Compliance review report: Clackmannanshire Council

Home
Publications
Compliance review report: Clackmannanshire Council

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Case Reference: 2024/001

Steps in Compliance Complaint Process

1. The complainant contacted National Records of Scotland (NRS) on 30 January 2024 outlining concerns around the records management practices at Clackmannanshire Council and the implementation of their agreed Records Management Plan.

2. A Compliance Complaint Review Officer was assigned.

3. Further details were requested from the complainant to ascertain if a Compliance Review was required. Details of the scope of the complaint in relation to elements of the Keeper’s Model Plan were confirmed by the complainant.

4. The complainant and authority were notified by the Keeper of the Records of Scotland (the Keeper) on 20 February 2024 that a Compliance Review was to be carried out. Section 6 of the Act allows for a review of whether an authority is complying with its records management plan where the Keeper becomes aware of a possible failure. Subsection (2) requires authorities to assist the Keeper in conducting such reviews if requested to do so, which can include providing information or documents to help inform the review. The authority was provided with an outline of the relevant elements of the Keeper’s Model Plan that had been identified as being within scope of the complaint, and a set of questions to assist in assessing compliance. In addition, at the authority’s request a bullet point list outlining the nature of the complaint was provided.

5. Representations, in the form of statements and supporting evidence, were received from the authority and acknowledged on 15 March 2024.

6. The Keeper of the Records of Scotland notified the authority of the outcome of the Compliance Review and provided the draft Compliance Review Report and recommendations on 02 September 2024.

7. The authority had 30 working days to comment on the draft Compliance Review Report and recommendations.

8. On receipt of any comments from the authority the Keeper of the Records of Scotland will consider these prior to issuing their Compliance Review Report. Response received from Clackmannanshire Council on 11 October 2024.

9. Keeper’s decision and Compliance Review Report issued to Clackmannanshire Council on 21 November 2024

10. Complainant notified of the Keeper’s decision and provided with the Compliance Review Report on 21 November 2024.

11. The Compliance Review Report will be published on the National Records of Scotland website.

Compliance Review Report

The following report outlines the complaint issue and the related Elements of the Keeper’s Model Plan provided to the authority. It includes the Keeper’s recommendations.

Element of Keeper’s Model Plan

Complaint Issue

Compliance Review and the Keeper’s recommendations.

Policies and procedures are not being followed (for example, the Destruction Policy, the Email Policy, and the Retention Schedule).

Addressed under several elements.

Element 1

Senior Officer

The Public Records (Scotland) Act 2011 (the Act) requires that an individual senior staff member is identified as holding corporate responsibility for records management in a public authority.

Individuals identified at Element 1 in RMP are outdated.

The evidence provided was created to support changes under a 2022 Progress Update Review (PUR) and reflects changes and proposed changes to personnel, but it is not signed by the responsible person. This is acceptable for a PUR submission, but it would not be acceptable evidence under a formal Records Management Plan (RMP) submission. It therefore cannot be acceptable under a formal investigation into compliance. In addition the evidence submitted references outdated Data Protection (DP) legislation, which the Keeper must question under a formal submission.

It would appear that the authority has been compliant under Element 1 but the evidence supplied in support of this is weakened by not being accurate or having the authority of the CEO. The Keeper cannot be confident in agreeing arrangements are sufficiently robust under the Element if the evidence is questionable.

Element 2

Records Manager

The Act requires that each authority identifies an individual staff member as holding operational responsibility for records management and has appropriate corporate responsibility, access to resources and skills.

No records management officer in post since 2020.

The authority cites email and documented evidence in support of its compliance statement but the emails and documents have not been submitted. Instead the authority has supplied what it says is text taken from these emails and documents. The Keeper does not consider this to be acceptable evidence for the purposes of a compliance review. It would not be regarded as appropriate evidence under a formal RMP submission. Evidence must be verifiable as formal and authentic. If the email or document being cited contains sensitive or confidential information that cannot be shared with the Keeper then redacted versions should be provided. Failing that it is also the case under formal RMP submissions that that the Keeper will accept signed confirmation from the CEO, or the person named under Element 1, that this evidence exists, but cannot be provided for specific and clearly explained reasons.

