies, governance and staff training in making this major project a success.
As noted above, this transition is supported with input from local business areas. This is strongly commended, as is the close involvement of the information governance team in the technical roll-out: “The Senior Information Officers meet with the Senior Operations Engineer responsible for M365 at operational level on a weekly basis and engage at a strategic level with attendance at Power Platform meetings” (RMP page 11).
The Keeper notes that extra resource, in the form of two new Senior Information Officers, has been allocated to the “compliance administration requirements for the new M365 environment, including SharePoint sites across the organisation” (RMP page 7). This is welcome news.
Staff guidance is already being rolled out for the M365 transition, for example in the Naming Conventions guidance (see element 11). The Keeper acknowledges that following submission of the RMP in March, new naming conventions and version control guidance has been developed in SEPA. The Keeper has been provided with the updated version.
This element retains an Amber ‘improvement model’ agreement as this roll-out continues. The Keeper requires updates as this project continues. SEPA have committed to engaging with the Keeper’s Progress Update Review process (see element 13) and this would be an ideal mechanism for providing M365 roll-out updates. The implementation of M365 as a records management solution throughout the authority is liable to be a major undertaking and the Keeper would be interested to see a timetable and a statement explaining the licensing arrangements (as they impact the management of public records, for example reporting and disposition).
Digital Line-of-Business: SEPA operate line-of-business systems. The Keeper can accept these systems have records management functionality.
SEPA should be aware that, in the case of a further resubmission, the Keeper will be investigating the use of legacy line-of-business systems in more detail than in this assessment. These are systems that will sit outside the main records management structure and may not be compliant with the authority’s own Information Management Policy. For the purposes of this assessment it is not required that the Agency provides any further statement on this issue.
Physical: as noted above SEPA manage some records in hard-copy format and SEPA also contract storage space for corporate records through a third-party storage supplier. It is clear that physical records are appropriately considered in the RMP and in the supporting evidence.
In 2014 the Keeper agreed this element of the SEPA Records Management Plan with a ‘green’ compliant RAG status. It is important to note that the current ‘amber’ grading does not indicate a degrading of the records management provision in the authority. It simply signifies that, at the time of this submission, they were in a transition period. In fact, the Keeper judges that, if appropriately implemented, the M365 transition may represent an improvement in record keeping in SEPA.
5. Retention Schedule | G | G
The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule.
SEPA have provided the Keeper with their Retention and review of documents and data under Permitting document, which acts as their Retention Schedule. The document is undated.
SEPA explain ‘Permitting’ as follows: “The Permitting Function requires to set out retention and review guidelines for all documentation and data to facilitate the reduction in storage in SEPA offices and offsite storage facilities as well as on SEPA systems in a controlled and appropriate manner, with full audit facility of what documents and data have been archived and/or reviewed. This document sets out the agreed organisational retention and review process for such information.”
A sample entry might be:
- All Data required as part of the determination process of any application or review of an authorisation
- SEPA’s oracle based database/SEPA’s digital licensing system
- One year from date of cessation
The Keeper agrees that the Permitting guidance includes records in various formats and also those held on line-of-business systems. For the different formats featured in SEPA records management systems see element 4 above.
The Permitting document is accompanied by explanatory guidance in the form of a Retention and Disposal of Information and Records document that has also been provided to the Keeper. This includes easy to follow instructions and engaging ‘did you know’ sections. Such as “Did you know? By law, SEPA must have a Records Management Plan. Retention and disposal is part of that plan.” Destruction instructions are available to staff in this document (for more see element 6).
The Keeper recognises that SEPA have committed, in a ‘further developments’ statement to pursue transferring current retention decisions to automatic labels in the M365 roll-out (see element 4) and to review the retention decisions applied to line-of-business systems. As noted above, this is an area that the Keeper is particularly interested in. For the purpose of this assessment no further statement around the application of retention to line-of-business systems, particularly legacy ones, is required.
The Keeper agrees that the Scottish Environment Protection Agency has a schedule providing retention decisions for the record types created while pursuing its functions.
6. Destruction Arrangements | G | G
The Keeper expects a Scottish public authority to have processes in place to destroy public records in a controlled, secure and irretrievable way when appropriate.
