Element | Present | Evidence | Notes |
1. Senior Officer | G | G |
The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority.
Strathclyde Partnership for Transport (SPT) have identified Valerie Davidson, Chief Executive, as the individual with overall responsibility for records management in the organisation.
The RMP gives Ms Davidson’s role as ‘Assistant Chief Executive’. The Keeper of the Records of Scotland (the Keeper) has been provided with confirmation that Ms Davidson currently retains her records management responsibilities in her new, Chief Executive, role (August 2022). The Keeper requests that he is informed if this should change in the future. For the purposes of this assessment the Keeper accepts that any reference to ‘Assistant Chief Executive’ should now be considered to read ‘Chief Executive’.
The identification of Valerie Davidson to this role is supported by a Covering Letter (dated February 2020) from Gordon Maclennan, who was Chief Executive of SPT at time of submission, and by the Records Management Policy, for example section 5.
Valerie Davidson is the document owner of the Records Management Plan (RMP).
Ms Davidson is also the document owner of the Records Management Policy (see element 3) and has authorised the Data Protection Policy (see element 9), the Information Security Policy Statement and the Digital Assets Acceptable Use Procedures document (for both see element 8).
Ms Davidson reports on Cyber Resilience to the Audit and Risk Committee. The Keeper has been provided with samples of these reports. Ms Davidson also provided an update on business continuity testing to the Strategy Group (copy also provided to the Keeper).
Valerie Davidson is the SPT Data Protection Officer (see element 9 for more on this).
It is clear, from the evidence noted above, that Valerie Davidson has a detailed knowledge of the records management provision, and information governance compliance, at SPT.
The Keeper agrees that Strathclyde Partnership for Transport have identified an appropriate individual to this role as required by the Act.
|
2. Records Manager | G | G |
The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and that this staff member has appropriate corporate responsibility, access to resources, and skills.
The RMP identifies Mandi Turner, Information Governance Officer, as the individual with day-to-day responsibility for implementing the plan.
The Keeper is aware that, since submission, Ms Turner has left SPT and acknowledges that he has been provided with a new name for the individual holding the Information Governance Officer post at SPT. The Keeper has previously indicated that a change of individual does not invalidate a RMP as long as the role itself has not substantially changed. This assessment is based on the principle that the new post-holder’s responsibilities and access to resources are equivalent to those of Ms Turner and has accepted that any reference to the SPT ‘Information Governance Officer’ now refers to the new post-holder.
The identification of the Information Governance Officer to this role is supported by the Records Management Policy (see element 3), for example at section 5. This identification is also supported by the SPT Information Management Strategy (also element 3) which, at section 4.2, notes that the Information Governance Officer is responsible for ensuring that SPT meet their 'information handling operations'.
The Keeper has been provided with the Information Governance Officer Job Description (2020). He notes that the principal purpose of the role includes that “the post holder, in consultation with legal colleagues, will have key responsibility for preparing and supporting GDPR-compliant policies, robust Information Management processes and practices throughout SPT, as well as being the main point of contact for Records Management purposes.”
The Data Protection Policy (see element 9) states that "The Information Governance Officer (IGO) is responsible for developing, delivering and maintaining a comprehensive information management framework for SPT and acts as the principal contact for any data protection matters." (DP Policy section 10)
The Information Governance Officer prepared the RMP.
The Information Governance Officer sits on the Information Governance Group (see Key Group under General Comments below).
The Keeper agrees that Strathclyde Partnership for Transport have identified an appropriate individual to this role as required by the Act.
|
3. Policy | G | G |
The Act requires an authority to have an appropriate policy statement on records management.
SPT have a Records Management Policy. The Keeper has been provided with a copy of this Policy. This is version 2.0 dated December 2020.
The Records Management Policy includes formal commitments around the creation and storage of records and maintaining an information asset register (see element 4); the disposal of records (see elements 6 and 7); information security (see element 8); and training (see element 12).
The Records Management Policy specifically mentions compliance with the Public Records (Scotland) Act 2011.
The Keeper has been provided with the minute of a meeting of the Partnership (11 December 2020) approving the Policy, which contains a copy of the Policy (in draft): REPORT (spt.co.uk)
The Keeper agrees that the RMP supports the objectives of the Records Management Policy.
SPT also have an Information Management Strategy. This has been provided to the Keeper as version 1.0 (2019). The Strategy provides detailed statements around the management of records digitally. As noted under element 4 below, the authority is transitioning away from hard-copy corporate records.
The introduction to the Information Management Strategy states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The practical processes in place to support this overall strategy are explained in the relevant elements below.
