Progress Update Review - Food Standards Scotland - National Records of Scotland (NRS)

Home
Publications
Progress Update Review - Food Standards Scotland

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Contents

Public Records (Scotland) Act 2011
Progress Update Review (PUR) Mechanism
Executive Summary
Authority Background
Assessment Process
Progress Update Review (PUR): Food Standards Scotland
The Public Records (Scotland) Act Assessment Team’s Summary
The Public Records (Scotland) Act Assessment Team’s Evaluation

1. Public Records (Scotland) Act 2011

The Public Records (Scotland) Act 2011 (the Act) received Royal Assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.

The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor recordkeeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.

The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.

2. Progress Update Review (PUR) Mechanism

Under section 5(1) & (2) of the Act the Keeper may only require a review of an authority’s agreed RMP to be undertaken not earlier than five years after the date on which the authority’s RMP was last agreed. Regardless of whether an authority has successfully achieved its goals identified in its RMP or continues to work towards them, the minimum period of five years before the Keeper can require a review of a RMP does not allow for continuous progress to be captured and recognised.

The success of the Act to date is attributable to a large degree to meaningful communication between the Keeper, the Assessment Team, and named public authorities. Consultation with Key Contacts has highlighted the desirability of a mechanism to facilitate regular, constructive dialogue between stakeholders and the Assessment Team. Many authorities have themselves recognised that such regular communication is necessary to keep their agreed plans up to date following inevitable organisational change. Following meetings between authorities and the Assessment Team, a reporting mechanism through which progress and local initiatives can be acknowledged and reviewed by the Assessment Team was proposed. Key Contacts have expressed the hope that through submission of regular updates, the momentum generated by the Act can continue to be sustained at all levels within authorities.

The PUR self-assessment review mechanism was developed in collaboration with stakeholders and was formally announced in the Keeper’s Annual Report published on 12 August 2016. The completion of the PUR process enables authorities to be credited for the progress they are effecting and to receive constructive advice concerning on-going developments. Engaging with this mechanism will not only maintain the spirit of the Act by encouraging senior management to recognise the need for good records management practices, but will also help authorities comply with their statutory obligation under section 5(1)(a) of the Act to keep their RMP under review.

3. Executive Summary

This Report sets out the findings of the Public Records (Scotland) Act 2011 (the Act) Assessment Team’s consideration of the Progress Update template submitted for Food Standards Scotland. The outcome of the assessment and relevant feedback can be found under sections 6 – 8.

4. Authority Background

Food Standards Scotland’s primary responsibility is to ensure that information and advice on food safety and standards, nutrition and labelling is independent, consistent, evidence-based and consumer-focused. Its primary concern is consumer protection – making sure that food is safe to eat and ensuring consumers know what they are eating and improving nutrition. With that in mind, their vision is to deliver a food and drink environment in Scotland that benefits, protects and is trusted by consumers.

FSS develops policies, provides policy advice to others, is a trusted source of advice for consumers and protects consumers through delivery of a robust regulatory and enforcement strategy.

FSS was established by the Food (Scotland) Act 2015 as a non-ministerial office, part of the Scottish Administration, alongside, but separate from, the Scottish Government. It is mainly funded by government but also charges fees to recover costs for regulatory functions.

5. Assessment Process

A PUR submission is evaluated by the Act’s Assessment Team. The self-assessment process invites authorities to complete a template and send it to the Assessment Team one year after the date of agreement of its RMP and every year thereafter. The self-assessment template highlights where an authority’s plan achieved agreement on an improvement basis and invites updates under those ‘Amber’ elements. However, it also provides an opportunity for authorities not simply to report on progress against improvements, but to comment on any new initiatives, highlight innovations, or record changes to existing arrangements under those elements that had attracted an initial ‘Green’ score in their original RMP submission.

The assessment report considers statements made by an authority under the elements of its agreed Plan that included improvement models. It reflects any changes and/or progress made towards achieving full compliance in those areas where agreement under improvement was made in the Keeper’s Assessment Report of their RMP. The PUR assessment report also considers statements of further progress made in elements already compliant under the Act.