The Governance team has access to information governance training (data protection, data management), but this does not appear to include formal records management training. It is the case, however, that some records management training is accessed through informal means (attending meetings). The Records and Governance Officer, Project Coordinator, and other staff have, for example, attended and registered for PRSA surgeries. Records management must be a key component of any authority’s information governance training regime. The Keeper would expect this to be routinely accessible and in some instances mandatory for staff, particularly the person named under Element 2. It is good that the authority’s response notes training accessed by the Records and Governance Officer and her colleagues, but we would routinely expect this note of training to be accompanied by evidence. This does not appear to be the case. A formal RMP submission, and a response under a formal compliance complaint which questions the authority’s training, must include details of all internal training regimes in place for records management, data protection, FOISA, etc., and evidence showing how staff routinely access this training. We would also expect to see evidence of externally sourced training, where appropriate. And, the Keeper would expect to be furnished with the job description/objectives of the individual named under Element 2 demonstrating they hold formal responsibility for this role and have training obligations acknowledged, for example, under a Personal Development Plan or similar.

It appears clear that a Governance team is in place led by the person named at Element 2 (Project Coordinator) and which includes the new key contact (Records and Governance Officer), who’s job title suggests they have clear records management responsibility. In addressing the complaint issue, there may not have been someone in post with a job title specifically referencing records management, but there has been someone named at Element 2 and a key contact since the Keeper’s Agreement in 2017. However, it would be expected that that person with day-to-day responsibility (previously Project Coordinator and now Records and Governance Officer) would be formally identified in the RMP and in evidence to support this arrangement (e.g. CE Letter or a Letter from named person at Element 1).

Given the authority’s training regime is being questioned under a formal complaint, the evidence appears inadequate. It is not clear what training expectations the authority currently holds for the person named under Element 2 or what training that person has already gained. The authority’s response statement, and paucity of suitable evidence, leaves the Keeper unclear as to what extent it can meet its obligations under this Element.

Element 3

Policy

The Act requires an authority to have an appropriate policy statement on records management.

Policy versions and document control sheets do not reflect changes or are not updated.

Policy not approved by Council.

A Records Management Policy version 1.3, dated 31 August 2022, updated by the Project Coordinator has been provided. In its response the authority has confirmed this was approved by the Service Manager for Legal and Governance. It does not appear that the Policy has been through wider approval e.g. committee level since 2009/2015? Document control sheets are the recognised, standard method by which authorities evidence their policies and procedures being fit for purposes. It cannot be acceptable to the Keeper that a policy dated 2015, and authorised originally in 2009, is submitted as evidence of compliance.

The authority’s response statement and the Policy itself, state the frequency of review, ‘‘reviewed every 3 years or sooner if there is a change to legislation’’. It does not appear to be the final version though as there are obvious anomalies such as reference to both DPA 1998 and DPA and GDPR 2018. There is also a visible comment dated 12 September 2019. Under a formal RMP submission the Keeper would not regard outdated policies and procedures as credible evidence of current compliance. This is also the case under a compliance review.

It has not been demonstrated how staff access or are introduced to the Policy, only the RMP. A drive location screenshot has been provided showing the RMP. See Element 13 for comments on review and approval of policies. The Keeper’s Agreement Report of 2017 notes a screenshot was provided showing the Connect site providing access to the Records Management Policy and other information governance policies The screenshot provided here does not show a link to the Records Management Policy. Again, being able to demonstrate and provide evidence of how staff access policies and procedures, for example through mandatory training, is key to attracting the Keeper’s agreement under a formal RMP submission. The same applies under the compliance complaint process.

The authority provided a screenshot of the intranet site, Connect (which appears to carry an ‘published’ date of Oct 2012), with text that notes an Information Management Handbook will soon be published with details of the Records Management Policy. The Handbook is listed as an appendix in the RMP (version 1.4) and referenced in the 2017 Keeper’s Agreement Report and subsequent PUR. There is no reference to it in the authority’s response so it remains unclear how staff access this. It is not clear how staff learn about and access the authority’s Records Management Policy and other guidance referenced under this compliance review response. It is also not clear whether the authority’s Records Management Policy has been authorised or subject to a thorough governance procedure. It carries references to outdated data protection law. These are issues that would cause the Keeper concern under a formal RMP submission and they are of similar concern under this compliance review process.