SPT have provided the Keeper with screen-shots of information governance policies and guidance on their intranet as evidence that staff can access these documents when required.
The Keeper agrees that Strathclyde Partnership for Transport has a formal records management policy statement as required by the Act.
|
4. Business Classification | G | G |
The Keeper of the Records of Scotland (the Keeper) expects that the public records of an authority are known and are identified within a structure.
As noted in element 3 above, the introduction to the SPT Information Management Strategy states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The SPT Information Management Strategy also refers to a benefit of information management being "Knowing where to keep information, how to save it and how to dispose of it." (Strategy section 4.2) and that "Where appropriate to their role, staff in SPT should: Know what information is held, where we store it and when and how it should be destroyed." (Strategy section 5.1)
With these statements in mind, the Keeper has been provided with the SPT Business Classification Scheme which shows the functions and activities the authority undertakes. The layout of a business classification scheme must remain a decision for the authority, but the Keeper acknowledges that a functional structure, as demonstrated here, is currently considered best practice.
The SPT Business Classification Scheme is based on the Local Government Classification Scheme: Local Government Functional Classification Scheme (irms.org.uk)
The record types created within the ‘activity’ level of the Business Classification Scheme will be detailed in the authority’s Information Asset Register (IAR), which is populated at a local level (see Local Records Management under General Comments below). The establishment of an IAR is supported by commitments in the Records Management Policy for example at section 6. The SPT Information Management Strategy also supports the creation of an IAR where it states they will “…maintain our knowledge of the information held by each service through the maintenance and development of our Information Asset Register (IAR)” (Strategy section 6.2)
The Keeper has been provided with a copy of the Information Asset Register Template, but not the Register itself which is still under development. The Keeper notes that the information recorded in the Register is as follows:
- Record Series
- Purpose
- Format (see below)
- Category (Personal/special category/ business critical)
- Security Classification
- Who has access and
- Whether the record type is routinely shared
The Keeper notes that retention decisions, which were not included in the Information Asset Register at the time of submission, were included between submission and agreement. In November 2022 he was provided with an updated IAR template as evidence of this addition. The Keeper commends this inclusion as providing the authority with a single point of reference which is liable to create a stronger business tool. Please note: The addition of retention decisions to an IAR must remain a decision for the authority and is not a requirement of the Act.
The RMP confirms that "The IAR will cover all SPT records and will be updated in line with the BCS and retention schedules during a major project beginning in November 2020" (RMP page 7) and a ‘future development’ (also page 7) further confirms the population and structuring of the IAR, with local business areas using the template provided. The Keeper highly commends the decision to populate the IAR at a local level.
The Keeper has been provided with a statement on the BCS/IAR project (Project Dragon) from Valerie Davidson (see element 1). He agrees the objectives and timetable noted seem appropriate. The Keeper has also been provided with the Information Governance Group Work Plan (IGG - see Key Group under General Comments below). This specifically requires the IGG to embed the BCS/Retention Schedule and IAR. It also specifically mentions Project Dragon.
SPT recognise that the development of a robust records management system is a work-in-progress. A Covering Letter, from the Chief Executive of SPT at time of submission, notes that "SPT has approached its ongoing development on the basis of continual self-assessment, and therefore you will note that not only does the Plan outline how SPT manages public records but also areas of future developments.” The Keeper agrees that the adoption of a full IAR, mapped against the Business Classification Scheme, is liable to be a valuable addition to SPT’s records management provision.
The Keeper has been provided with the following statement in November 2022: “Seven departments have taken part in the project to date, with a roll out plan for the rest of the organisation.” He would be grateful for updates as this project progresses. The Keeper’s assessment team will provide SPT with a Progress Update Review template annually and this would seem the ideal opportunity to provide further information about this roll-out: Progress Update Reviews | National Records of Scotland (nrscotland.gov.uk).
As to record format: SPT operate a hybrid system with public records held in both digital format (on network drives and on line of business systems) and as hard-copy. This is confirmed by the Information Asset Register Template which mentions “paper, network files, system name” under its ‘format’ heading.
Digital Network Drives
The SPT Information Management Strategy states "SPT will endeavour to provide all staff with the technology they need to support the information management good practice and behaviours set out in this strategy through: the use of data storage infrastructure which meets the needs of the business and the user" (Strategy section 16.1)
To this end, SPT have structured network drives to store and manage public records. The use of the network drives for the management of the SPT corporate record is supported by commitments in the Records Management Policy for example section 7, which states "Records will be created in accordance with the SPT Business Classification Scheme and stored on network folders in the agreed structure."