Engagement with the PUR mechanism for assessment cannot alter the Keeper’s Assessment Report of an authority’s agreed RMP or any RAG assessment within it. Instead the PUR Final Report records the Assessment Team’s evaluation of the submission and its opinion on the progress being made by the authority since agreeing its RMP. The team’s assessment provides an informal indication of what marking an authority could expect should it submit a revised RMP to the Keeper under the Act, although such assessment is made without prejudice to the Keeper’s right to adopt a different marking at that stage.

Key

Green

The Assessment Team agrees this element of an authority’s plan.

Amber

The Assessment Team agrees this element of an authority’s progress update submission as an ‘improvement model’. This means that they are convinced of the authority’s commitment to closing a gap in provision. They will request that they are updated as work on this element progresses.

Red

There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Assessment Team may choose to notify the Keeper on this basis.

6. Progress Update Review (PUR): Food Standards Scotland

Element 1: Senior Officer

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change to personnel but job title changed to Deputy Chief Executive.

The Assessment Team thanks you for this Update which has been noted.

No change.

No immediate action required. Update required on any future change.

Element 2: Records Manager

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

Change in personnel: the new Records Management Support Officer for FSS is supporting the Information Governance Manager (formerly Information & Records Manager).

Thank you for confirming the other Key Contact’s job title. The Assessment Team has been given a name and contact details as required under Element 2. Update required on any future change.

No change in personnel. The Records Management Support Officer is now supporting the Business Management Performance Unit.

Thank you for this update. The support for the Performance Unit is noted.

No immediate action required. Update required on any future change.

Element 3: Policy

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Records Management Support Officer reviewed and updated Records Management Policy following completion of Practitioner Certificate in Scottish Public Sector Records Management training course.

All Information Governance policies and procedures are reviewed annually.

No change to personnel but job title changed to Deputy Chief Executive.

Thank you for this positive update on Records Management Policy review, and confirming that all IG Policies and procedural documents are reviewed annually.

For comments on training, see Element 12.

All Information Governance policies and procedures are reviewed annually. FSS recently updated the Government Security Classification & Marking – Flow Chart and the FSS Government Information Management Strategy according to the SG guidelines.

At the time of the Keeper’s original agreement of Food Standards Scotland’s RMP it was noted that supporting policy and guidance documents should be routinely reviewed and updated. It is welcome to acknowledge that this is being done in the authority.

There is no requirement, under PRSA, for the authority to provide the Keeper with a new version of its security documents, but should they wish to do so the Assessment Team will add it to the authority’s file to keep the submission up-to-date.

Element 4: Business Classification

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. Ongoing monitoring and review of FSS Information Asset and Data Inventory. FSS File Plan sits on SG eRDM Records Repository.

Thank you for this update on continuing monitoring and review of Information Asset and Data Inventory which had been noted.

Update required on any future change.

No change. Currently restructuring of FSS’s governance structure. When it is finalised it may impact on the information asset owners who will have responsibility for the information assets within their respective business areas.

The restructuring of the information asset owner structure in Food Standards Scotland should have no effect on the Keeper’s agreement that all public records of the authority are managed in a robust system. However, this restructuring work is noted.

In previous updates Food Standards Scotland have indicated that they were pursuing a programme to reduce the volume of hard-copy records held in a third-party outstore. From statements against element 11 below, it is recognised that this objective is currently being pursued.

Element 5: Retention schedule

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. Operational Delivery Retention Schedules are reviewed and updated annually. All records and documents on eRDM follow the File Type Retention Schedules.

The Assessment Team appreciates this update on Records Retention arrangements at Food Standards Scotland. It is great to hear that Retention Schedules are reviewed annually.

No change. But Corporate and Operational Delivery Retention Schedules are reviewed and monitored annually. All records and documents on eRDM follow the File Type Retention Schedules.

Thank you for this update. A retention schedule is a living document liable to alter in response to changing business needs. It therefore requires periodic review to address this. It is clear that Food Standards Scotland recognise this.

Element 6: Destruction arrangements

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

We will continue to follow the appropriate destruction arrangements based on the new hybrid way of working e.g. shredders for paper records at home and secure disposal bins in Pilgrim House.

This update on impact of hybrid working on records destruction arrangements is noted with many thanks.

No change.

No immediate action required. Update required on any future change.

Element 7: Archiving and transfer

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. We are currently reviewing and updating our Memorandum of Understanding with NRS.