Element 4

Business Classification

The Keeper of the Records of Scotland (the Keeper) expects that the public records of an authority are known and are identified within a structure

Records not stored or managed appropriately in storage systems where they can be identified, located and accessed.

The authority acknowledges there has been a lack of progress under this Element of its agreed 2017 RMP. The Keeper understands that transitioning to new systems can be time consuming and challenging. However, the authority’s agreed RMP indicated the solution proposed at that time would be operational by the end of 2017. The authority has made significant use of the PUR process to inform the Keeper of the technical, resource and other challenges it has faced since 2017, not least the impact of the global pandemic, across the Council. The authority’s 2022 PUR informed the Keeper of its decision to commit to a transition to Microsoft 365 (M365). This is commended by the Keeper. It is further commendable that the review of the Corporate File Structure is tied to the implementation of M365. This will rationalise the file structure and the location and management of the majority of the authority’s digital public records (excluding line-of-business systems). The submission does not, however, expand on timescales around the implementation.

Nevertheless, areas of concern remain with the response statement and evidence supplied under this Element. The response notes that paper records are still in use within the authority and while these are clearly a diminishing resource, there appears to be no mention of how staff are trained on the challenges of managing paper records. There is no indication of how and where these are stored, if there is a registry in operation, how they are tracked and how disposal decisions are applied to them. The authority’s agreed 2017 RMP refers to a scanning project being underway to address paper records, but this submission does not expand on the success or otherwise of that exercise. The Keeper remains unsure how the authority’s paper records, current and/or legacy, are managed.

The intranet guidance referenced under the submission appears to be outdated and carries text which is no longer sufficient to the need. The Records Management Guidelines provided in evidence appear to be 15 years old and again it is not clear where staff access this. 15 year old evidence cannot be consider by the Keeper as credible. It is also the case that the information shown in the Connect screenshot of the Document and Records Management page looks to be out of date.

Guidance that appears to have been developed to help staff, specifically an ‘Information Management Handbook’ is mentioned in evidence provided, but has not itself been provided. It is also the case that the IDOX User Guide, sent in evidence, is in fact the user manual produced by Idox Software Ltd. It is not the sort of ‘guidance’ one would expect Council staff to engage with for the purposes of meeting the authority’s requirements under its agreed RMP. It cannot be considered evidence of the authority guiding staff on their obligations under the policies and procedures agreed by the Keeper in 2017.

It is clear the authority has taken steps since 2017 to develop a Business Classification Scheme (BCS) to cover all of its business areas and public records, although questions remain about the management of paper records. It is also clear the authority has an ambition to transition to M365. That can be, if implemented properly, a credible records management solution and the authority’s aims are applauded by the Keeper. However, the authority’s response under this compliance complaint, particularly the evidence supplied in support of its statements, is not sufficient to convince the Keeper that enough progress has been made since 2017. The Keeper is concerned, for instance, that out of date guidance is being used to advise staff of their obligations.

Element 5

Retention schedule

The Keeper expects an authority to have allocated retention periods to its public records and for those records to be retained and disposed of in accordance with a Retention Schedule.

Records not managed through to disposal (secure destruction or transfer for permanent preservation) in line with retention schedule and policy (for example Email Retention Policy).

Unknown retention for certain record types.

The authority has a Corporate Retention Schedule, but it not clear to what extent it has been updated since 2014. There are statements and evidence around its review, procedures for requesting updates, and updates being made. Evidence showing requests for updates, however, suggests there are pending requests dated 2014 and 2018. The response states service areas are responsible for notifying the Governance team of updates, but pending requests from so long ago would appear to suggest the guidance is not sufficient. Retention Schedule review work is being undertaken by the Governance and Records Officer through email alerts to service managers asking about retention practices. This and other evidence might suggest the Retention Schedule is not subject to routine and systematic review.