SPT use a third-party security system (see element 8) and have used part of the functionality of that system to map their network drives to locate public records and to provide reports on the folders in the drives that contain records and something of the nature of those records.
Digital Line of Business
As well as the public records held on the SPT network drive, several of SPT’s activities are pursued using specialised information systems which also create and store public records outwith the main network drives. These are the authority’s ‘line-of-business systems’.
The Records Management Policy section 7 notes that “Records are also held within various systems and security measures are in place to limit access to these (e.g. passwords).”
SPT have provided the Keeper with the following statement regarding the records management functionality of their line of business systems: “SPT’s digital team is confident that all systems have adequate functionality, or that the supplier would support.”
Paper
The Keeper agrees that public records held in paper format are considered in the authority’s Business Classification Scheme. Furthermore, SPT will indicate which record types are held in hard-copy format in their Information Asset Register. However, the Keeper also notes that “SPT is working towards reducing the amount of hard copy data held.” (Records Management Policy – see element 3 - section 7). This is supported in the SPT Information Management Strategy "SPT will endeavour to provide all staff with the technology they need to support the information management good practice and behaviours set out in this strategy through: moving the organisation to a common digital infrastructure" (Strategy section 16.1).
The RMP (page 9) clearly states that SPT do not use third-party storage contractors for their public records.
This element of the SPT was awarded an amber RAG status under the original, 2017, agreement, with the following comment by the Keeper: “The Keeper agrees this element of SPT’s Plan under ‘improvement model’ terms. This means that the authority has identified a gap in records management provision (lack of a corporate Business Classification Scheme), but has committed to closing that gap. The Keeper’s agreement is conditional on him being updated as this project progresses. SPT have committed to doing this.” https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/keepers-assessment-report-strathclyde-partnership-for-transport.pdf
The Keeper acknowledges that the corporate Business Classification Scheme has now been created and he has been supplied with a copy.
The Keeper agrees that Strathclyde Partnership for Transport retains all its public records in controlled systems which are structured in a clear manner and which can be used by staff to manage public records where appropriate.
|
5. Retention schedule | G | G |
The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule.
The introduction to the SPT Information Management Strategy (see element 3) states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The SPT Information Management Strategy also confirms that "Where appropriate to their role, staff in SPT should: Know what information is held, where we store it and when and how it should be destroyed." (Strategy section 5.1). The Information Management Strategy also supports retention schedules elsewhere, for example at section 6.2.
The use of a retention schedule is a commitment in the SPT Records Management Policy (see element 3) for example at section 7.
As noted above, retention does not feature in the Information Asset Register, but appears to be made up of separate schedules for the different SPT business areas: Audit & Assurance, Bus Operations, Marketing, Corporate, Finance, Health & Safety, HR & OD, Digital, Legal and Property, Procurement, Projects and Subway Operations. These schedules have been provided.
SPT have provided a screen-shot showing that staff can access the relevant retention schedule through their intranet library. The RMP (page 8) notes that retention schedules are made available to the public on request.
SPT note in their RMP (page 8) that retention schedules are subject to change as business and legal requirements dictate. This is a commendable recognition that a retention schedule is a living document.
The Keeper has been provided with the Information Governance Group (IGG - see Key Group under General Comments below) Work Plan. This specifically requires the IGG to 'maintain and update retention schedules for all areas of SPT business'.
The Keeper agrees that Strathclyde Partnership for Transport has a schedule providing retention decisions for the record types created while pursuing its functions.
|
6. Destruction Arrangements | A | G |
The Act requires that public records are destroyed in a timely, controlled and secure manner.
SPT acknowledge this: The introduction to the corporate Records Management Policy (see element 3) notes that "Strathclyde Partnership for Transport is committed to good records management...to ensure that we: safely destroy records as soon as they are no longer required." (Records Management Policy section 2).
The introduction to the SPT Information Management Strategy (also see element 3) states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The SPT Information Management Strategy also refers to a benefit of information management being "Knowing where to keep information, how to save it and how to dispose of it." (Strategy section 4.2) and that "Where appropriate to their role, staff in SPT should: Know what information is held, where we store it and when and how it should be destroyed." (Strategy section 5.1). The Information Management Strategy also supports controlled destruction elsewhere, for example at section 6.2.
The RMP supports this: It explains that “Records Management is the systematic control of an organisation’s records… [that] allows the timely destruction of redundant information” (RMP page 3)
With this in mind SPT have the following processes in place to ensure the controlled, secure and irretrievable destruction of their public records:
Digital (Network Drives)
At annual review, against the records retention schedules, records held on network drives requiring disposal will be identified by Information Asset Owners and signoff obtained from Directors before they are manually deleted.
