1. Public Records (Scotland) Act 2011
The Public Records (Scotland) Act 2011 (the Act) received Royal assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came fully into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.
The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor record keeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.
The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.
2. Executive Summary
This report sets out the findings of the Keeper’s assessment of the RMP of Social Security Scotland by the Public Records (Scotland) Act 2011 Assessment Team following its submission to the Keeper on 10th July 2023.
The assessment considered whether the RMP of Social Security Scotland was developed with proper regard to the 15 elements of the Keeper’s statutory Model Records Management Plan (the Model Plan) under section 8(3) of the Act, and whether in this respect it complies with it and the specific requirements of the Act.
The outcome of the assessment and the Keeper’s decision on whether the RMP of Social Security Scotland complies with the Act can be found under section 7 of this report with relevant recommendations.
3. Authority Background
Social Security Scotland is an executive agency of the Scottish Government created by The Social Security (Scotland) Act 2018. Social security is money provided by the Government to people who need it, with eligibility decided by law. Examples include disability support, child support, funeral support, and support for carers. Social Security Scotland assesses claims and pays money out to those eligible. The Chief Executive of Social Security Scotland reports to the Cabinet Secretary for Social Justice. Their executive team set out strategic direction for the organisation and ensure that it meets its objectives. They consider and approve all of the organisation’s policies, plans and processes. They also consider the outputs from the Scottish Government and the impact they have on the agency’s capacity, finance and client service levels.
Social Security Scotland - Homepage
4. Keeper’s Assessment Process
The RMP was assessed by the Public Records (Scotland) Act Assessment Team on behalf of the Keeper. Assessors used the checklist elements listed in section 5, to establish whether Strathclyde Partnership for Transport’s RMP was developed with proper regard to the elements of the Model Plan and is compliant with the Act. The assessment also considered whether there was sufficient supporting evidence of such compliance.
Key
G | The Keeper agrees this element of an authority’s plan.
A | The Keeper agrees this element of an authority’s plan as an ‘improvement model’. This means that he is convinced of the authority’s commitment to closing a gap in provision. He will request that he is updated as work on this element progresses.
R | There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Keeper may choose to return the RMP on this basis.
5. Model Plan Elements: Checklist
Social Security Scotland
Element | Present | Evidence | Notes
1. Senior Officer | G | G |
The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority.
Social Security Scotland have identified Janet Richardson, Deputy Director of Client Services, as the individual with overall responsibility for records management in the organisation.
The identification of the Deputy Director of Client Services to this role is supported by a Covering Letter from Mrs Richardson (see under General Comments below) and by the Records Management Policy, for example section 9.
The Keeper has been informed that, subsequent to submission, Mrs Richardson has been replaced as Senior Information Risk Owner (SIRO) by Karyn Dunning, Deputy Director of Low Income Benefits and Operational Improvement. The Keeper has previously determined that a change of personnel does not invalidate a RMP as long as the role remains substantially the same.
Ms Dunning is the Social Security Scotland Senior Information Risk Owner (SIRO) (Records Management Policy section 9). As SIRO, Ms Dunning has a responsibility to ensure that information risk assessments are performed at least annually and to review risk assessment results and associated mitigation plans. Although responsibility for information security in Social Security Scotland resides ultimately with the accountable officer, this is delegated to the SIRO.
Ms Dunning is also the Senior Information Asset Owner (SIAO) for Social Security Scotland and is a member of Social Security Scotland’s Executive Team.
The Deputy Director of Low Income Benefits and Operational Improvement is now the document owner of the Records Management Plan (the RMP).
The Keeper understands that the Deputy Director of Low Income Benefits and Operational Improvement will also be the document owner of the Records Management Policy (see element 3), the Retention and Disposal Policy (see element 5), the Records Disposal Guidance (see element 6) and the Document Naming and Control Policy (see element 11).
It is clear from the above that the Deputy Director of Low Income Benefits and Operational Improvement is closely aware of the records management provision in Social Security Scotland.
The Keeper agrees that Social Security Scotland have identified an appropriate individual to this role as required by the Act.
|
2. Records Manager | G | G |
The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and that this staff member has appropriate corporate responsibility, access to resources and skills.
Social Security Scotland have identified Robert Fotheringham, Corporate Records Manager, as the individual with day-to-day responsibility for implementing the RMP.
The identification of the Corporate Records Manager to this role is supported by a Covering Letter from Janet Richardson, Deputy Director of Client Services (see element 1) and by the Records Management Policy, for example section 9 (see element 3).
It is also supported by the Annual objectives for Corporate Records Manager document provided to the Keeper. These include an objective to lead on the review of Social Security Scotland’s Records Management Plan (RMP).
The Corporate Records Manager has a responsibility to ensure the easy, appropriate and timely retrieval of information (see element 11); for advising on policy and practice and for providing training and direction to Information Management Support Officers (IMSOs) (see element 12 and Local Records Management under General Comments below); for identifying records for permanent preservation and arranging their transfer to National Records of Scotland (see element 7); and for reporting compliance to the Executive Team (see element 13) (from Records Management Policy section 9).
The Corporate Records Manager is the author of the Records Management Policy and the Document Naming and Control Policy (see element 11).
In Social Security Scotland the Corporate Records Manager sits within the Data Protection and Information Governance Branch, which is part of the Data Office.