The management of retention in network drives, which is notoriously difficult to manage, is a manual process and it is stated staff are contacted to act on retention periods. The evidence provided of staff being prompted to act is through a Teams message. There is evidence of a destruction plan in place in a specific service, but it is not clear to the Keeper how effective Teams prompts are and how effective a solution this is for ensuring the authority’s disposal mechanism is robust.

The Corporate Retention Schedule is a tab on the Connect intranet page (screenshot provided). There is some staff guidance, e.g. around email retention, however it is not clear where the guidance on providing updates to the Retention Schedule (Evidence 29) is located and it appears to be out of date.

The Drive Usage Guidance (Evidence 23) advises regular housekeeping of J drive and checking retention; it directs staff to the Retention Schedule and Destruction Arrangements Policy and where they can be located i.e. J drive file path and Connect intranet page.

The authority has a Retention Schedule in place, but it is under review and there are indications updates have not been made, possibly for some years. The authority acknowledge they can only partially confirm its public records are being retained and disposed of in line with the retention schedule. A clear commitment is given to progressing this work and evidence has been provided to show this is already underway and will be further progressed under the move to M365. It appears as though the process followed may on occasion be ad-hoc rather than systematic. The submission suggests, for example, that action to apply disposal decisions is sometimes brought about by concerns over server space rather than best practice records management driving decisions to safeguard the authority under information legislation and help maintain regulatory compliance.

The Keeper must again be concerned about the quality of evidence supplied in support of the authority’s compliance statements. The Retention Schedule refers to paper records, which are only briefly referenced under Element 4. It addresses secure destruction and includes details about the destruction of back-ups, but it continues, as with other evidence to reference outdated legislation. It points staff, for example, to the Data Protection Act 1998. Failing to reference the appropriate legislation under what the authority regards to be a ‘living document’ suggest policies and procedures are possibly not being reviewed and updated as frequently or as thoroughly as is necessary. The authority’s statement that the Corporate Retention Schedule has “been in place since 2014, but is currently under review” suggests insufficient attention has been paid to this. This view is supported by Evidence 26, which appears to come from the text of an email to staff containing questions about current records retention time frames and processes and inviting them to respond by end November 2023. It is also the case that lifting text from emails and documents to submit as evidence under a compliance review is not considered credible evidence by the Keeper. If the emails and documents cannot be supplied then a note from the CEO or person named under Element 1 of the RMP is required to give the Keeper an assurance the evidence exists and is robust. This is standard practice under a formal RMP submission and must apply under a compliance review.

The authority is not alone in managing a retention mechanism that aims to be better and it’s ambition to develop and implement a M365 solution is commendable. If properly resourced and managed over time this solution will support the authority’s retention schedule and ensure proper disposal of public records into destruction and permanent preservation as appropriate. However, the statements and evidence submitted under this Element of the compliance review do not appear sufficient to satisfy the Keeper that the authority’s Retention Schedule is as robust as it should be.

Element 6

Destruction Arrangements

The Act requires that public records are destroyed in a timely, controlled and secure manner.

Records not managed through to disposal (secure destruction or transfer for permanent preservation) in line with retention schedule and policy (for example Email Retention Policy).

Record of destruction not being maintained.

The Destruction Arrangements Policy (Evidence 36) supplied in evidence appears not to have been reviewed or updated since 2015, despite stating that it will be reviewed every two years. It is also the case that the policy, as a consequence of not being reviewed, continues to reference, as do other Council documents, the 1998 DP Act. Outdated policies would not be regarded as credible evidence under a formal RMP submission and therefore cannot be credible for the purposes of this compliance review. It appears from Evidence 64 - Version Control Sheet showing amendments for PU Review 2022, that there is a later version of this Policy, but an earlier version has been provided as evidence for this compliance review. See Element 11 for comments on version control.