The Keeper notes that the RMP explains a future development where the security software suite (see element 8) which has been imposed on its digital public records may be utilised to automate and audit disposition of records according to retention decisions (RMP page 8).
Digital (Email)
Staff are responsible for managing their email accounts, ensuring required attachments are securely saved within the network folders and unneeded information is deleted.
Paper (in-house)
Records are destroyed internally by shredding, incineration, or are pulped so that they cannot be reconstructed. Secure waste disposal bins are provided within SPT. Also bulk shredding is managed by an external organisation, with proof of destruction provided.
The Keeper has been provided with details of the internal shredder and with a contract showing that the external arrangements are operational.
Hardware
SPT uses an internal hardware destruction process which ensures that media, such as CDs and tapes, is destroyed, and an external third-party destruction contractor for other hardware, such as storage drives on mobile devices.
The Keeper has been provided with details of the internal shredder and with destruction certificates showing that the external arrangements are operational.
Staff instructions for the disposal of hardware are provided in the Digital Acceptable Use Procedures document (section 6), a copy of which has been provided to the Keeper (v1.0, January 2019).
Back-Ups
SPT, quite properly, back-up their public records for business continuity purposes (see element 10). The Keeper has been provided with the following statement regarding the retention of back-up copies: “Backups are kept for 12 months before being overwritten in line with the Digital Retention Policy.” This assures him that all copies of electronic records and information are deleted after a controlled time.
This element of the SPT was awarded an amber RAG status under the original agreement, with the following comment by the Keeper: "The Keeper agrees this element of SPT’s Records Management Plan on improvement model terms. This means that an authority has identified a gap in their records management provision (in this case that electronic records are not universally destroyed at the end of their retention period), but have put processes in place to close that gap. The Keeper’s agreement is conditional on his being updated as the project explained in element 4 is progressed."
https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/keepers-assessment-report-strathclyde-partnership-for-transport.pdf
Although the Keeper can agree that arrangements are now in place for destruction of digital records the RMP suggests that these arrangements may still require to be fully communicated to staff. The RMP states (page 9): "Guidance for staff on disposal protocols is being developed" and as a ‘future development’ “A set of business rules for staff is being developed as part of the Records Management project” (also page 9).
The Keeper is able to agree this element of the plan on an ‘improvement model’ basis while the staff guidance on destruction is developed, approved and rolled out.
|
7. Archiving and Transfer | G | G |
The Act requires that all Scottish public authorities identify a suitable repository for the permanent preservation of any records considered suitable for archiving. A formal arrangement for transfer to that repository must be in place.
SPT acknowledge this: The introduction to the corporate Records Management Policy (see element 3) notes that "Records Management...allows reliable access to records, ensures timely destruction of redundant information, and the identification and protection of vital and historically important records." (Records Management Policy section 1). Also that "Strathclyde Partnership for Transport is committed to good records management...to ensure that we: identify and preserve records deemed worthy of permanent preservation." (Section 2). The Information Management Strategy also explains that "Good information management “Preserves for the public record decisions being made now which will become our history in the future.” (Strategy section 4.2).
SPT make the following statement in their Records Management Policy (see element 3) section 11: "SPT has an agreement in place with Glasgow City Archives for the long-term preservation of significant historical records"
The Keeper agrees that Glasgow City Archives is a suitable repository for the permanent preservation of public records in Scotland: Glasgow City Archives — Glasgow Life
This element of the SPT was awarded an amber RAG status under the original agreement, with the following comment by the Keeper: “The Keeper can agree this Element on an ‘improvement model’ basis. That means that the authority has an agreement in principle to transfer records to an appropriate archive, but requires to formalise these arrangements. Once the Keeper receives a document, such as a MoU or SLA or similar, showing that there is an agreement to transfer records, he should be able to fully agree this Element.”
https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/keepers-assessment-report-strathclyde-partnership-for-transport.pdf
The Keeper acknowledges that a formal Archive Deposit Agreement has now been agreed (2020) and he has been supplied with a copy.
Therefore, the Keeper agrees that Strathclyde Partnership for Transport has arrangements in place to properly archive records when appropriate.
|
8. Information Security | G | G |
The Act requires that public records are held in accordance with information security compliance requirements.
SPT acknowledge this: The corporate Records Management Policy (see element 3) commits that "Strathclyde Partnership for Transport is committed to good records management...to ensure that we: maintain securely and preserve access to ... records as long as they are required." (Records Management Policy section 2).