It is clear from the above that the identified individual has a detailed knowledge of the records management provision in the authority.
The Keeper notes that the Corporate Records Manager is now supported by a Corporate Records Practitioner.
The Keeper agrees that Social Security Scotland have identified an appropriate individual to this role as required by the Act.
|
3. Policy | G | G |
The Act requires an authority to have an appropriate policy statement on records management.
Social Security Scotland have a Records Management Policy. The Keeper has been provided with a copy of this Policy. This is Version 2 created by the Corporate Records Manager (see element 2) and approved by the Information Governance Group (see Key Group under General Comments below) in April 2023. The Keeper acknowledges that, since submission, the Social Security Scotland Records Management Policy has been reviewed and that she has been provided with the reviewed version (version 3, July 2024).
The Keeper has been provided with a screen-shot showing the Records Management Policy on the Social Security Scotland intranet.
The Records Management Policy is specifically endorsed by Deputy Director of Client Services (see element 1) in a Covering Letter (see under General Comments below).
The Records Management Policy specifically mentions compliance with the Public Records (Scotland) Act 2011.
The Keeper agrees that the RMP supports the objectives of the Records Management Policy.
The Keeper agrees that Social Security Scotland has a formal records management policy statement as required by the Act.
|
4. Business Classification | G | G |
The Keeper expects that the public records of an authority are known and are identified within a structure.
Social Security Scotland operate a hybrid system: Public records are held digitally on an electronic document and records management system (eRDM), on bespoke line-of-business systems and in hard-copy format in-house.
Digital eRDM: As a relatively new organisation the vast majority of the public records of Social Security Scotland are ‘born digital’ although they also manage a limited amount of paper records. The existence of paper records is acknowledged throughout the RMP and evidence package.
The digital records of Social Security Scotland are managed on the Objective eRDM system. Although Social Security Scotland operate their own separate file plan, eRDM is the record-keeping system used throughout the Scottish Government. It is also the system utilised by the National Records of Scotland and, as this is the case, the Keeper is obviously familiar with the functionality of eRDM and can agree that, properly implemented, it is a suitable system for the management of a public authority’s public records.
The Keeper has been provided with an extract of the eRDM showing Social Security Scotland records managed on that system.
Digital Line-of-Business: Social Security Scotland operate several stand-alone systems, for example Public Protection Case Management System (PPCMS) and Social Programme Management (SPM). These line-of-business systems sit outside eRDM, but the Keeper can agree that they are likely to allow the appropriate management of records within a structure as required. The Keeper has been provided with an extract of both the systems mentioned above.
Physical in house: Although the vast majority of Social Security Scotland’s public records are digital there are some hard-copy records including, for example, correspondence received by post. Hard-copy records are recorded in the Information Asset Register (see below) but managed in local business areas (see Local Records Management under General Comments below). The RMP explains (page 13): "A small number of other teams maintain relatively small amounts of hard copy records. These are retained in secure lockable cabinets with access restricted to the relevant members of these teams." The Keeper has been provided with details of the systems in place to ensure that Social Security Scotland can be confident that these records can be stored, retrieved and destroyed/archived when appropriate.
As well as the eRDM file plan, Social Security Scotland have also developed an Information Asset Register (IAR) which captures all of the organisation’s information assets. “This captures all of our information assets. A network of Information Asset Managers (IAMs) has been established in business areas across the organisation. They act as points of contact for the Records Management Team when assets become due for review and are responsible for identifying and registering new assets.” (RMP page 14). Screen-shots of Information Asset Register and the Information Asset Tracker have been provided to the Keeper. The Keeper notes that, since the submission of the Social Security Scotland RMP, the Information Asset Register tool has been under review, both in Social Security Scotland and in the wider Scottish Government. Social Security Scotland have committed to update the Keeper on developments in this area.
The IAR is based on that used by the Scottish Government (agreed by the Keeper in 2022) and adopts the following structure:
Unique asset I.D./Owner/Title/Description/Location [confirming it includes information assets outside the eRDM]/Risk Management/Published (Y/N)/Personal Information (Y/N)/Status/Directorate/Division
The Keeper agrees that Social Security Scotland retains all its public records in controlled systems which are structured in a clear manner and which can be used by staff to manage public records where appropriate. The Keeper recognises that this represents an improvement in the Records Management provision in Social Security Scotland since their original agreement in 2020 which was agreed as an improvement model carrying an amber RAG status.
|
5. Retention schedule | A | G |
The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule.
The Social Security Scotland Records Management Policy (see element 3) states: “The periods for which records are retained will be determined by Social Security Scotland’s statutory and regulatory obligations, business requirements and professional standards. These will be set out in our retention and disposal schedule. Records are required to be available to the user for the whole retention period. This will be achieved by...maintaining a retention schedule covering all business areas within Social Security Scotland. Social Security Scotland’s retention schedule is key to effective records management. It describes the recommended periods for which particular classes of records should be retained. It also provides a formalised, accountable system for the retention and disposal of records. This will realise business efficiencies and legislative compliance by ensuring that information is not kept longer than necessary.”
Social Security Scotland have provided the Keeper with their retention schedule. It is set out as follows: Reference/Activity-Records Series/Description-Examples/Personal Information (Y/N)/Trigger/Retention Period/Justification/Disposal Action/Vital Records (Y/N)/Notes.