It is not clear that the authority’s compliance statements and evidence cited above address the questions posed. It appears clear that the authority understood the necessity to manage destruction robustly in 2015 and committed to the Destruction Arrangements Policy formulated in that year. This has been submitted in evidence for the purposes of this compliance review, but appears not to be the current version, as noted above. Paper records are covered by the 2015 Policy, but the Keeper cannot be confident this Policy remains fully operational and that it meets the current needs of the authority. It’s not clear whether the in-house paper shredding solution meets industry standards. If the commercial service engaged for the destruction of special category information continues to operate the Keeper might have expected to be furnished with a recent destruction certificate in support of this. It’s also not clear by what means the authority securely destroys hardware.

The authority’s response to the Keeper’s questions about destruction logs, or some other record of destruction of its public records, is insufficient. There is, of course, no law requiring the creation of destruction logs, but FOI and DP legislation place an expectation on authorities’ to be able to qualify under scrutiny their destruction decisions. Knowing what records were destroyed, when and under what authority, can be important in protecting the authority’s reputation with stakeholders but also mitigating against a statutory penalty or legal action for breaching information legislation. It is therefore widely recognised as best practice to maintain destruction logs, or employ the tagging and record stub facilities of our (Electronic Records and Document Management) ERDM systems, as a safeguard. These actions will protect the authority against claims of wilful destruction of public records without regard to the stakeholders for whom they are created or the information legislation they help support. Pointing to there being no legal requirement to do such a thing when information, its management and destruction, is at the heart of a growing number of public inquiries and scrutiny of Government and public authority decision making is not a credible response. Failing to properly log the destruction of information could put the authority and its Chief Executive Officer in a difficult position.

It appears clear from the authority’s submission that services are responsible for regular destruction of records. It acknowledges this is only being partially met. The copy of the Destruction Arrangements Policy provided in evidence is dated effective from December 2015 and refers to DPA 1998, despite it stating that it will be updated every two years. This compromises its evidential credibility. There is also ‘Guidance on destruction of records and compliance with RMP’ (Evidence 35), but the Guidance has not been made available to the Keeper, instead what appears to be an excerpt from the Guidance has been pasted into a word document. This is not credible evidence of an authorised Council document.

Element 8

Information Security

The Act requires that public records are held in accordance with information security compliance requirements.

Records are not being held securely.

The compliance statements under this Element and the evidence provided in support indicates comprehensive standards and guidance are in place around ICT security, some of which address information security. As with other evidence, documents (Evidence 40 - Account Management Standards and Evidence 41 - IT Patch Management Standard) have been provided to support compliance which have visible comments, suggesting these may not be the final version. There is a commitment to reviewing and getting approval for a separate information security policy, which is currently in draft. Paper records are addressed in the RMP (version 1.4) and the authority’s response to this compliance complaint, which states paper records are minimal and being reduced. However, there appears to be insufficient reference under this compliance response to their secure management. The Keeper has been provided with a range of evidence which indicates comprehensive standards and guidance are in place around ICT security. However the response has not sufficiently addressed the security of paper records

Element 9

Data Protection

The Keeper expects a Scottish public authority to manage records involving personal data in compliance with data protection law.

Data protection information is not up to date or does not exist.

A review of the authority’s Data Protection Policy was delayed since December 2022, but it is currently being reviewed. The Data Protection Policy is published on the website, along with a Data Protection statement, information about contacting the Data Protection Officer (DPO) and how to make a Subject Access Request (SAR). Staff have to complete mandatory GDPR training (see Element 12). The Keeper can be confident the Council has appropriate arrangements in place, which will be more comprehensive once the Data Protection Policy has completed its review.

Element 11

Audit trail

The Keeper expects an authority to have process in place to track public records in such a way that their location is known and changes recorded.

No means of tracking and audit (access and alterations) for hardcopy records.

Document control sheets not always being used consistently to accurately record changes.

The authority is not alone across the Scottish public sector in operating a hybrid system of record creation and record keeping. The systems in operation in Clackmannanshire Council, IDOX (the Council’s ERDMS), shared network drives, line of business systems and paper operate with varying levels of compliance. For example, the authority’s ERDMS (IDOX) has built in audit trail and version control, which has been evidenced. Audit trail in network drives is manual. Services have different processes in place outwith the ERDMS. We appear not to have been sent any evidence of how this works, but advised that services can provide this if requested. This is acknowledged by the authority and it has plans to address gaps in provision under its proposed M365 solution.