The introduction to the SPT Information Management Strategy (see element 3) states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The Information Management Strategy also explains that "Good information management “Ensures that our information is protected and secure and in turn, reduces levels of information-related risk” (Strategy section 4.2).
SPT make the following commitment: “SPT will maintain a proactive, planned, proportionate approach to information risk and security. Our response to managing information risk will be appropriate and balanced with business need, enabling staff to do their jobs whilst safeguarding information.” (Strategy section 8.2)
To manage this commitment, SPT have purchased a third-party security software suite which has been imposed on its digital public records. This currently allows SPT’s Information Governance Group to track, visualise, analyse and protect public records held in the network drive system and will, in the future, allow automated and audited destruction or archiving of records according to retention decisions.
SPT also have an Information Security Policy supported by other policies and guidance, such as their Digital Assets Acceptable Use Procedures (provided, v1.0). SPT have provided the Keeper with a statement regarding information security, dated 2019 and signed by Valerie Davidson (see element 1). The Keeper has been provided with a copy of the SPT Information Security Policy. This is v1.0 dated November 2021. He agrees it contains appropriate clauses to protect the authority’s public records.
The RMP notes (page 11) that the suite of information security guidance was being expanded at the time of submission. Clear desk instructions have now been included in the Information Security Policy noted above. A Secure Marking Policy is still in a pilot phase. The Keeper would appreciate being sent a copy of any information security policies and guidance as they are developed in order that he might keep the SPT submission up-to-date.
The Keeper has been provided with the Information Governance Group Work Plan (see Key Group under General Comments below). This specifically supports the roll-out, and promotion among staff, of information security policies and guidance.
Ensuring the practical implementation of document security functionality and of continuity backups are part of the responsibility of SPT's 'Digital' team: "Digital are responsible for ensuring that access rights to network folders/ records are well managed to limit unauthorised access to information. Digital are responsible for ensuring regular backups of SPT network folders." (Records Management Policy - see element 3 - section 5)
Instructions for actions to be taken in the case of a security breach are supported in the SPT Records Management Policy (see element 3) for example at section 9. The Keeper has been provided with a separate statement from Valerie Davidson (see element 1) explaining reporting of security breaches, actual or suspected, and confirming her personal responsibility for dealing with these.
Training in information security is supported by the SPT Information Management Strategy which, at section 5.1, notes that "Where appropriate to their role, staff in SPT should...know how to protect information and manage it appropriately."
Again, the Keeper has been provided with a separate statement from Valerie Davidson (see element 1) noting that SPT have a process of continual improvement through a process of incident reporting, risk assessment and regular audits. SPT have provided a screen-shot showing that staff can access the risk management strategy through their intranet library (for ‘Risk’ see element 13 below).
SPT is engaged with the Scottish Government’s Cyber Resilience Framework: Cyber resilience: framework and self assessment tool - gov.scot (www.gov.scot).
SPT have provided the Keeper with screen-shots of information governance policies and guidance on their intranet as evidence that staff can access these documents when required. Specifically, he has been provided with a screen-shot showing a link to the Information Security Policy.
The Keeper agrees that Strathclyde Partnership for Transport have procedures in place to appropriately ensure the security of their records as required by the Act.
|
9. Data Protection | G | G |
The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law.
SPT acknowledge this: The corporate Records Management Policy (see element 3) commits that "Strathclyde Partnership for Transport is committed to good records management...to ensure that we: protect vital records, which are required in order to function effectively." (Records Management Policy section 2).
The importance of compliance with data protection legislation is acknowledged in the SPT Information Management Strategy (see element 3).
SPT are registered as a data controller with the Information Commissioner: Z9340370 Information Commissioners - Data protection register - entry details (ico.org.uk)
SPT have appointed a data protection officer. This is Valerie Davidson (see element 1). This is confirmed by the ICO registration.
SPT have a formal Data Protection Policy which has been supplied to the Keeper. It is available publicly at data-protection-policy.pdf (spt.co.uk)
The Data Protection Policy appropriately explains the six principles of data protection and the GDPR accountability clause.
Members of the public are provided suitable guidance for making subject access requests: Privacy | SPT | Strathclyde Partnership for Transport
The Keeper has been provided with the Information Governance Group Work Plan (see Key Group under General Comments below). This specifically supports the roll-out, and promotion among staff, of the Data Protection Policy and other objectives in relation to data protection including breach reporting and ‘lessons learned’.
The Keeper has also been provided with the Information Governance Officer Job Description (see element 2). He notes that the role includes that “the post holder…will lead and be responsible for Information Governance services across SPT, ensuring compliance with statutory Information Governance responsibilities, including Data Protection.”