For example: IMSO Meeting Agendas and Notes/Agendas and meeting notes from Information Management Support Officer (IMSO) monthly catch ups/No/Date of creation/1 Year/Business Decision/Destroy/Business Requirement/No.
The Keeper acknowledges that the Retention Schedule considers records in all formats; for example, an entry refers to “Emails, letters, applications, ID, Phone calls recordings”.
Retention in Social Security Scotland is managed through a formal Retention and Disposal Policy. The Keeper has been provided with this policy. This is version 1.0 approved by the Information Governance Group (see Key Group under General Comments below) in October 2022. Staff are also supported with a Records Disposal Guidance document (see element 6).
The vast majority of the public records managed by Social Security Scotland are held on their eRDM system (see element 4). On the issue of assigning retention, the Keeper has been provided with the Scottish Government File Type Guidance. The allocation of a record to a file type dictates the retention applied to that record. It is not possible, therefore, to save a record to eRDM without retention being automatically applied. The Keeper is familiar with the functionality of retention in eRDM as it is that used in the National Records of Scotland.
The Keeper recognises that not all the public records of Social Security Scotland are managed on their eRDM and it is important that those records have retention decisions applied to avoid the authority retaining records that have no business use. The Keeper can agree that records held on the various business systems (such as PPCMS or SPM) have specified retention decisions allocated and that these are understood.
Social Security Scotland manage small amounts of hard copy records and have developed retention periods for these that feature in the retention schedule.
However, Social Security Scotland is not yet fully confident that appropriate retention has been applied to all the public records managed by the organisation. They state in their RMP (page 15): “There still remains some work to capture the retention requirements of some business areas.”
Separately from their RMP submission, Social Security Scotland have provided the Keeper with the following: “A considerable amount of work has been undertaken with IMSOs in other business areas to identify and capture the retention requirements for their records and information. Once all business areas have returned their requirements, these will be quality assured for accuracy and to avoid duplication of entries.” and (in January 2025) “Social Security Scotland views its retention schedule as a living document. We have an approved retention schedule which is currently under review.”
The Keeper notes that the Senior Information Asset Owner, in a separate letter (see under General Comments below), has made a commitment that Social Security Scotland will be: “working towards records management best practice”.
Social Security Scotland also note "The retention schedule will continue to be regularly reviewed" (RMP page 15). This is an indication that the organisation recognises that a retention schedule is a living document liable to alteration to reflect changes in business need.
The Keeper can agree this element of Social Security Scotland’s Records Management Plan on ‘improvement model’ terms. This means that the authority has recognised a gap in their records management provision (the retention schedule is still under review – see also element 7), but have identified suitable processes that will allow them to shortly close that gap. The Keeper requires Social Security Scotland to keep them apprised of progress.
|
6. Destruction Arrangements | G | G |
The Act requires that public records are destroyed in a timely, controlled and secure manner.
Social Security Scotland acknowledge this and set out that “Records which are vital for the effective operation of Social Security Scotland will be identified. They will be appropriately protected to ensure their continuing availability in the event of any disaster. This will be achieved by a number of processes including, but not limited to:… developing procedures for disposal of records at the end of their life-cycle” (Records Management Policy – see element 3 – section 8). A commitment to pursuing this appears in the Policy at section 11.
“The permanent retention of all records is unsustainable and unnecessary. Disposal is necessary to free up storage space, reduce administrative burden and to ensure that Social Security Scotland does not unlawfully retain records for longer than necessary (particularly those containing personal data)” (Retention and Disposal Policy - see element 5 - section 3).
With these commitments in mind Social Security Scotland has supported the Retention and Disposal Policy with a Records Disposal Guidance document which has been provided to the Keeper. This is version 1.0 which was approved by the Information Governance Group (see under General Comments below) in April 2023.
Social Security Scotland have the following process in place to ensure the controlled, secure and irretrievable destruction of public records (for the structure of Social Security Scotland records management systems see element 4 above):
Digital eRDM: The vast majority of the public records of Social Security Scotland are managed on the eRDM system. As such they are subject to the automated destruction processes of that system. This is explained in the RMP at page 19. The Keeper is familiar with the operation of the eRDM’s destruction functionality as it is that used by the National Records of Scotland.
Digital Line-of-Business: These line-of-business systems sit outside eRDM, but the Keeper can agree that they are likely to allow the destruction of public records within a retention framework as required. Examples of this have been given in the RMP at pages 17 and 19.
Physical in-house: The Records Disposal Guidance describes procedures for the disposal of paper waste (confidential or otherwise) at section six. This work is undertaken by a third party contractor. Social Security Scotland have provided the Keeper with a destruction certificate as evidence that this arrangement is in operation.
Hardware: Hardware disposal is arranged through the Scottish Government who have provided the Keeper with a statement regarding this. The Keeper has recently agreed that the destruction of hardware by the Scottish Government, through a third-party, is compliant with expectations under the Act.
Back-Ups: The majority of Social Security Scotland’s public records are covered by the back-up feature of the eRDM. The RMP and a covering statement from the Scottish Government explain the back-up process and the Keeper can agree that the destruction of digital back-up copies is controlled and understood.
A Sample Records Disposal Log page has been provided to the Keeper. The Keeper commends the principle of retaining a log of all public records destroyed.