The authority confirms it operates document control sheets for all policies and procedures, but there is sufficient evidence under this formal response to suggest this does not operate effectively. The submission includes, for example, a version of a document for which the Keeper has been supplied with a screenshot of the control sheet referencing a more recent version of that document (Destruction Arrangements Policy). It is also the case that some control sheets do not appear to include all the information needed to evidence robust tracking and monitoring of change. The RMP version 1.4, for example, does not carry a date. Again, the submission of excerpts from documents that are cited in evidence is not credible. It would not be sufficient under a formal RMP submission and therefore cannot be sufficient under a compliance review.

The authority does not properly address its paper records under its response. These were clearly in existence in 2017 when it achieved agreement for its plan and subsequent PUR submissions did not suggest any change. The original RMP evidenced the existence of a paper registry, but there’s no clarity around whether this remains in place and operational. A digitisation programme also appeared to be operational, but there is no indication of whether this concluded successfully.

There is evidence of systems and practices in place, acknowledgement by the authority of gaps in provision under these systems and practices, and statements in support of its ambitions to close these gaps. The Council’s PUR submissions are evidence of senior management remaining informed of the authority’s ambitions and help demonstrate progress in place or planned. However, questions remain about the quality of evidence supplied in support of the systems in place and the authority’s programme of improvement. There is sufficient cause for the Keeper to be concerned about the level of compliance under the authority’s agreed RMP.

Element 12

Competency Framework for records management staff

The Keeper expects staff creating, or otherwise processing records, to be appropriately trained and supported.

Staff training is not sufficient.

Limited documentation about records management practices available and no basic guidance on records management.

The Keeper needs to be confident under this Element that records and information training is made available to Clackmannanshire Council staff and how uptake of that training is monitored. They also needs to know how staff are directed to updated records management guidance to ensure training and learning is maintained and supported.

It is clear that the authority supports an online training regime under its Clacks Academy service. The training provided by the Academy is mandatory for all staff and compliance is monitored. This training includes refresher courses which operates annually. Line managers have responsibility for ensuring their staff comply and must report attendance using the Council’s ‘Reporting Switchboard’.

The Academy shows Data Protection (or ‘GDPR’ more precisely) and Information Security training as mandatory, but it appears never to have supported records management training, which was a commitment given by the Council under its agreed RMP in 2017. Subsequent PUR submissions have not alerted the Keeper to any specific records management training being made available to staff. It is noted the Council’s ambition is that the proposed M365 solution will, under a SharePoint site, include a Records Management module.

The Keeper, while applauding the Council’s openness, must be concerned about gaps in training provision, particularly where this submission appears to indicate that staff employed during the Covid-19 pandemic have not been trained appropriately. The Keeper is concerned to learn that staff employed, possibly for some years, may remain without adequate training and guidance on their key information management obligations. This must be regarded as a significant oversight. Failing to properly train staff can lead to poor decision making. It could put the authority’s compliance with all information legislation in jeopardy leaving it open to the possibility of statutory penalties and reputational damage. Combining the gaps in provision here with those identified under Element 2, where there appears to be no evidence supporting the training routinely undertaken for the authority’s named individual, is of particular concern under this formal scrutiny exercise.

As with some other Elements above, the Keeper is concerned with the quality of evidence submitted in support of the authority’s statements, or which is mentioned but appears not to be available. The authority’s agreed RMP and subsequent PUR submissions refer to an Information Management Handbook, which could have considerable value under this exercise, but the Keeper has not been furnished with this and evidence otherwise might suggest it has not yet been published.

In addition, it would appear the authority’s intranet (Connect) pages about records management which direct staff to policies and guidance include pages that are outdated, for example the Document and Records Management page is dated 2012. It is the case that staff are alerted to [records management] updates, for example, under the Manager’s Cascade and News section of Connect (intranet), but these would appear to be infrequent as the authority acknowledges not all staff are aware of records management information and resources, particularly if they were recruited during the Covid-19 pandemic.