SPT have provided the Keeper with screen-shots of information governance policies and guidance on their intranet as evidence that staff can access these documents when required. Specifically SPT have provided a screen-shot of links to data protection guidance.
SPT make a commitment in the RMP (page 12) that “All staff have been trained to an appropriate level in data protection and refresher training will be on-going.” Training is supported in the Data Protection Policy (section 12).
The Keeper agrees that Strathclyde Partnership for Transport have arrangements in place that allow them to properly comply with data protection legislation.
|
10. Business Continuity and Vital Records
|
G
|
G
|
The Keeper expects that record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning.
SPT have an overarching Business Continuity Strategy supported by local arrangements. These are routinely tested (RMP page 13).
The Keeper has been provided with a separate statement from Valerie Davidson (see element 1) supporting the development and testing of business continuity plans.
The Information Management Strategy (see element 3) supports the principles of back-up and the identification of vital records, for example at section 6.2.
Ensuring the practical implementation of document security functionality and of continuity backups are part of the responsibility of SPT's 'Digital' team: "Digital are responsible for ensuring that access rights to network folders/ records are well managed to limit unauthorised access to information. Digital are responsible for ensuring regular backups of SPT network folders." (Records Management Policy - see element 3 - section 5). See element 6 regarding the availability of records beyond their retention period.
SPT have provided the Keeper with screen-shots of information governance policies and guidance on their intranet as evidence that staff can access these documents when required.
SPT have provided a statement “SPT’s Digital Disaster Recovery Plan details the procedures to be followed to manage the operational recovery of information systems and digital services.” However, they have not provided the Keeper with sight of this Recovery Plan.
However, the Keeper has been supplied with a separate letter from the individual identified at element 1 explaining that sharing the authority’s disaster recovery information with the Keeper is impossible, but assuring him that they are content that record recovery is embedded in emergency planning.
The Keeper agrees that Strathclyde Partnership for Transport have an approved and operational business continuity process and that information management and records recovery properly feature in the authority’s plans.
|
11. Audit trail
|
A
|
G
|
The Keeper expects an authority to have processes in place to track public records in such a way that their location is known and changes recorded.
SPT acknowledge this: The introduction to the corporate Records Management Policy (see element 3) notes that "Records Management...allows reliable access to records, ensures timely destruction of redundant information, and the identification and protection of vital and historically important records." (Records Management Policy section 1).
The introduction to the SPT Information Management Strategy (see element 3) states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The Information Management Strategy also explains that "Good information management provides the benefits [of] finding the information you need quickly and easily.” (Strategy section 4.2).
The RMP explains that “Records Management is the systematic control of an organisation’s records… [that] allows fast, accurate and reliable access to records” (RMP page 3).
With this in mind SPT have developed a records management structure around a Business Classification Scheme, to be improved by the roll out of a detailed IAR (see element 4). The adoption of this structure should direct staff where to locate public records. In order for these records to be correctly identified when located, it is imperative that they are consistently named. SPT have now created naming convention and version control guidance which forms part of the Records Management Project guidance. The naming convention and version control part of the project document has been provided to the Keeper. This includes a link to a stand-alone Version Control Guidance document which has also been provided to the Keeper but which, at time of submission, was in draft format (v00.02).
Version control by record creators is essential in a network drive based records management system.
The Keeper agrees that the development of version control and naming convention instructions for staff is a significant improvement on the part of SPT.
SPT have provided a screen-shot showing that staff can access the relevant guidance through their intranet library.
This element of the SPT RMP was awarded an amber RAG status under the original agreement, with the following comment by the Keeper: “The Keeper agrees this element of SPT’s Plan under ‘improvement model’ terms. This means that the authority has identified a gap in records management provision (lack of a corporate procedure for the tracking and identification of records), but has committed to closing that gap. The Keeper’s agreement is conditional on him being updated as this project progresses.”
https://www.nrscotland.gov.uk/files//record-keeping/public-records-act/keepers-assessment-report-strathclyde-partnership-for-transport.pdf
The RMP makes it clear that, on this particular issue, SPT are still not satisfied with their ability to track and identify public records. Despite the steps taken around naming, the RMP states (page 14): “Recognising that currently many electronic records held within SPT … have neither an audit trail nor a limit on the number of copies or versions of the same document, guidance on version control and audit tracking will be issued. This is being rolled out as part of the ongoing Records Management Project” and “For the future, SPT will investigate ways in which we can improve audit trails in relation to records by investigating procedures and guidance to ensure that a corporate approach is developed and established”. As noted above, the Keeper acknowledges that he has already seen a draft version control document.