The SEPA Information Management Policy – see element 3 - states that "Effective management of information allows fast, accurate and reliable access to facilitate business processes. This includes the timely destruction of redundant information, and the identification and protection of vital and historically important information." (Information Management Policy section 9.3)
The Information Framework – also see element 3 - commits SEPA as follows "We will manage and protect our information in ways that mitigate the risks and ensure that our information is...destroyed securely and definitively or transferred to a suitable location for long-term preservation." (Information Framework page 7)
With these principles in mind, SEPA have procedures in place to ensure the controlled, secure and irretrievable destruction of their public records.
These procedures are explained in the Destruction of Documents and Data under Permitting staff guidance document which has been provided to the Keeper (for 'Permitting' see element 5 above).
Under SEPA’s Permitting system a list of records and a date for destruction is provided to Information Asset Owners (see Local Records Management under General Comments below) on a spreadsheet. It is the responsibility of the IAO to authorise and instigate the destruction of highlighted records in his or her business area. The spreadsheet includes records in both digital and physical format. The guidance explains that: “updated reports from IS Helpdesk, Permitting SharePoint and manual paper records will be transferred on to a Destruction Certificate, which will be held in the Permitting SharePoint system under the Change & Improvement / Information Management area for a further five years from date of destruction. This is to enable a response to any external queries regarding documentation that may be requested via Freedom of Information where SEPA can confirm that information was held but has been destroyed following this procedure.” (Destruction of Documents and Data under Permitting section 2). The maintenance of destruction logs is commended by the Keeper.
Third-Party record storage: SEPA store some of their physical public records with a third-party storage contractor. The recent disruption to business (see element 8) has interfered with the record tracking functionality with regard to this arrangement. This is dealt with under element 11 ‘Audit Trail’. However, the Keeper is confident that the destruction processes arranged between the authority and its storage contractor are still in place. An extract from the contract between SEPA and the contractor, showing the arrangements for secure shredding, destruction and disposal services, has been provided to the Keeper in evidence.
Line-of-Business Systems: The Destruction of Documents and Data under Permitting staff guidance document refers to certain line of business systems such as Oracle databases. For the purpose of this assessment the Keeper can accept that line-of-business systems operated by SEPA are liable to have records destruction as part of their functionality.
Back-ups: SEPA, quite properly, keep back-up copies of public records for business continuity purposes (see element 10). It is important that the information governance team understand the availability of records, from back-up, beyond the scheduled destruction date. There is no ‘correct’ answer to this, but the Keeper must be confident that the authority has a clear recognition of when a record may still be retrieved, for example to respond to an inquiry, past its apparent removal from the system. The Destruction of Documents and Data under Permitting guidance makes it clear to staff that records will remain in the Permitting back-up for 93 days, after which the system will automatically remove them.
The Keeper agrees that the Scottish Environment Protection Agency has processes in place that allow the controlled, secure and irretrievable destruction of their public records.
7. Archiving and Transfer | G | G
The Act requires that all Scottish public authorities identify a suitable repository for the permanent preservation of any records considered suitable for archiving. A formal arrangement for transfer to that repository must be in place.
The Scottish Environment Protection Agency (SEPA) Information Management Policy – see element 3 - states that "Effective management of information allows fast, accurate and reliable access to facilitate business processes. This includes the timely destruction of redundant information, and the identification and protection of vital and historically important information." (Information Management Policy section 9.3)
The Information Framework – also see element 3 - commits SEPA as follows "We will manage and protect our information in ways that mitigate the risks and ensure that our information is...destroyed securely and definitively or transferred to a suitable location for long-term preservation." (Information Framework page 7)
SEPA have identified the National Records of Scotland (NRS) as the proper repository for the small selection of their public records suitable for permanent preservation. Some of the public records of SEPA will therefore form part of the national collection.
NRS is an accredited archive https://www.nrscotland.gov.uk/news/2015/national-records-of-scotland-receives-archive-accreditation-award and fully adheres to the Keeper’s Supplementary Guidance on Proper Arrangements for Archiving Public Records: https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/supplementary-guidance-on-proper-arrangements-for-archiving-public-records.pdf
Archive transfer arrangements operate under the terms of a memorandum of understanding (MOU). This has previously been supplied to the Keeper in evidence. The Keeper is satisfied that information asset owners (see Local Records Management under General Notes below) have adequate input to how preservation decisions are allocated to particular record types. The Keeper acknowledges that SEPA is currently (2024) negotiating with their Client Manager around pursuing the latest NRS Agreement for Transfer.