There appears to be no question that the authority has training provisions in place, but it is not reaching all staff, which is concerning. It also appears that some of it remains to be updated and gaps in provision remain to be filled. The lack of records management training, which was a specific commitment of the authority under its 2017 RMP, is disappointing and may indicate that the authority is not properly following its RMP as agreed. Based on the information supplied, the Keeper cannot be satisfied the authority is doing all it can do under this Element.

Element 13

Assessment and Review

Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review.

Statements and information provided in relation to the Council’s Records Management Plan differ from the updates published in the PUR reports.

Outdated policies are in place (not reviewed as claimed, outdated information remains after review, review changes not recorded).

Polices are updated without going through an approval process.

It would appear the authority misunderstands what is expected under Section 5 of the Act, ‘Review of plans’. Section 5(1) says, ‘An authority must keep its records management plan under review’. This must be an ongoing process to be managed and maintained by the authority. It is not something to be instigated at regular intervals by the Keeper. Referencing the annual, voluntary PUR mechanism in answer to the Keeper’s question seeking confirmation of the authority’s ongoing review programme is not sufficient for this compliance review process.

In response to the Keeper’s question about the review method employed [which would, for instance, inform a PUR submission] the authority references only its two PUR submissions (2019 and 2022). The use of the voluntary PUR mechanism is applauded and is a clear indication that the Records Management Plan and its implementation continues to be considered by the authority. The evidence provided, which is again screenshots of emails not the actual emails, suggests the PUR draft and final reports are shared with the individuals named under Elements 1 and 2 and the CE of the authority. It would also appear that the individuals named at Element 1 and 2 meet with the key contact in advance of a PUR submission and approve its submission. This is commendable. The PUR is not, however, a formal internal and ongoing review process. While it remains commendable that the authority has undertaken two PURs since its plan was agreed in 2017, this does not evidence the Council’s review processes.

The Keeper’s expectation under this Element is to have confirmation of the methods used by the authority to interrogate the arrangements agreed under its 2017 RMP. Evidence of who manages this process, who carries out the review, what methodology is used to conduct the review, how frequently the review is conducted, does it assess and review all Elements of the plan or only some, and who is furnished with the review report and recommendations for actioning. Is this, for example, a governance committee or the person named as having overall responsibility for the agreed RMP.

The Keeper’s 2017 RMP Report acknowledged the authority’s commitment to use the newly established Records Management Working Group (RMWG), led by Head of Resources and Governance, to review all Elements of the plan to an established timetable. The authority provided the Keeper with this Group’s terms of reference in evidence of the commitment and confirmed that the outcomes of these internal reviews would be provided to the Council’s Senior Management Team in the form of an Annual Governance Statement. It seems to the Keeper that confirming this process is operational and submitting evidence of its reporting would constitute robust evidence of the authority keeping its agreed arrangements under review and in compliance with the Act. It is the case that the most recent PUR indicates a new IT and Information Governance Group has been formed and this appears to replace the RMWG. Internal Audit is also mentioned in the 2017 Agreement Report and the 2020 PUR Report. It would appear this Group was committed to reviewing the implementation of the Plan 5 years after agreement. A report on the Internal Audit review was to be provided to the Senior Management Team and the Chief Executive. The Keeper would have expected this to form a key part of the evidence package supporting the Council’s response to this compliance review.

We have been provided with a link to the RMP (version 1.4, dated 2024). Under Element 13 it refers to both the RMWG and use of Internal Audit, which would suggest the RMP (version 1.4 dated 2024) is only updated in parts as these reference remain. The recording of updates and approvals appears to vary. For example in some documents a date of the current version is not shown (RMP) and in some the approvals section is not populated (Email Retention Policy). Some show visible comments (e.g. Records Management Policy and Account Management Standards). While it is clear the use of the PUR mechanism is a driver to review the documentation which supports the RMP and the RMP itself (version 1.2 dated 2019 and version 1.3 dated 2022), it appears the methodology used to do this might have changed since 2017. Such changes are to be expected, however the Keeper has not been provided with evidence of this process and how it might support the authority’s compliance statements under this compliance review.