The Keeper agrees that Social Security Scotland has processes in place to irretrievably destroy their records when appropriate.
|
7. Archiving and Transfer | A | G |
The Act requires that all Scottish public authorities identify a suitable repository for the permanent preservation of any records considered suitable for archiving. A formal arrangement for transfer to that repository must be in place.
Social Security Scotland have identified the National Records of Scotland (NRS) as the proper repository for the small selection of their public records suitable for permanent preservation. Some of the public records of Social Security Scotland will therefore become part of the national collection.
NRS is an accredited archive https://www.nrscotland.gov.uk/news/2015/national-records-of-scotland-receives-archive-accreditation-award and fully adheres to the Keeper’s Supplementary Guidance on Proper Arrangements for Archiving Public Records: https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/supplementary-guidance-on-proper-arrangements-for-archiving-public-records.pdf
Archive transfer arrangements will operate under the terms of a Formal Transfer Agreement going forward. This supports a commitment in the Records Management Policy (see element 3) page 13: “A small percentage of Social Security Scotland’s records will be selected for permanent preservation. These will be identified in the retention schedule. The arrangements for the transfer of archives to National Records of Scotland will be detailed in a Transfer Agreement. The transfer will be managed by Social Security Scotland’s Records Management Team.”
However, this agreement is not fully embedded by both parties. This is due to the outstanding work explained under element 5 where Social Security Scotland are reviewing all document types to confirm that they carry the correct retention decision, including permanent preservation.
On this issue Social Security Scotland state (RMP page 21) “See Element 5 for update on progress on the retention schedule. The Corporate Records Manager has maintained contact with NRS Client Managers to keep them informed of progress. Social Security Scotland will enter into a transfer agreement once the retention schedule has been finalised.”
Also the Retention and Disposal Policy (see element 5) states on page 6: “Social Security Scotland will identify, appraise and offer records identified as having historic value and if applicable transfer to The National Records of Scotland. Historic records can be transferred earlier by agreement of all parties affected by the decision. This agreement will be called the Memorandum of Understanding and will come into place when the retention schedule is finalised.”
The Keeper notes that the Retention and Disposal Policy includes a section “Archiving and Transferring Best Practice”.
Social Security Scotland has a National Records of Scotland Web Archiving Agreement in place for the website to be regularly accessioned: Social Security Scotland Archive Timeline (nrscotland.gov.uk)
The Keeper can agree this element of the Social Security Scotland RMP under improvement model terms while the review of the retention schedule progresses. It is clear that the authority has selected a suitable archive and has made a commitment to ensure that a formal transfer agreement is in place.
|
8. Information Security | G | G |
The Act requires that public records are held in accordance with information security compliance requirements.
The RMP states (page 23): “Social Security Scotland is aware of the importance of protecting its information from unauthorised access.”
The Records Management Policy (see element 3) states “records need to be maintained securely. The user must have confidence the record has not been altered, amended or destroyed without authorisation. Sensitive records must be identified and protected in accordance with Government Security Classifications requirements” (Records Management Policy section 4).
With these commitments in mind Social Security Scotland have provided the Keeper with the authority’s Information Security Policy (version 1.0 dated 2022). This Policy is supported by a suite of supplemental policies and guidance documents such as Access Management Policy and Password Policy. These are available to staff on the intranet (screen-shot provided) and from links within the main Information Security Policy. The Information Security Policy mentions the physical security of areas where hard-copy records may be managed. This is also considered in the RMP itself, for example at page 26.
The Keeper notes that Social Security Scotland plan to develop further security policy and guidance documents, such as a Clear Desk Policy. As these are authorised and implemented the Keeper would be pleased to receive copies in order that Social Security Scotland’s case file may be kept up to date.
The Information Security Policy explains that Social Security Scotland have the following procedures in place to ensure the security of its public records:
Digital eRDM: The eRDM is governed by published information security procedures. These are available to staff and training is provided.
Digital Line-of-Business: The Keeper can agree that line-of-business systems operated by Social Security Scotland have adequate information security provision as part of their functionality.
Physical in-house: There are very few public records managed in paper format and these are managed locally (see element 3). Access to paper records is restricted to appropriate staff in local business areas, with storage in locked cabinets.
A system for reporting information security breaches (actual or potential) is described in the Information Security Policy, for example on page 6.
All information assets will be identified and assigned an Information Asset Owner (see Local Records Management under General Comments below). Information Asset Owners ensure that information risk assessments are performed at least annually.
The Social Security Scotland Senior Information Risk Owner (SIRO) is also the senior officer responsible for the implementation of the RMP (see element 1).
The Keeper agrees that Social Security Scotland have procedures in place to appropriately ensure the security of their records as required by the Act.
|
9. Data Protection | G | G |
The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law.
Social Security Scotland is registered as a data controller with the Information Commissioner’s Office (ICO) as part of the general entry for Scottish Ministers: Information Commissioner's Office - Register of data protection fee payers - Entry details (ico.org.uk)
It should be noted that, due to the nature of their function, Social Security Scotland are subject to the Law Enforcement Directive and relevant law enforcement clauses in data protection legislation (for example Part 3 of DPA 2018).