Thank you for notifying us that there has been no change to this element. It is also very positive to hear that FSS is in the process of reviewing and updating the formal agreement in place with NRS.

No change. Still working on the MOU with NRS looking to finalise as soon as possible.

The Keeper encourages all public authorities that deposit their public records for permanent preservation with NRS to ensure that they have the latest transfer agreement in place.

It is clear that Food Standards Scotland are actively pursuing this with their NRS Client Manager jean.crawford@nrscotland.gov.uk

Element 8: Information security

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

SG DTS awarded the contract to Sopra Steria to undertake a short review of FSS ISO27001 Gap Analysis, Statement of Applicability (SoP) and existing Risk Management Processes. A report was produced in September 2021, FSS achieved 82% fully compliant score across 113 controls. The majority of the partially compliant controls fall in the domain of Scottish Government iTECS (IT managed services provider).

We currently have Cyber Essential certification and looking towards the Cyber Essential Plus or ISO27001 accreditation in the future.

In December 2021, FSS IT contacted all our non-SCOT system suppliers to understand the degree of exposure of our systems to the recent Apache Log4j vulnerability. All FSS system suppliers confirmed their awareness of the Apache vulnerability and none of our systems are exposed or affected.

We asked all our key system suppliers to provide documented assurance that all our systems are compliant with relevant information security standards. The suppliers were further asked to provide documented evidence of business continuity plan, and that security principles and guidance are dutifully followed.

All Information Security Policies and Procedures are reviewed and updated annually.

It is great to hear that the project to conduct an ISO27001 Gap Analysis, assessment of Statement of Applicability, and review of existing Risk Management processes has now been completed, and that the results for areas managed by FSS are positive.

The Team also commends FSS for maintaining its Cyber Essential Certification, and that FSS is considering more advanced-level certification in the future.

Maintaining awareness of possible software vulnerabilities and pursuing suppliers about these to establish confidence is very positive. The requirement of high Information Security compliance standards with external suppliers is also noted with thanks.

Thank you also for confirming that FSS continues to review its Security Policies and Procedures annually, as scheduled.

Our approach at FSS is to adopt a ‘defence-in depth’ cybersecurity governance using layers of defence with several mitigation controls at each layer. The SCOTS Connect infrastructure and corporate systems are covered by SG iTECS, but we have our local controls to ensure that our bespoke systems are protected against malware infection, cyber-attacks, malicious/disgruntled internal staff action, system vulnerabilities, online security breaches to mention a fewx. Our system owners complete a quarterly system monitoring and user access review to provide assurance on the systems that they managed.

As noted above, it is important that an authority keeps its policy and guidance documents under review and it is welcome that Food Standards Scotland clearly does this.

This is particularly important around the area of information security. It is vital that an authority guarantees that it can react to changes in information security threat and that it has policies in place that ensure all the public records it manages are retained within appropriate security controls (for example when considering local threats). It is clear from this PUR that Food Standards Scotland understand this.

Many of the recent information security breaches stem from human error. It is therefore important that staff are trained on the authority’s information security requirements and that this training is routinely repeated. Again, it seems clear that Food Standards Scotland are actively pursuing this principle

Element 9: Data protection

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. Ongoing Data Protection advice and support to the business including the production of relevant Data Protection documentation.

Thank you for updating us on FSS’s continuing good practice in terms of its approach to Data Protection.

FSS Data Protection area sits now with Business Management Performance Unit (BMPU). Ruth Dewar and Maria Alina Zangelidou both attended the following training course:

•QACGDPRP, Certified Data Protection Foundation and Practitioner

Both deal with any Data Protection queries across FSS.

Food Standards Scotland is registered with the Information Commissioner as a data controller:

Information Commissioner's Office - Register of data protection fee payers - Entry details (ico.org.uk)

They publish a Privacy policy online:

This includes details of service user's rights as a data subject.

This element retains its Green RAG status.

Element 10: Business continuity and vital records

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

The BCP has been renamed to Business Incident Management Framework (BIMF) where the structure now reflects the one used across the Incident Management Framework (IMF) – used to manage food and feed incidents across FSS - due to its layout, accessibility, clarity and provenance.