The authority states that each Element of the agreed RMP is reviewed and any changes made. It says ‘analysis is undertaken to ensure compliance along with consultation with Services.’ The analysis or the methodology employed to carry out the analysis, or evidence of a staff consultation exercise, has not been submitted in evidence.

It is also the case under this Element, as with others, that the evidence appears not to be consistent or clear. Evidence 63, Version Control Sheet, for example, shows amendments under the 2022 PUR. This is presented as a screenshot of part of a document control sheet. It notes ‘minor amendments made in line with PU Review’ and that this was done by the Project Coordinator. It does not show an approval date. Other documents provided as evidence do not show approval dates or evidence of the approver. Some support revision history content, some don’t. Evidence 64, Version Control Sheet supporting amendments under the 2022 PUR, which is submitted as a screenshot of part of a document control sheet, for the Destruction Arrangements Policy appears inconsistent or wrong. While it has an approver and shows it was approved by a committee in 2015, it appears this is just for the first version 1.0 not for subsequent updates. This is confusing and cannot be considered evidence of compliance. The Keeper is left with questions over the authority’s arrangements under this Element sufficient to suggest a formal PRSA review of the authority’s arrangements may be necessary.

Recommendations

Representations from Clackmannanshire Council, submitted in response to the Keeper’s request in relation to a compliance complaint (case reference 2024/001) and subsequent compliance review under section 6 of the Act, have been supplied in the form of statements in answer to questions asked and evidence to support these.

Having reviewed these representations, the Keeper has concluded that further assurances are required around the implementation and review of the agreed Records Management Plan of Clackmannanshire Council. In several areas, the evidence provided is insufficient, both to adequately demonstrate compliance and to satisfy the Keeper’s expectation as to what qualifies as credible evidence. This compliance review has raised concerns around how fully records management practices are embedded within the authority. The authority have acknowledged under several Elements of the Keeper’s Model Plan that requirements are not being fully met (Elements 4, 5, 6 and 11) and, that staff recruited since Covid-19 have not been made aware of records management guidance and requirements (Element 12). Based on the statements and evidence received the Keeper is not confident that the authority understands what is expected under Section 5 of the Act, ‘Review of plans’ and therefore is not satisfied around arrangements currently in place under Element 13.

The authority has demonstrated an awareness of the requirements of the Act and has engaged with the PRSA team by participating in the voluntary PUR process, attending PRSA surgery events and providing an update on changes to the key contact. Recent steps noted in the statements provided, including the appointment of a Records and Governance Officer, a review of the Corporate File Structure, the initiation of a review of the Retention Schedule, moves towards implementation of M365, and plans to improve staff induction processes, are welcome indications of positive ongoing work.

The Keeper is reassured by the authority’s acknowledgement that further work is required in several areas, for example around staff training and awareness, uniform and documented processes for saving and managing public records and, documented processes for the secure destruction of public records out with the ERDMS. In addition, representations indicate that the individual/s named at Element 1 and the Council’s Chief Executive are kept informed about the authority’s Records Management Plan.

The M365 implementation is providing an opportunity for review of records management practices which the authority appear to be utilising, in particular around compliance with Elements 4, 5, 6 and 11 of the Keeper’s Model Plan. The authority’s 2022 PUR submission also makes reference to a planned ‘‘overall review of Information Governance’’.

However, the authority has not satisfied the Keeper with regard to their representations in response to this compliance complaint. Given that a period exceeding 5 years has elapsed since the last Agreement Report and that further questions have been raised through this compliance review, the Keeper requires, under section 5 of the Act, Clackmannanshire Council and Clackmannanshire Licensing Board (this is a combined Plan for two named authorities scheduled under PRSA) to submit a reviewed Records Management Plan for their agreement.

Keeper issues formal invitation for submission of reviewed Records Management Plan – 02 December 2024

Expected submission of reviewed Records Management Plan – 30 April 2025

This Compliance Review Report has been examined by the Keeper:

Alison Byrne OBE
Keeper of the Records of Scotland

File downloads

Compliance review report: Clackmannanshire Council

File type: PDF,
File size: 229.24 KB