Social Security Scotland have a Data Protection Policy. The Keeper has been provided with a copy of this Policy. This is version 1.0 approved by the Information Governance Group (see Key Group under General Comments at the end) in July 2022.
The Data Protection Policy explains the 6 principles of data protection (section 4). The Policy also provides staff instruction for reporting data protection breaches, actual or potential (for example at section 7).
Members of the public are made aware of their rights and how they can make a subject access request at: Social Security Scotland - Privacy Notice.
As required by data protection legislation, Social Security Scotland have identified a Data Protection Officer. This is the Data Protection Officer of the Scottish Government. The arrangements by which Social Security Scotland has adopted the data protection arrangements of the Scottish Government are explained in a Memorandum of Understanding between Social Security Scotland and the Government. A copy of this agreement has been provided to the Keeper. In 2022 the Keeper agreed that the data protection provision in the Scottish Government is compliant with their expectations.
Social Security Scotland have committed to carrying out data protection impact assessments before they begin any processing of personal data which is likely to result in a high risk to individuals (Data Protection Policy section 5).
Social Security Scotland have committed, in their RMP, to maintaining a Record of Processing Activities (ROPA). An extract has been provided to the Keeper as evidence that this commitment is operational.
Furthermore, they have other supporting guidance for staff, such as an e-learning module (see element 12). This has also been shared with the Keeper.
The Records Management Policy (see element 3) and Information Security Policy (see element 8) specifically indicate support for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Social Security Scotland operates a Data Protection Team to monitor data protection issues around projects, legislative and regulatory issues, and to review information sharing requests. “The Social Security Scotland Data Protection team is responsible for providing advice, monitoring compliance, and is the first point of contact in Social Security Scotland on data protection matters.” (Information Security Policy - see element 8 - page 10). The team is led by a Senior Data Protection Practitioner who produces ad-hoc reports to escalate findings of significant concern or emerging risk to the Audit and Assurance Committee or Executive Team as appropriate. The Keeper has been provided with the Social Security Scotland Data Protection Assurance Framework Overview under which this arrangement operates. The Keeper has also been provided with a link to the records of the Audit and Assurance Committee showing data protection as an agenda item: Social Security Scotland - Audit and Assurance Commitee - Sept 2022 - Data Protection Annual Assurance Report 2021-22.docx
The Keeper has been provided with a screen-shot showing staff access to information governance policies and guidance including the Data Protection Policy.
Data protection arrangements are specifically supported by other evidence provided to the Keeper, for example the Retention and Disposal Policy (see element 5) pages 4 and 7 and the Records Disposal Guidance (see element 6) page 3.
The Keeper agrees that Social Security Scotland have arrangements in place that should allow them to properly comply with data protection legislation.
|
10. Business Continuity and Vital Records
|
G
|
G
|
The Keeper expects that record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning.
Social Security Scotland recognise this. The Records Management Policy (see element 3) states that “Records which are vital for the effective operation of Social Security Scotland will be identified. They will be appropriately protected to ensure their continuing availability in the event of any disaster.” (Records Management Policy section 8). The Information Security Policy (see element 8) states that “Social Security Scotland will implement a business continuity management system that will be aligned to the international standard of best practice...This will include appropriate backup routines and built-in resilience.” (Information Security Policy page 8).
Social Security Scotland has an overarching Business Continuity Framework supported by a Business Continuity Management Policy. The Keeper has been provided with a copy of the framework and the policy. These hold Social Security Scotland to the International Standard BS ISO22301:2012.
The Keeper has reviewed the submitted documents and agrees that record recovery (principally through IT recovery) is considered. The vast majority of Social Security’s public records are held digitally either on eRDM (auto recovery available) or on line-of-business systems.
Social Security Scotland identify their ‘vital’ records in their Information Asset Register (see element 4 above). There are not thought to be any paper records considered to be vital (RMP page 33).
The Framework and Policy inform the development of local business area continuity plans. A sample of a local business area continuity plan has been provided in evidence that this scheme is operational. The Keeper agrees that this sample considers the recovery of records.
The Keeper agrees that Social Security Scotland have an approved and operational business continuity process and that information management and records recovery properly feature in the authority’s plans.
|
11. Audit trail
|
G
|
G
|
The Keeper expects an authority to have processes in place to track public records in such a way that their location is known and changes recorded.
The Records Management Policy (see element 3) states that “Records are required to be available to the user for the whole retention period. They must be accessible to respond to a request for information or to meet an immediate business requirement.” (Policy section 4). It is clear Social Security Scotland recognise the importance of locating, tracking and correctly identifying records.
With this in mind, Social Security Scotland have the following processes in place (for the structure of Social Security Scotland records management systems see element 4 above):
Digital eRDM: The vast majority of the public records of Social Security Scotland are managed on the eRDM. The Objective system has a powerful search facility that allows a user to track all records using a variety of search criteria. The efficiency of the search facility relies on consistent naming of documents as they are saved as records on the system.
Social Security Scotland have a Document Naming and Control Policy document which has been provided to the Keeper. This is version v2.0 approved by the Information Governance Group (see under General Comments below) in September 2022. The author of the Policy is the Corporate Records Manager (see element 2). The Keeper agrees that this gives clear and appropriate instructions to staff to ensure that records are named on the eRDM in such a way as will allow tracking. The eRDM itself automatically imposes version control.