The Keeper notes that SEPA have included a ‘future development’ against this element that commits them to: “Implement an agreement with NRS for the archiving of SEPA website content with the Website Archiving Team.” (RMP page 22). This is a welcome development. Since the submission of the RMP for the Keeper’s agreement in March 2024, a formal web archive agreement with NRS has been agreed. A copy of the agreement has been provided. NRS will complete the first crawl of the SEPA website in November.
The archival arrangements are supported elsewhere such as in the SEPA Retention and Disposal of Information staff guidance document, which has been supplied separately.
The Keeper agrees that the Scottish Environment Protection Agency has arrangements in place to properly archive records when appropriate.
8. Information Security | G | G
The Act requires that public records are held in accordance with information security compliance requirements.
SEPA’s Information Management Policy (see element 3) states that: “Information must be protected, regardless of format, and must be authentic, accurate, accessible, complete, comprehensive, compliant, effective and secure.” (IM Policy section 9.4)
The Information Framework (also element 3) SEPA commits that: “We will classify information according to its sensitivity. We will put in place good controls and ensure that they are followed. We will ensure our systems are secure.” (Framework page 4).
The RMP states (page 31): “All SEPA employees have a personal responsibility and duty of care for SEPA’s information, and the information people entrust to us. Our Information Asset Owners (see Local Records Management under General Notes below) are responsible for ensuring information assets are properly protected.”
With these commitments in mind, SEPA have provided the Keeper with the authority’s Information Security Policy (version 1.0 dated February 2024). This Policy is supported by a suite of supplemental policies and guidance documents such as an IT Acceptable Use Policy (v9.0), a Hybrid Working Policy (2022) and a Password Policy (2024); these have also been provided to the Keeper. They are available to staff on the intranet (screenshot provided).
The Information Security Policy specifically mentions the Public Records (Scotland) Act 2011.
The Information Security Policy includes the physical security of records held in hard-copy format (for example at section 11).
SEPA have implemented an Information Classification Standard, based on the Government Security Classifications, for applying classification labels to all documents and emails. Security around e-mail is specifically mentioned in the authority's staff guidance such as the Acceptable Use Policy. For example, staff are directed to the National Cyber Security Centre’s guidance on spotting phishing and malware emails (Acceptable Use Policy section 20).
A system for reporting information security breaches (actual or potential) is in place. This is explained to staff in several guidance documents with quick links to the security breach team (for example Acceptable Use Policy section 42 or Information Security Policy section 15).
SEPA have provided the Keeper with their Code of Conduct for Staff document. It imposes the following statement on employees: "Information is a valuable resource and must be treated accordingly. The confidentiality and integrity of all sensitive information is essential. It must be readily available to those authorised to access it. SEPA’s Information Security policies and guidance must be followed at all times to protect all information held by SEPA.”
All staff undertake mandatory cyber security training and modules on information security learning annually (see element 12). All employees (including temporary appointments) are security cleared to the Baseline Personnel Security Standard, and undertake security awareness and data protection training. Specific information security staff guidance is provided for those working outside SEPA’s offices. For example, Hybrid Working Policy section 19.
The Keeper notes that SEPA have achieved Cyber Essentials Plus certification: BM Registry | 3901a65e-1d6a-4c21-a95a-8ee9e7aca362 (blockmarktech.com)
The Keeper has been provided with sample information governance training slides (see element 12). These include those for ‘Information Classification Standard’ and ‘Managing Information Securely’.
The Keeper is aware that the authority was recently the subject of a cyber-attack. SEPA has been notably transparent around this event and has, in fact, shared their experience with other Scottish public sector information management teams. This is to be commended. On this issue SEPA state: “The impacts of the cyber-attack are outlined in: sepas-response-and-recovery-from-a-major-cyber-attack.pdf. More than 40 learnings were identified, all of which were accepted and continue to underpin our recovery” (RMP page 3).
“SEPA laboratory services are accredited by UKAS under ISO 17025. Following the cyber-attack in December 2020, SEPA voluntarily suspended the accreditation as many systems had been lost. The accreditation was reinstated in January 2022 as systems were rebuilt. A formal audit was carried out in May 2022 and UKAS recommended that SEPA’s accreditation to ISO 17025 is maintained. The reinstatement of document controls for key procedures and documentation was carried out in SharePoint. A Controlled Document Register has been reinstated.” (RMP page 26)
The Keeper agrees that the Scottish Environment Protection Agency have procedures in place to appropriately ensure the security of their records as required by the Act.
9. Data Protection | G | G
The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law.