Some of Changes across the BIMF include:

Desk instructions and process developed for the use of GroupCall to add resilience to the messaging service across FSS
Section included on Risk Assessments relating to incident and any associated action tracking
Updated Hyperlinks throughout Included and Adapted Roles and Responsibilities in line with FSS Incident Management Framework
Inclusion of Business Continuity Classification Matrix
Development of Master Business Impact Assessment for each Division/Branch to highlight key deliverables/requirements across each business area
Development of playbooks to highlight actions required in the event of an incident towards restoring business critical activities
Structures in place to assign roles across the BIMF with role cards and training provided.

There will be further structural change of the Business Incident Management Framework (BIMF) in line with resource capability to refine system and align with Divisional scopes and requirements.

Element 10 (Business continuity and vital records) stipulates that record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning. This means that an authority’s business continuity arrangements should include the recovery of records made temporarily unavailable due to an unexpected event.

Thank you for updating the Assessment Team regarding a restructure and rewrite of the FSS Business Continuity Plan, which is entirely a business decision. We note this is now called the Business Incident Management Framework (BIMF), and that is addressing the same core need as the previous BCP. The reviewed BIMF will hopefully make the authority more resilient in the face of any unexpected future events.

No change but ongoing review and discussion with branch heads to ensure that business continuity plan is up to date and can be activated when required.

All relevant play books (power outage, loss of personnel, loss of head office and loss of IT) are reviewed annually as part of FSS’s disaster recovery process.

Changes in circumstance and new threats to the operation of an authority should be routinely considered with a mind to recovery from an unexpected situation. This should include testing the efficiency of back-up record-recovery processes. It seems clear from the authority’s previously agreed RMP and from the statement in this PUR that Food Standards Scotland recognises this and have procedures in place to ensure their business continuity arrangements are up-to-date.

Element 11: Audit trail

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. We are currently review our off-site records at Iron Mountain. When this exercise is completed we plan to scan and save some of the remaining paper records to eRDM.

Ongoing off-site record review and upcoming scanning project is noted with thanks.

No change. However, off site paper records are reviewed and securely disposed of when no longer required.

Most FSS records requiring permanent preservation are captured digitally in eRDM.

Thanks you for this update (see element 4 above). The Assessment Team looks forward to updates in subsequent PURs.

Element 12: Competency framework

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

The Records Management Support Officer is part of the Information and Records Management Society (IRMS) and has completed the following trainings:

Practitioner Certificate in Scottish Public Sector Records Management
Practitioner Certificate in Scottish Freedom of Information
Data Governance Coaching

The Records Management Support Officer provides 1-1 refresher training to IMSOs and staff on Records Management and the use of eRDM.

Information Governance Manager has completed BCS Practitioner Certificate in Information Risk Management.

The Records Management Support Officer continues to advice and support FSS colleagues on Information and Records Management best practices.

Thank you for this positive update on continuing engagement with developments in the sector (through Information and Records Management Society) as well as the RM Support Officer’s completion of Practitioner Certificates in Scottish Public Sector Records Management and Scottish FOI, as well as Data Government Coaching training. That they, in turn, are providing training and continuing support for other staff in all records management matters is great to hear.

It is also excellent to hear that IG Manager has completed a BCS Practitioner Certificate in Information Risk Management.

These updates indicate a robust continuing investment in key records management competencies within Food Standards Scotland and are very commendable.

The Records Management Support Officer is part of the Information and Records Management Society (IRMS) She is also volunteering for IRMS with the role of the Data Protection and Digital Officer.

Thank you for this information. The Keeper’s PRSA Assessment Team has a good relationship with IRMS and recognises the voluntary commitment the individual identified at element 2 has offered the body.

The Keeper’s PRSA Assessment Team also note (from comments against element 9 above) that the Records Management support Officer has also undertaken data protection training recently.

Element 13: Assessment and review

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. Both the Information Governance Manager and Records Management Support Officer are members of IRMS, and FSS Digital Group. They are actively looking for continuous improvement opportunities through webinar and conference attendance. The knowledge acquired informs the development or review of policies and procedures.

Knowledge and Information Management (KIM) policies and procedures are reviewed and managed by Records Management Support Officer as a standard objective.