Digital Line-of-Business: Social Security Scotland operate line-of-business systems such as Social Programme Management (SPM). The Keeper can accept these systems have record tracking functionality.
Physical in-house: The Records Management Policy confirms that “The location of paper records outwith any storage area must be tracked. Paper records can be required for responding to requests for information and these are time-sensitive. It is essential that their location is known at any given time.” (Policy section 10). However, as noted under element 4, the volume of paper records managed by Social Security Scotland is very limited and controlled in local business areas. The RMP states (page 13) that "A small number of other teams maintain relatively small amounts of hard copy records. These are retained in secure lockable cabinets with access restricted to the relevant members of these teams". The Keeper is content that an organisation-wide paper record tracking system may not be required in the case of this authority as long as the Information Governance Team are confident that local arrangements allow business areas to adequately “respond to a request for information or to meet an immediate business requirement” as required by the Records Management policy.
The Keeper agrees Social Security Scotland has procedures in place that will allow them to locate their records and assure themselves that the located record is the correct version.
|
12. Competency Framework for records management staff
|
G
|
G
|
The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported.
The Corporate Records Manager (see element 2) is a qualified information professional with a Postgraduate Diploma in Archive Administration. He also has considerable practical experience in records management.
The Keeper notes that other members of the Records Management Team have appropriate training opportunities. For example, the Corporate Records Practitioner has completed the Principles and Practices of Information Management continuing professional development module at the University of Dundee (RMP page 7).
All employees are required to undertake annual Protecting Information and Data Protection and Security e-learning (RMP page 26 and also Data Protection Policy - see element 9 - section 4.9).
All records creators receive training before they are permitted to use the eRDM system (see element 4). Additional training is provided to those staff that take on the Information Management Support Officer (IMSO) role (see Local Records Management under General Comments below). The Records Management Team has developed monthly eRDM masterclasses that all staff can participate in. This training will make staff aware of the Records Management Policy and their responsibilities under it.
A separate Records Management page on Social Security Scotland’s version of Saltire has been created (screenshot supplied) and promoted to staff. The intranet hosts all relevant records management policies, procedures and guidance in one place. This includes information governance training modules.
Training in information governance can be directed to specific staff as appropriate. For example, line managers in Social Security Scotland are reminded of information governance responsibilities, including records management, through the distribution of a “Line Manager Cascade” publication (RMP page 11). Also, all staff in the data protection team either hold or are working towards a professional qualification in data protection (RMP page 31).
The Records Management Team continues to identify new Information Asset Managers (IAMs) and Information Asset Owners (IAOs) as they join the authority’s information structure and aims to provide training as soon as possible. The Deputy Director of Client Services (see element 1) completed the ‘Principles of being an Information Asset Owner’ training in May 2021. The Keeper notes a commitment in the ‘future plans’ of the RMP that “The Records Management Team will investigate the possibility of ensuring that the IAOs have access to regular refresher training.” (RMP page 5). For more on the IAMs and IAOs in the authority see Local Records Management under General Comments below.
The Keeper has been provided with the Social Security Scotland Records Management Competency Framework document which explains records management roles and responsibilities, available training and expected competencies. The Keeper agrees these are appropriate for a Scottish public authority of the size and complexity of Social Security Scotland. The Keeper has also been provided with the Social Security Scotland Information Asset Manager Training module PowerPoint. Provision of training and the Competency Framework is specifically supported by the Records Management Policy (see element 3) section 12.
The Keeper agrees that the individual identified at element 2 has the appropriate responsibilities, resources and skills to implement the records management plan. Furthermore, he agrees that Social Security Scotland consider information governance training for staff as required.
|
13. Assessment and Review
|
G
|
G
|
Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review.
The RMP is reviewed annually with a first review scheduled for April 2024 (RMP control sheet). The Keeper acknowledges that this review was scheduled during their assessment process and has been deferred to 2025.
Reviewing the implementation of the RMP is the responsibility of the Corporate Records Manager (see element 2) supported by the Information Governance Group (IGG) (see under General Comments below).
To inform the annual review, Social Security Scotland intend to self-evaluate using a Records Management Assurance Framework. This will be used to measure progress against aspirations in the RMP. However, this Assurance Framework was, at time of submission, a work in progress. The IGG have committed to liaise with colleagues in Social Security’s Corporate Assurance team to help develop the self-assessment tool. This maps to statements in the Records Management Policy (see element 3), for example at section 13. The Keeper agrees that this is an appropriate way forward. In January 2025 Social Security Scotland confirmed to the Keeper that “We are currently planning to finalise the Assurance Framework along with the work to review the Plan. We have started undertaking records management assurance assessments, working with IMSOs and IAMs within divisions across the organisation. The results of these assessments, along with recommendations for improvements, are sent to the relevant Deputy Director.” A sample report was provided.
The Keeper recognises that the Deputy Director of Client Services (see element 1) makes a commitment in her Covering Letter to “developing a framework for complying with all relevant legislation and for working towards records management best practice”. As RMP-review is a requirement of the Act, the Keeper accepts that Social Security Scotland is working towards a review methodology and is happy to agree this element of the RMP under ‘improvement model’ terms while this is being developed.
The results of any review will be reported to the Senior Information Asset Owner and the Executive Team. (The SIAO as Deputy Director sits on the Executive).