SEPA is registered as a data controller with the Information Commissioner’s Office (ICO): Information Commissioner's Office - Register of data protection fee payers - Entry details (ico.org.uk)
It should be noted that, due to the nature of their function, SEPA are subject to the Law Enforcement Directive and the relevant law enforcement provisions in data protection legislation (for example Part 3 of the Data Protection Act 2018).
SEPA have a Data Protection Policy. The Keeper has been provided with a copy of this Policy. This is version 2.0 dated February 2024. They have a Privacy Policy published online at Privacy Policy | Scottish Environment Protection Agency (SEPA)
The Data Protection Policy confirms: "We recognise the fundamental importance of handling this information in an appropriate and lawful manner to maintain the confidence and trust of our customers and staff in our processing of their personal data.
- Protecting the confidentiality and integrity of personal data is a critical responsibility that we always take seriously.
- If SEPA fails to comply with Data Protection Law, then it may be subject to enforcement and sanctions from the Information Commissioner’s Office." (Data Protection Policy section 1)
The Data Protection Policy explains the 6 principles of data protection and the accountability clause (section 6). The Policy goes into considerable detail to alert staff to the organisation’s accountability. This is welcome. The Policy also includes staff guidance on reporting actual or potential breaches.
Members of the public are made aware of their rights and how they can make a subject access request at: subject_access_request_form.pdf (sepa.org.uk)
As required by data protection legislation, SEPA have identified a Data Protection Officer. This is Alison Mackinnon. This identification is supported by the Information Framework (see element 3). The Data Protection Officer is required to undertake Level Three in the SEPA Information learning Programme (see element 12).
SEPA have committed to carrying out data protection impact assessments (DPIA) before they begin any processing of personal data which is likely to result in a high risk to individuals (Data Protection Policy section 11). A DPIA template has been supplied to the Keeper in evidence. SEPA maintains a Register of Processing Activities (ROPA) which is based on the content of DPIAs. A sample from the ROPA has also been provided.
Staff are supported with guidance and mandatory training (see element 12).
SEPA also applies the ICO Accountability Framework (Accountability Framework | ICO). This Framework includes a section specifically on Records and Security.
The Keeper has been provided with a screen-shot showing access to information governance policies and guidance including the suite of information security guidance such as the Data Protection Policy.
Local Information Asset Owners (see Local Records Management under General Comments below) are required to work with the Data Protection Officer to ensure that personal information is handled compliantly including engagement with the DPIA process (Information Asset Owner's Handbook section 7).
Data protection provision is also supported by clauses in the SEPA Information Security Policy (see element 8).
The Keeper agrees that the Scottish Environment Protection Agency have arrangements in place that should allow them to properly comply with data protection legislation.
10. Business Continuity and Vital Records | G | G
The Keeper expects each public authority to have processes in place that allow them to recover public records in an emergency.
The requirement for business continuity planning is specified in the SEPA Information Security Policy (see element 8), for example at section 1.4 and, more fully, at section 13. “Every Function in SEPA must have a business continuity arrangement and underpinning contingency procedures capable of addressing all reasonably foreseeable events, whether externally or internally driven.” (Information Security Policy section 13.4).
It is the responsibility of each of SEPA’s Information Asset Owners (see Local Records Management under General Comments below) to develop and implement a business continuity plan, including record recovery, for their immediate business area. These plans are reviewed bi-annually. A master copy of all SEPA continuity plans is held centrally.
To create their plan the IAO is provided with a Business Impact Analysis and ‘toolkit’ which includes a template document (provided to the Keeper as part of the evidence package accompanying the RMP). SEPA have provided screen shots of some completed templates. SEPA states “These processes are classified by SEPA as Official – Confidential. This extract is provided to evidence that there are robust processes in place for the organisation to deal with extreme disruption which aligns with the requirements of Element 10.” The Keeper agrees that these redacted samples are all that is required as evidence against this element and understands that providing more detailed continuity arrangements represents a security risk for the authority. The Keeper also agrees that the samples provided clearly show that record-recovery forms part of SEPA’s business continuity arrangements.
The Keeper notes that a copy of all business continuity documents is held digitally outwith the main record-keeping systems and also in hard-copy. The principle that record-recovery instructions are still available when the record-keeping system is disabled is commended.
The Keeper agrees that the Scottish Environment Protection Agency have an approved and operational business continuity process and that information management and records recovery properly feature in the authority’s plans.