Thank you for letting us know there have been no major changes to this Element. It is reassuring to see that the FSS continues to keep up with their robust assessment and review processes, particularly with regard to the regular informed review of the Records Management Plan as well as relevant supporting Policies, Plans and Procedures.

Records Management Support Officer is member of IRMS. She is actively looking for continuous improvement opportunities
through webinar and conference attendance. The knowledge acquired informs the development or review of policies and procedures.

Knowledge and Information Management (KIM) policies and procedures are reviewed and managed by Records Management Support Officer as a standard objective.

Section 1(5)(i)(a) of the Act says that an authority must keep its RMP under review.

Statements in the PUR, and the completion of the PUR itself, are clear indications that Food Standards Scotland are complying with this requirement.

The assessment Team looks forward to any updates resulting from any review of policies and procedures in the next PUR.

Element 14: Shared information

Status:

25 January 2018 - agreed plan - Green
7 September 2023 - review - Green
10 December 2024 - review - Green

Update required on any change

No change. eRDM Connect remains the default tool for collaborating and sharing of documents with external stakeholders up to official sensitive government classification.

FSS staff have been reminded of our collective responsibility for Information and Cyber Security- especially in the sharing of, and accessing information from external sources.

Thank you for this update on FSS information sharing practices, including the use of eRDM Connect for collaboration and sharing official sensitive government records. The Additional positive focus on cyber security is also acknowledged with thanks.

Update required on any future change.

No change. eRDM Connect remains the default tool for sharing documents and records with relevant external stakeholders up to Official Sensitive classification.

FSS staff has been asked to review their eRDM Connect workspaces. Also, awareness across FSS staff was promoted to ensure the correct use of eRDM Connect.

A sample data sharing agreement was provided to the Keeper at the time of the original agreement (2018) and clearly agreements like this are subject to review. The routine review of arrangements for sharing information is best-practice.

It is important that staff members are made aware of the risks of sharing information. Confirmation that this is provided for relevant staff is welcome.

The Keeper agrees that Food Standards Scotland consider the records management implications of information sharing as is appropriate.

Update required on any change to this element.

Element 15: Public records created or held by third parties

As this Element was not assessed separately in 2018, no RMP baseline RAG-status exists. However, the Keeper’s Assessment Team can agree that Food Standards Scotland, is aware of their responsibilities under this element.

If you would like more information around this please contact public_records@nrscotland.gov.uk.

7. The Public Records (Scotland) Act Assessment Team’s Summary

Version

The progress update submission which has been assessed is the one received by the Assessment Team on 9th April 2024. The progress update was submitted by Maria Zangelidou, Records Management Support Officer.

The progress update submission makes it clear that it is a submission for Food Standards Scotland.

The Assessment Team has reviewed Food Standard Scotland’s Progress Update submission and agrees that the proper record management arrangements outlined by the various elements in the authority’s plan continue to be properly considered. The Assessment Team commends this authority’s efforts to keep its Records Management Plan under review.

General Comments

Food Standard Scotland continues to take its records management obligations seriously and is working to maintain all elements in full compliance.

Section 5(2) of the Public Records (Scotland) Act 2011 provides the Keeper of the Records of Scotland (the Keeper) with authority to revisit an agreed plan only after five years has elapsed since the date of agreement. Section 5(6) allows authorities to revise their agreed plan at any time and resubmit this for the Keeper’s agreement. The Act does not require authorities to provide regular updates against progress. The Keeper, however, encourages such updates.

The Keeper cannot change the status of elements formally agreed under a voluntary submission, but he can use such submissions to indicate how he might now regard this status should the authority choose to resubmit its plan under section (5)(6) of the Act.

8. The Public Records (Scotland) Act Assessment Team’s Evaluation

Based on the progress update assessment the Assessment Team considers that Food Standard Scotland continues to take their statutory obligations seriously and are working hard to maintain all the elements of their records management arrangements in full compliance with the Act and fulfil the Keeper’s expectations.

The Assessment Team recommends authorities consider publishing PUR assessment reports on their websites as an example of continued good practice both within individual authorities and across the sector.

This report follows the Public Records (Scotland) Act Assessment Team’s review carried out by

Pete Wadley
Public Records Officer

File downloads

Food Standards Scotland Progress Update Review (PUR) 10 December 2024

File type: PDF,
File size: 240.31 KB