Going forward, he will ensure that SPT is provided with the opportunity to offer annual updates using the Progress Update Review (PUR) process: Progress Update Reviews | National Records of Scotland (nrscotland.gov.uk). This would be an ideal way to report on the development of an operational tracking system for the authority’s public records.
The Keeper is able to agree this element of the RMP on ‘improvement model’ terms. This means that SPT have identified a gap in their records management provision and have implemented a project to close that gap. The Keeper’s agreement is conditional on his being kept up-to-date with progress.
|
12. Competency Framework for records management staff
|
G
|
G
|
The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported.
Competency and training of individual identified at element 2
It is a requirement of the Information Governance Manager’s Job Description (see element 2) that they must actively participate in required training including refresher training.
SPT has confirmed it is satisfied with the appointee’s qualifications and experience. The new post-holder has a Postgraduate Diploma in Archives & Records Management, is a Law Society of Scotland Certified Specialist in Data Protection, and has 5 years’ experience in an information compliance role.
Information Governance Training for other SPT staff
The Keeper has been provided with a statement from Valerie Davidson (see element 1) committing SPT to provide information security training for staff.
The RMP states that “All staff will receive appropriate training and development support to ensure that they are aware of their records management responsibilities. SPT believe that Information Management is the responsibility of all staff in the organisation.” There are dedicated 'development' and ‘communication’ sections in the Information Management Strategy (sections 10 and 14) that commit SPT to "ensure that information management awareness is reflected in the development needs of everyone in SPT throughout their career."
The Keeper has been provided with the Information Governance Group Work Plan (see Key Group under General Comments below). This specifically supports the roll-out, and promotion among staff, of the RMP, information security policies and guidance (see element 8) and the Data Protection Policy (see element 9).
The Keeper has also been provided with the Information Governance Officer Job Description. He notes that the role includes that “the post holder…will Develop, oversee and monitor Information Governance training for all staff and Board members, implement clear and robust information and data handling standards and procedures, raise awareness of Information Governance responsibilities and promote awareness and best practice.”
SPT make the following formal commitment in their Records Management Policy (see element 3) section 10: "Training and support for staff will be provided by the Information Governance Officer and staff are afforded opportunities for further formal training as required for their role". Training is also supported by the SPT Information Management Strategy which, at section 5.1, notes that "Where appropriate to their role, staff in SPT should...have the skills needed to manage information."
Also in the Strategy, SPT commit to "Providing staff with the right tools for managing information and training them in using those tools will help everyone to know and understand what information is available to them, why it’s being held and where it’s stored." (Strategy section 6.1) and a commitment to “provide adequate training to all staff who deal with information and help them understand their role and responsibilities.” (Strategy section 8.4).
To this end, the IGG (see Key Group under General Comments below) is undertaking a programme of awareness raising among SPT staff. This includes involving local business areas in developing their local retention schedule (see Local Records Management under General Comments below). Staff are reminded of their responsibilities through the SPT intranet and ‘all-staff’ e-mails. There are also specific mandatory training requirements. The Keeper acknowledges that he has been provided with samples of training communications (intranet articles).
The Keeper has been provided with the Information Governance Group Work Plan (see Key Group under General Comments below) that shows objectives in relation to communicating information management including a responsibility to “Create, maintain and roll out a training plan for all staff. Ensure that frequency, method of delivery and level of training is appropriate for each employee group.”
The RMP commits SPT that “All staff have been trained to an appropriate level in data protection and refresher training will be on-going.” (RMP page 12).
The Keeper agrees that the individual identified at element 2 has the appropriate responsibilities, resources and skills to implement the records management plan. Furthermore, he agrees that Strathclyde Partnership for Transport consider information governance training for staff as required.
|
13. Assessment and Review
|
G
|
G
|
Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review.
The RMP is reviewed annually and any changes ratified by the SPT Strategy Group (RMP page 1).
Responsibility for ensuring that an annual review is carried out currently falls to Valerie Davidson (see element 1) and results are reported to the Information Governance Group (IGG) (See Key Group under General Comments below). In turn, the IGG reports to senior management and to the Audit and Assurance Team and is included in SPT’s governance framework.
The IGG carries out a review of the Records Management Plan, and other information governance provision in the authority, in routinely scheduled meetings with the Information Governance Officer (see element 2). The testing of the RMP will be carried out by the Information Governance Officer through the IGG. The Information Governance Officer reports to the Senior Solicitor.