11. Audit trail | A | G
The Keeper expects an authority to have processes in place to track public records in such a way that their location is known and changes recorded.
The Information Management Policy (see element 3) states that "Effective management of information allows fast, accurate and reliable access to facilitate business processes" (Policy section 9.2) and that "Effectively managed information will...Provide an audit trail to meet business, regulatory and legal requirements" (section 9.4).
SEPA also issue staff with the following general guidance: “As a public body, it is our responsibility to keep our information safe, and only keep it for as long as it is needed. Access to the right information, by the right people at the right time enables good decision making, and great public services. Therefore, our information must be filed in a way that makes it easy to retrieve.”
With this in mind, SEPA have the following processes in place (for the structure of SEPA records management systems see element 4 above):
Digital: In the Keeper's original agreement (2014) this element of the SEPA Records Management Plan was graded with an amber RAG status under 'improvement model' terms. This meant that the authority had recognised a gap in provision and had put processes in place to close that gap. In this case the Keeper stated: "The management of records held on shared servers will form part of the review and design phase of the roll out of the new system (beginning in April 2014 and acknowledged by Chief Officer (Governance) in the covering letter). The Keeper would be keen to see how SEPA responds to this problem when that phase is complete, although this is not required for agreement....The assessment team considers that this element of the RMP should be agreed on ‘improvement model’ terms. With the proviso that the Keeper may request that he re-assesses this element in the future."
The Keeper agrees that the introduction of M365 as a record keeping system, instead of the shared servers used at the time of the 2014 agreement, should address the issue of providing an audit trail for the public records of an authority that are held digitally. However, the text of the compliance statement against this element of the SEPA plan shows that this is still a work in progress. SEPA list as future developments: “Embed version control functionality in Microsoft 365” (RMP page 26).
In this case the Keeper is content to continue this element at an Amber RAG status. The Keeper makes this agreement on the grounds that a suitable solution to a recognised problem has been put in place, but has not yet been finalised. The Keeper requires SEPA to provide updates, perhaps through the Progress Update Review mechanism (see element 13).
The M365 system will automatically apply version control to public records as they are created or amended. However, to make best use of the powerful e-discovery tool, a consistent naming convention should be applied.
SEPA have a staff guidance document, An Approach to Naming of Documents and Files Including the Use of Metadata, which has been provided to the Keeper. The Keeper agrees that this gives clear and appropriate instructions to staff to ensure that records are named in such a way as will allow efficient tracking. The Keeper acknowledges that following submission of the RMP in March, new naming conventions and version control guidance has been developed in SEPA. The Keeper has been provided with the updated version.
Digital Line-of-Business: SEPA operate line-of-business systems. The Keeper can accept that these systems have record tracking functionality. However, the Keeper also notes that in future developments against this element SEPA include: “Assess and document audit trail records in Line of Business systems”. This is a welcome objective.
Hard-Copy: As noted under element 4, SEPA hold records with a third-party record store under contract. The document tracking system for these records was badly disrupted during a cyber-attack in 2020 (see element 8) and was being rebuilt at the time of submission. In their RMP SEPA have stated a ‘future development’ to: “Reinstate and rebuild logs of physical records held offsite … to track their movements”. (RMP page 26). The Keeper would be interested in an update on this matter and, as with the M365 roll-out above, suggests that the annual Progress Update Review process would be an ideal opportunity to provide this.
The Keeper agrees this element of the Scottish Environment Protection Agency’s records management plan under improvement model terms while the M365 roll-out and the physical record tracking rebuild are underway.
12. Competency Framework for records management staff | G | G
The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported.
SEPA has a commitment that they will “train and develop our staff with specific roles in information” (Information Framework - see element 3 - page 4).
The Information Governance Manager has delivered the function of Records Manager for SEPA since 2018 and is an MCQI Chartered quality professional. The Keeper is aware that the Information Governance Manager attends National Records of Scotland PRSA ‘surgeries’ and Information and Records Management Society (IRMS) events. The Information Governance Manager encourages her team to attend these events and make use of online webinars. The Keeper is aware that the Information Governance Manager is fully supported by an information governance team who share considerable records management experience. The Keeper is familiar with members of this team and has no doubt of their competence in their roles.
SEPA have an information governance training framework set out in three levels:
1. Mandatory for all staff. All staff undertake mandatory information learning annually. This learning includes cyber security and modules on information security (Information Classification Standard, Protecting Information, Cyber Security, Risk Management) and data protection. This is a mandatory requirement of the SEPA Information Security Policy sections 8.9 and 16 and Data Protection Policy section 11 (see elements 8 and 9). Special mention is made of the training requirements of those staff who work out of the office in the Hybrid Working Policy, which has also been provided to the Keeper.
