Progress Update Review - Scottish Public Services Ombudsman

Home
Publications
Progress Update Review - Scottish Public Services Ombudsman

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Contents

Public Records (Scotland) Act 2011
Progress Update Review (PUR) Mechanism
Executive Summary
Authority Background
Assessment Process
Progress Update Review (PUR): Scottish Public Services Ombudsman
The Public Records (Scotland) Act Assessment Team’s Summary
The Public Records (Scotland) Act Assessment Team’s Evaluation

1. Public Records (Scotland) Act 2011

The Public Records (Scotland) Act 2011 (the Act) received Royal Assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.

The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor recordkeeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.

The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.

2. Progress Update Review (PUR) Mechanism

Under section 5(1) & (2) of the Act the Keeper may only require a review of an authority’s agreed RMP to be undertaken not earlier than five years after the date on which the authority’s RMP was last agreed. Regardless of whether an authority has successfully achieved its goals identified in its RMP or continues to work towards them, the minimum period of five years before the Keeper can require a review of a RMP does not allow for continuous progress to be captured and recognised.

The success of the Act to date is attributable to a large degree to meaningful communication between the Keeper, the Assessment Team, and named public authorities. Consultation with Key Contacts has highlighted the desirability of a mechanism to facilitate regular, constructive dialogue between stakeholders and the Assessment Team. Many authorities have themselves recognised that such regular communication is necessary to keep their agreed plans up to date following inevitable organisational change. Following meetings between authorities and the Assessment Team, a reporting mechanism through which progress and local initiatives can be acknowledged and reviewed by the Assessment Team was proposed. Key Contacts have expressed the hope that through submission of regular updates, the momentum generated by the Act can continue to be sustained at all levels within authorities.

The PUR self-assessment review mechanism was developed in collaboration with stakeholders and was formally announced in the Keeper’s Annual Report published on 12 August 2016. The completion of the PUR process enables authorities to be credited for the progress they are effecting and to receive constructive advice concerning on-going developments. Engaging with this mechanism will not only maintain the spirit of the Act by encouraging senior management to recognise the need for good records management practices, but will also help authorities comply with their statutory obligation under section 5(1)(a) of the Act to keep their RMP under review.

3. Executive Summary

This Report sets out the findings of the Public Records (Scotland) Act 2011 (the Act) Assessment Team’s consideration of the Progress Update template submitted for Scottish Public Services Ombudsman. The outcome of the assessment and relevant feedback can be found under sections 6 – 8.

4. Authority Background

The SPSO was set up by the Scottish Public Services Ombudsman Act 2002. They handle complaints about public services in Scotland including councils, the National Health Service, housing associations and cooperatives, universities and colleges, most water and sewage providers, prisons, the Scottish Government and its agencies and departments, and most other Scottish authorities.

http://www.spso.org.uk/

5. Assessment Process

A PUR submission is evaluated by the Act’s Assessment Team. The self-assessment process invites authorities to complete a template and send it to the Assessment Team one year after the date of agreement of its RMP and every year thereafter. The self-assessment template highlights where an authority’s plan achieved agreement on an improvement basis and invites updates under those ‘Amber’ elements. However, it also provides an opportunity for authorities not simply to report on progress against improvements, but to comment on any new initiatives, highlight innovations, or record changes to existing arrangements under those elements that had attracted an initial ‘Green’ score in their original RMP submission.

The assessment report considers statements made by an authority under the elements of its agreed Plan that included improvement models. It reflects any changes and/or progress made towards achieving full compliance in those areas where agreement under improvement was made in the Keeper’s Assessment Report of their RMP. The PUR assessment report also considers statements of further progress made in elements already compliant under the Act.

Engagement with the PUR mechanism for assessment cannot alter the Keeper’s Assessment Report of an authority’s agreed RMP or any RAG assessment within it. Instead the PUR Final Report records the Assessment Team’s evaluation of the submission and its opinion on the progress being made by the authority since agreeing its RMP. The team’s assessment provides an informal indication of what marking an authority could expect should it submit a revised RMP to the Keeper under the Act, although such assessment is made without prejudice to the Keeper’s right to adopt a different marking at that stage.

Key

Green

The Assessment Team agrees this element of an authority’s plan.

Amber

The Assessment Team agrees this element of an authority’s progress update submission as an ‘improvement model’. This means that they are convinced of the authority’s commitment to closing a gap in provision. They will request that they are updated as work on this element progresses.

Red

There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Assessment Team may choose to notify the Keeper on this basis.