The Keeper has also been provided with the Information Governance Officer Job Description (see element 2). He notes that the role includes that “the post holder…will Coordinate the identification, assessment, reporting and management of risk in relation to all aspects of Information Governance within SPT, including regular review of the Information Asset Risk Register and reporting to the nominated SPT Solicitor and the Assistant Chief Executive. [Currently this will be the Chief Executive – see element 1 above]”
The Keeper has also been provided with the forward Work Plan of the Information Governance Group which breaks down future developments and the review process and confirms the responsibilities of the Information Governance Officer in these areas. The Keeper agrees that this work plan is granular enough to indicate that there are appropriate records management review methodologies in SPT.
The Work Plan also specifically supports the roll-out, and promotion among staff, of the RMP.
The Data Protection Policy (see element 9) is due for review annually.
The Records Management Policy (see element 3) is due to be reviewed every three years (supported at RMP page 4 and 16).
SPT is engaged with the Scottish Government’s Cyber Resilience Framework and a full risk assessment has been undertaken and is reported via the SPT Audit & Standards Committee. The Keeper has been provided with the Information Governance Group Work Plan (see Key Group under General Comments below) that shows objectives in relation to risk including to create and maintain a risk register for SPT wide information management.
The last review of the corporate business continuity plans took place in 2020.
The Keeper has been provided with a separate statement from Valerie Davidson (see element 1) noting that SPT have a process of continual improvement through a process of incident reporting, risk assessment and regular audits.
There is a specific commitment in the Information Management Strategy (section 10) that commits SPT to "monitor and evaluate the effectiveness of information management training material and guidance on an on-going basis." This is an important review commitment.
The Keeper agrees that Strathclyde Partnership for Transport have made a firm commitment to review their RMP as required by the Act and have explained who will carry out this review and by what methodology. Furthermore he agrees that supporting policy and guidance documents have appropriate review periods allocated.
|
14. Shared Information
|
G
|
G
|
The Keeper expects a Scottish public authority to ensure that information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled.
The introduction to the SPT Information Management Strategy (see element 3) states that "To maximise the potential benefit from SPT’s information we need to manage it efficiently, re-use it where we can, share it appropriately, store it safely and destroy it in line with our retention policies. Information that is not managed properly may be lost, shared with the wrong people or impossible to locate” (Information Management Strategy section 2). The Information Management Strategy also explains that "Good information management provides the benefits [of] knowing what information you can share and with whom.” (Strategy section 4.2) and that "Where appropriate to their role, staff in SPT should...collaborate with others to share knowledge and information" (Strategy section 5.1).
As well as these general, introductory, comments, the Information Management Strategy features a complete section on the benefits and challenges of information sharing and collaboration (section 7). For example it explains that "We need to share information and knowledge with colleagues, business partners, stakeholders and the public as appropriate – and understand the benefits that this brings. We must recognise that sharing and protecting are complementary activities, and are not mutually exclusive." (Strategy section 7.1).
With this strategy in mind, and in order to facilitate secure and controlled information sharing, SPT utilises formal data sharing agreements and specific protocols. The Keeper has been provided with samples of both these procedures. Requests for the sharing of information, under the protocol, are logged and tracked.
The Keeper agrees that both the sample Data Sharing Agreements he has seen and the Request for Disclosure of Personal Data from External Organisations (part of the information sharing protocol) appropriately consider information governance.
The Keeper can agree that Strathclyde Partnership for Transport properly considers records governance when undertaking information sharing programmes.
|
15. Public records created or held by third parties
|
N/A
|
N/A
|
The Public Records (Scotland) Act 2011 (PRSA) makes it clear that records created by third parties when carrying out the functions of a scheduled authority should be considered ‘public records’ - PRSA Part 1 3 (1)(b).
SPT note that their Records Management Policy (see element 3) states: “The policy applies to all SPT members, employees, agents, consultants and contractors, who create, collect, hold, use or dispose of SPT information.” (Records Management Policy section 3). "These procedures apply to all SPT employees and members, including temporary staff, suppliers and contractors, with access to Digital assets..." (Acceptable Use Policy - see element 8 - section 2).
However, the RMP makes it clear that "The nature of SPT’s business is such that there are very few public records created and held by third parties on SPT’s behalf." (RMP page 18). Those few records are covered by contractual clauses. SPT have provided the Keeper with sample data sharing agreements (see element 14) and a commitment to maintain these clauses going forward as business develops.
The Keeper accepts that SPT does not contract-out any of its functions to be undertaken by third-parties and that the records created and held by third parties are in relation to information sharing programmes (examples suggesting this have been provided as evidence against this element). The procedures regarding these programmes are explained in element 14.
|