2. For staff with particular information management responsibilities. For example SEPA have a commitment for "Ongoing training and support for IAOs [see Local Records Management under General Comments below]” and “staff who would play a key role in any business continuity plan (see element 10).” (RMP page 29)
3. For information management specialists (such as the Information Governance Manager).
Information Asset Owners are responsible for ensuring local staff in their business areas have completed the required information governance training (at the appropriate level).
Training packages will need to be constantly updated to respond to changes in the M365 platform. This is recognised by SEPA (see for example RMP page 8 or 16).
SEPA holds corporate membership of the IRMS for governance staff to access resources and webinars as part of their Continuing Professional Development. The Keeper’s PRSA Implementation Team work closely with IRMS and agree that their resources are useful for promoting robust records management and PRSA compliance.
SEPA delivers training and desktop resilience exercises for staff on coping with critical incident response scenarios (see element 10).
The Keeper has been provided with samples of staff guidance/training presentations such as that for Information Classification standard – PowerPoint presentation guidance and a screen-shot of intranet access to other information training.
The Keeper agrees that the individual identified at element 2 has the appropriate responsibilities, resources and skills to implement the records management plan. Furthermore, they agree that the Scottish Environment Protection Agency treats information governance training for staff as a requirement.
13. Assessment and Review | G | G
Section 1(5)(i)(a) of the Act says that an authority must keep its records management plan under review.
The RMP is reviewed annually with a first review scheduled for March 2025 (RMP control sheet).
Reviewing the implementation of the RMP is the responsibility of the Information Governance Manager (see element 2) supported by the Information Asset Owners (IAOs) and Records Management Champions (see under Local Records Management below).
To inform the 2025 review SEPA intend to self-evaluate using methodology explained in the Information Framework. The Keeper has been provided with a copy of this Framework (see element 3).
The results of any review are reported to the Information Oversight Group (see under General Comments below) and the Audit and Risk Committee. The Head of Governance, Risk and Resilience (see element 1) chairs the Oversight Group. The Information Oversight Group “coordinates, develops and oversees delivery of plans and projects to improve data protection, information governance and information management” (Oversight Group’s Terms of Reference).
The Keeper acknowledges that the SEPA Policy Review methodology and a copy of the paper to the Corporate Leadership Team regarding the 2023/24 RMP review have been provided.
As well as the assurance of an overall RMP review, most individual elements have a review commitment and SEPA provides details of who should carry out that review. For example: “The retention schedule is subject to ongoing review by the Information Governance team and Information Asset Owners.” (RMP page 17)
It is a requirement of the SEPA Data Protection Policy (section 11.4) that managers "must regularly review all the systems and processes under their control to ensure they comply with this [Data Protection] policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data."
SEPA commit to using the Keeper’s Progress Update Review (PUR) reporting methodology going forward (RMP page 12; Progress Update Reviews | National Records of Scotland (nrscotland.gov.uk)). This commitment is welcome. It should be noted that PUR is a way of collating the results of a review, not a review methodology in itself. The review will be pursued under the terms explained in the Information Framework.
The Information Management Policy (see element 3) and the Information Security Policy (see element 8) must be reviewed by January 2025.
The Data Protection Policy (see element 9) must be reviewed by February 2025.
Business Continuity Plans (see element 10) are reviewed bi-annually (RMP page 24). This is a clear recognition that business continuity arrangements are constantly subject to changes in circumstance.
The Keeper agrees that the Scottish Environment Protection Agency has made a firm commitment to review their RMP as required by the Act and have explained who will carry out this review and by what methodology. Furthermore they agree that supporting policy and guidance documents have appropriate review periods allocated.
14. Shared Information | G | G
The Keeper expects a Scottish public authority to ensure that information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled.
SEPA shares information with third parties and does so ensuring that “Information is shared securely in line with the sensitivity of the information.” (RMP page 28) including the use of Data Sharing Agreements and a central log of agreements. The sharing of personal information is done following the ICO Code of Practice.
The Keeper has been provided with a template Data Sharing Agreement (personal information), a template Data Sharing Agreement (non-personal), a Data Processing Agreement template and a sample Data Protection Impact Assessment (DPIA) all as evidence that the arrangements explained in the RMP are currently operational.