Social Security Scotland commit to using the Keeper’s Progress Update Review (PUR) reporting methodology going forward (RMP page 39): Progress Update Reviews | National Records of Scotland (nrscotland.gov.uk). This commitment is welcome and the Keeper’s Assessment Team acknowledge that this was done in 2021. It should be noted that PUR is a way of collating the results of a review, not a review methodology in itself. The review will be pursued under the self-assessment tool mentioned above.
Each policy relating to information or records management created by Social Security Scotland will generally be reviewed on an annual basis to ensure they remain up-to-date. This is confirmed by the control sheets of the various evidence documents. Several of these review dates have elapsed since the RMP/evidence package was submitted to the Keeper.
Business Continuity Management arrangements (see element 10) will be reviewed quarterly at the Audit and Assurance Committee, providing the Chief Executive with assurance that the Business Continuity Management System is being managed accordingly.
The Keeper agrees that Social Security Scotland have made a firm commitment to review their RMP as required by the Act but this element retains an amber RAG status until the review methodology is adequately developed and embedded in the business processes of the organisation. The Keeper acknowledges that this was well underway in January 2025. The Keeper agrees that supporting policy and guidance documents have appropriate review periods allocated. The Keeper acknowledges that in their first agreement, Social Security Scotland had indicated that they would use an alternative self-assessment mechanism. The allocation of an amber RAG status to this element, where the authority was originally green, does not indicate a degrading of the record management provision in the authority. It simply signifies that, at time of this submission, they were in a transition period. In fact, the Keeper judges that, if appropriately implemented, a bespoke self-assessment tool, designed specifically for Social Security Scotland, may represent an improvement in record keeping.
|
14. Shared Information
|
G
|
G
|
The Keeper expects a Scottish public authority to ensure that information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled.
Social Security Scotland shares information with third parties and states that “Social Security Scotland is aware of the importance of sharing information with other organisations in a lawful and secure manner.” (RMP page 23)
With this in mind, Social Security Scotland shares information with other bodies using Data Sharing Agreements. This is a commitment in the Social Security Scotland Data Protection Policy (see element 9) section 5.8. The Keeper has been provided with a Data Sharing Agreement (with the Department for Work and Pensions) as evidence that the arrangements explained in the RMP are currently operational.
When sharing non-personal information the authority utilises the Scottish Government’s data sharing template which covers the governance of the information being shared. In 2022 the Keeper agreed that the Scottish Government’s data sharing processes are compliant with their expectations.
The Keeper notes that Social Security Scotland has a third party disclosures function governing the lawful sharing of personal information with bodies with law enforcement powers. This is done in line with their Part 3 of DP2018 responsibilities (also see element 9).
The Keeper can agree that Social Security Scotland properly considers records governance when undertaking information sharing programmes.
|
15. Public records created or held by third parties
|
G
|
G
|
The Public Records (Scotland) Act 2011 (PRSA) makes it clear that records created by third parties when carrying out the functions of a scheduled authority should be considered ‘public records’ - PRSA Part 1, section 3(1)(b).
Social Security Scotland contracts out one of its functions to a ‘third party’, the UK Department for Work and Pensions. This is a temporary arrangement while Social Security Scotland puts processes in place to carry out the function themselves. In the meantime, the Act makes it clear that records created by this third party when carrying out this function are subject to the Act. It is the responsibility of the scheduled authority, Social Security Scotland, to ensure that procedures are in place to satisfy themselves that third parties are carrying out records management appropriately.
The RMP gives the following statement under element 15: “Social Security Scotland is aware of the importance of ensuring that any third party carrying out a function on its behalf manages the records created in carrying out that function appropriately.”
With this in mind, Social Security Scotland has entered into a number of Formal Agreements which describe the obligations on each party in terms of information governance arrangements.
Social Security Scotland has supplied the Keeper with a sample agreement. The Keeper acknowledges that the control of public records is embedded in this agreement including, for example, freedom of information requests and data controller arrangements.
The Keeper agrees that Social Security Scotland has properly considered the management of records created by third parties while they undertake activities in pursuance of their functions under contract.
|
General Notes on submission
This assessment is on the Records Management Plan (RMP) submitted by Social Security Scotland, for the Keeper of the Records of Scotland’s (the Keeper) agreement, on 10th July 2023. This is RMP version 2, approved by the Social Security Scotland Information Governance Group (see Key Group) on 6th April 2023.
The RMP submission was supported by an appropriate evidence package and by a separate letter from the Social Security Scotland Senior Information Risk Owner (see element 1), undated, in which she endorses the RMP and the Records Management Policy (see element 3).
This is the second RMP from Social Security Scotland assessed by the Keeper. Their first Records Management Plan was agreed by the then Keeper on 23rd September 2020: Social Security Scotland Assessment Report (nrscotland.gov.uk)
The RMP mentions compliance with the Public Records (Scotland) Act 2011 and is set out in the structure of the Keeper’s 15 element Model Plan: Model Records Management Plan | National Records of Scotland (nrscotland.gov.uk)
The Introduction to the RMP (page 3) states:
“The systemic management of records is particularly significant because it will allow the organisation to:
- increase efficiency and effectiveness;
- make savings in administration costs, both in staff time and storage;
- support decision making;
- be more accountable;
- achieve business objectives and targets more efficiently;
- provide continuity in the event of a disaster;
- meet legislative and regulatory requirements, and;
- protect the interests of employees, clients and stakeholders.”