SEPA instruct their Information Asset Owners (see Local Records Management under General Notes below) that they must “Ensure appropriate agreements are in place for sharing information with other organisations, particularly if it includes personal data. We are developing corporate logs so that we know which of our assets are shared with others.” (Information Asset Owners Handbook section 7.4)
The information sharing processes explained in the RMP are supported by policy commitments in the Data Protection Policy (see element 9) for example at section 11.
Having consulted the documents provided in evidence, the Keeper can agree that the Scottish Environment Protection Agency properly considers records governance when undertaking information sharing programmes. For example, the Data Sharing Agreements require contracting parties to agree retention periods.
15. Public records created or held by third parties | N/A | N/A
The Public Records (Scotland) Act 2011 (PRSA) makes it clear that records created by third parties when carrying out the functions of a scheduled authority should be considered ‘public records’ - PRSA Part 1, section 3(1)(b).
SEPA state in their RMP (page 30): “At this stage, following assessment of the requirements of this element, it has been concluded that SEPA does not have records created and held by third parties to carry out any of our functions.”
The Keeper agrees that this element does not apply to the Scottish Environment Protection Agency.
General Notes on submission
Version
This assessment is on the Scottish Environment Protection Agency (SEPA) Records Management Plan (the RMP) submitted to the Keeper for their agreement on 28th March 2024. This is version 2.0 of the RMP approved by the Head of Governance in the authority (see element 1) on 29th February 2024. The RMP was prepared by the Information Governance Manager (see element 2). The Keeper originally agreed the Records Management Plan of the Scottish Environment Protection Agency in 2014: Keeper’s Report (nrscotland.gov.uk)
The 2024 RMP is accompanied and supported by a separate letter from Nicole Paterson, SEPA Chief Executive dated 26th March 2024.
The Keeper agrees that the efficiencies introduced by robust records management provision will assist SEPA to attain the objectives explained in their Three-Year Corporate Plan (Our Corporate Plan (sepa.scot)), such as “We must share the job of service delivery so that we offer better outcomes more efficiently…” and “We will deliver a digital transformation that drives operational efficiencies and provides high quality environmental and regulatory information and data to those who need it.”
In the Introduction to the RMP SEPA state: “Any information that we generate in delivering our functions, stored on any system, is a public record. We have a duty to manage our information for the people of Scotland, everyone in SEPA has a role in this. Our Information Framework sets out our commitment to achieving high standards in information management.” The Keeper thoroughly agrees with this sentiment.
“SEPA recognises the need for good information management practices, to deliver the services of the organisation, and to meet our legal obligations. Effective information management leads to accountability and transparency. It enables staff to access accurate information and make appropriate decisions. Senior management must ensure that information is created and maintained in such a way to protect its Confidentiality, Integrity, and Availability. Senior management also recognise the importance of maintaining a corporate memory of events and activities. SEPA endeavour to provide enough staffing, technical and organisational resources to ensure that the above requirements for dealing with information can be achieved and maintained.” (Information Management Policy section 1.2). The Keeper fully agrees with this policy statement.
The authority refers to records as a business asset (for example RMP page 18, Information Framework Introduction or Information Management Policy section 1.3). This is an important recognition and the Keeper commends it.
The RMP mentions the Act and is based on the Keeper’s 15-element Model Plan.
The Information Oversight Group meets regularly to coordinate, develop, and oversee delivery plans and projects to improve data protection, information governance and information management. The purpose of this group is to help create a culture where staff value information. This includes agreeing standards for information management and approving new information products. The Keeper has been provided with the Information Oversight Group’s Terms of Reference and recognises that both the Head of Governance (see element 1) and the Information Governance Manager (see element 2) sit on this group, the Head of Governance in the chair.
This group is clearly of significant relevance to the implementation of the RMP and the Keeper thanks SEPA for providing details of their remit.
Local Records Management
SEPA is a large and complex organisation. It is not practical for the Information Governance Manager to personally monitor the management of records in the diverse business areas. For this reason the authority has set up a network of Information Asset Owners (IAOs) throughout the organisation who are responsible for implementing the requirements of the RMP and the Information Management Policy (see element 3) at a local level. These senior officers are referred to in SEPA as ‘Heads of Function’ and they sit on the authority's Strategic Leadership Team. They must “Understand what information is held, what is added and/or removed, how information is moved, who has access to it and why”. (Information Management Policy - see element 3 - section 8.4).
A list of IAOs is provided to all staff on the SEPA intranet.
IAOs are supplied with an Information Asset Owner Handbook, which includes 'A checklist for Information Asset Owners in their first 90 days'. A copy of the Handbook has been provided to the Keeper. This is version 1.0 dated January 2023. The Handbook is designed to help IAOs "foster a culture where our information is valued, both internally and externally" (Handbook section 3). This matches a statement in the RMP (page 6) that mentions "a culture where people value our information". The principle of creating a culture that values and protects records is entirely in the spirit of the Act and it is welcome to see this principle so clearly stated in this guidance document.
The Handbook explains the responsibilities of the IAO in detail. A commitment for "Ongoing training and support for IAOs to meet current and future requirements for maintaining logs of data sharing activity" is provided in the RMP (page 29). A similar commitment to support IAOs is evident throughout the various elements of the SEPA RMP.
Among other records management responsibilities relevant to the RMP, IAOs are required to ensure that the record types they ‘own’ are properly identified in the corporate Business Classification Scheme (see element 4). IAOs are responsible for "ensuring information assets are properly protected" (see element 8). The principle of engaging with local business areas in the population of the BCS and the local monitoring of security are both commended by the Keeper. Destruction must be signed off by the appropriate IAO (see element 6). IAOs are also responsible for approving business continuity arrangements for their local areas (see element 10) and for working closely with the Data Protection Officer (see element 9).
A fundamental responsibility of each IAO is to appoint local ‘Information Champions’ for their business areas, who are responsible for monitoring the day-to-day records management in that area and reporting to the IAO. The use of local records champions is highly commended in all but the smallest public authorities. Local input is vital to a records management scheme as it is liable to highlight anomalies and to engender buy-in. In this case, each Information Champion is part of an Information Champion Network set up by SEPA. This network meets regularly to discuss and coordinate data protection and information governance activities.
As noted, the local champion reports to the IAO. IAOs regularly meet in a forum chaired by the organisation’s Senior Information Risk Owner (SIRO). The SIRO sits on the SEPA Corporate Leadership Team. The Keeper agrees that the reporting structure from local business area records management champions through to the senior leaders in the organisation is clear.
IAOs and their local Information Champions have mandatory 'level 2' (of 3) information governance training (see element 12). It is a requirement that IAOs maintain a level of information governance competency by undertaking training (see Handbook section 7.1).
The Keeper notes that two Senior Information Officers were recently appointed, who report directly to the Information Governance Manager (see element 2). These Officers are specifically working on the M365 implementation (see element 4) as part of a 'Power Platform Strategy Group'. These new officers have responsibilities around ensuring the smooth roll-out of M365 in local business areas. For example there is a commitment to "support IAOs and Information Champions [should be] delivered by the Senior Information Officers" (RMP page 8).
The Keeper notes that SEPA make the following commitment around the connection between the authority’s RMP and their IAOs: “Work to progress elements of the RMP continues throughout the year. This is achieved through regular liaison with Information Asset Owners (IAOs) and Records Management Champions, both at regular scheduled meetings, and with the provision of additional support to areas of business across the organisation as required or requested by the IAOs” (RMP page 12).
6. Keeper’s Summary
Elements 1 - 15 that the Keeper considers should be in a public authority records management plan have been properly considered by the Scottish Environment Protection Agency. Policies and governance structures are in place to implement the actions required by the plan.
Elements that require development by the Scottish Environment Protection Agency are as follows:
- 4. Business Classification
- 11. Audit trail
7. Keeper’s Determination
Based on the assessment process detailed above, the Keeper agrees the RMP of Scottish Environment Protection Agency.
The Keeper recommends that the Scottish Environment Protection Agency should publish its agreed RMP as an example of good practice within the authority and the sector.
This report follows the Keeper’s assessment carried out by:
Pete Wadley
Public Records Officer
Liz Course
Public Records Officer
8. Endorsement of Report by the Keeper of the Records of Scotland
The report has been examined and is endorsed under the signature of the Keeper of the Records of Scotland as proof of compliance under section 1 of the Public Records (Scotland) Act 2011, and confirms formal agreement by the Keeper of the RMP as submitted by the Scottish Environment Protection Agency. In agreeing this RMP, the Keeper expects the Scottish Environment Protection Agency to fully implement the agreed RMP and meet its obligations under the Act.
Laura Mitchell
Deputy Keeper of the Records of Scotland