The Records Management Policy states:
“The systematic management of records will allow Social Security Scotland to:
- know what records it owns and locate them easily;
- increase efficiency and effectiveness;
- improve the service provided to clients;
- make savings in administration costs, particularly in staff time and storage;
- support decision-making;
- be open, transparent and accountable;
- meet legislative and regulatory requirements.”
The Keeper fully agrees with these statements.
Social Security Scotland recognise public records as a business asset that must be appropriately managed (for example at RMP page 23 or Records Management Policy page 3). This is an important recognition and the Keeper welcomes it.
The Information Governance Group
Social Security Scotland have an Information Governance Group (IGG) who are responsible for approving the RMP, which they did in April 2023, and for monitoring its implementation. Significant changes to records management in Social Security Scotland must be reported to the IGG.
The IGG meets every two months and consists of senior managers from across Social Security Scotland. It reports to the Leadership Team.
Each policy relating to information or records management created by Social Security Scotland has been presented to and approved by either the Agency Leadership Team or the Information Governance Group. For example, the Document Naming and Control Policy (see element 11) has recently been reviewed and approved by the IGG.
The RMP pages 29/30 explain that “Social Security Scotland has developed its data protection functions to ensure it is...maintaining Data Sharing Agreements and accurate records of any data sharing initiatives through engagement with the…Information Governance Team…” (see elements 9 and 14).
The Deputy Director of Client Services (see element 1) chairs meetings of the IGG.
Local Records Management
There is ample evidence in the RMP that Social Security Scotland have designed their records management provision with close engagement with local business areas in mind. For example the file plan was developed in collaboration with the IMSO network (see below). Engagement with local business areas is to be commended.
Each business area has a senior officer (Deputy Director) designated as Information Asset Owner (IAO) supported by local Information Asset Managers (IAMs) and Information Management Support Officers (IMSOs). The use of IMSOs is a requirement of the main eRDM system.
IAOs are responsible for the security of their digital and physical environments where information is processed or stored (Information Security Policy - see element 8 - page 9). With this responsibility in mind, IAOs ensure that information risk assessments are performed at least annually, following guidance from the SIRO (see element 1). IAOs are also required to approve access to public records to those who have legitimate business need (Information Security Policy page 5). To this end, an audit trail of system access and staff data use is maintained and reviewed on a regular basis. IAOs are also responsible for approving Data Protection Impact Assessments in their directorate (Data Protection Policy – see element 9 - section 10).
As noted above, each directorate IAO is “supported [by] Information Management Support Officers (IMSOs) and Information Asset Managers (IAMs). They act as points of contact in local business areas for the Records Management Team. They are also the first points of contacts for queries within their business areas regarding eRDM and Information Assets.” (RMP page 8)
IAMs contact the Records Management Team when assets become due for review and are responsible for identifying and registering new assets. An IAM ‘network’ has been established throughout the various business areas of Social Security Scotland. All IAMs receive mandatory training explaining what information assets are and what the IAM role requires.
IMSOs within business areas are responsible for offering advice and guidance regarding records management to all staff within their area. They monitor compliance with relevant policies and guidance in consultation with the Corporate Records Manager (see element 2). IMSOs have the responsibility to support their IAM in the maintenance of the retention schedule for their business area. They have day-to-day responsibility for ensuring the eRDM is being operated correctly in their business area and for correcting naming errors. IMSOs are responsible for completing the local area of the Disposal Log when records are deleted (Records Disposal Guidance – see element 6 - section 9). They are also the point of contact in a business area for file creation. IMSOs identify records due for disposal according to the retention schedule and follow the disposal process. The Records Management Team meets monthly with IMSOs for updates. The RMP explains the day-to-day work of the IMSO in detail (page 16). This is also made clear in the Records Management Policy (section 9).
Clearly these local ‘champions’ are vital to the records management process in Social Security Scotland and the Keeper thanks the authority for sharing details of their remit as part of this submission.
6. Keeper’s Summary
Elements 1 - 15 that the Keeper considers should be in a public authority records management plan have been properly considered by Social Security Scotland. Policies and governance structures are in place to implement the actions required by the plan.
Elements that require development by Social Security Scotland are as follows:
5. Retention schedule
7. Archiving and Transfer
13. Assessment and Review
7. Keeper’s Determination
Based on the assessment process detailed above, the Keeper agrees the RMP of Social Security Scotland.
The Keeper recommends that Social Security Scotland should publish its agreed RMP as an example of good practice within the authority and the sector.
This report follows the Keeper’s assessment carried out by:
Pete Wadley
Public Records Officer
Liz Course
Public Records Officer
8. Endorsement of Report by the Keeper of the Records of Scotland
The report has been examined and is endorsed under the signature of the Keeper of the Records of Scotland as proof of compliance under section 1 of the Public Records (Scotland) Act 2011, and confirms formal agreement by the Keeper of the RMP as submitted by Social Security Scotland. In agreeing this RMP, the Keeper expects Social Security Scotland to fully implement the agreed RMP and meet its obligations under the Act.
Laura Mitchell
Deputy Keeper of the Records of Scotland
Direct Email: RG-Keeper@nrscotland.gov.uk