6. Progress Update Review (PUR): Scottish Public Services Ombudsman

Element 1: Senior Officer

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

No change

Update required on any change.

Responsibility transferring to new Head of Corporate and Shared Services following Director’s departure at end May 2024.

Thank you for providing the PRSA Team with this update. This has been noted. Update required on any future change.

Element 2: Records Manager

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

No change

Update required on any change.

No change

Update required on any change.

Element 3: Policy

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

IMSOs added to policy under roles and responsibilities.

Thank you for this update on Records Management Policy review; this has been noted.

No change

Update required on any change.

Element 4: Business Classification

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

Updated regarding applying access restrictions within case management application.

The Assessment Team thanks SPSO for this update on Business Classification Scheme and access restriction rules to be applied within its case management system.

Update required on any future change.

No change

Update required on any change.

Element 5: Retention schedule

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

Migration of all Outlook mailboxes to Exchange Online in June 2023. EXO moves emails that are six months old to a new archive mailbox, where they are deleted after 2.5 years.

Thank you for this update on organisational email retention, including a change of email management platform to the cloud-based Exchange Online (EXO). The automated retention and destruction of emails is also noted with thanks.

Review of fields within our case handling system undertaken to ensure that they are capturing only information they require.

The Assessment Team is grateful for this update regarding rationalisation of data collection in the case handling system.

Element 6: Destruction arrangements

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

We continue to extend the standard case retention times for cases which relate or could relate to the subject matter being considered by four ongoing public inquiries.

Case file location audit completed and signed off. Next audit scheduled for Q2 2023-24.

File destruction recommenced (catch up exercise completed in June 2022).

eRDM file management carried out by IMSOs (replacements folders of those set to expire end 2022).

Thank you for this update on records retention arrangements. It is very appropriate to extend retention periods for records that may be required by ongoing or future public inquiries. Some of these records may also meet the threshold for permanent preservation.

Thank you for letting the Assessment Team know that a regular case file location audit has recently been completed; this is noted. It is also reassuring to know that eDRM file management tasks continue by IMSOs as usual.

No change to usual arrangements

Update required on any change.

Element 7: Archiving and transfer

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

No change

Update required on any change.

New online email archive in place following email migration.

Cloud mailbox migration sessions for staff.

Remaining paper case files held in the archive transferred to locked cabinets.

Element 7 stipulates that records that have enduring value are permanently retained and made accessible Section 1(2)(b)(iii) of the Act specifically requires a RMP to make provision about the archiving and destruction, or other disposal, of an authority’s public records.

It is good to hear that an online email archive is in place, and that all emails are now held centrally on the cloud. It is also very appropriate that paper case files are kept under lock and key until records selected for permanent selection, whether paper or born-digital, can be sent to NRS for permanent preservation.

The PRSA Assessment Team trusts that the formal archiving arrangements, which refer to permanent preservation of selected public records at a selected archival repository (in SPSO’s case, National Records of Scotland) are still in place.

Element 8: Information security

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

New working from home data security checklist created for staff.

Case file management guidance updated.

Case file location audit completed and signed off.

Procedures strengthened for sending/receiving documents (Records management and security guidance), with improved private and confidential labelling.

Ongoing preparations for closure of disc usb drives (secure email or file sharing services such as eRDM Connect used instead).

Cyber Incident Response Plans and Playbooks approved in Q2.

Achieved Cyber Essentials re-accreditation in Q3, meeting the new requirements for MFA being enabled for cloud admin accounts.

Simulated phishing exercises continued in Q4 as part of the think before you click campaign.

Cyber security training session for staff on how to spot phishing emails.

Cyber resilience and business continuity sessions attended by key staff.

Key staff attended ‘exercise in a box’ session on digital supply chain attacks.

Online safety and password session for staff.

Completion of phase 1 of drive management change programme, which involved the removal of documents from the H:drive.

The Team appreciates this update on the various information security arrangements within SPSO.

The development of new working-from-home guidance for staff, and review and update of other information management guidance, is noted with thanks. It is also good to hear that removable USB drives and H: drives are in the process of being retired.

Phishing, online safety, and cyber resilience training is noted with thanks.

That SPSO continues to hold Cyber Essentials reaccreditation is noted with thanks.

The Assessment Team is confident that SPSO continues to ensure that robust information security are in place, and that these continue to operate as intended. See also Element 9.

Closure of disc usb drives (secure email or file sharing services such as eRDM Connect used instead).

New restricted cases guidance.

MFA enabled for all SPSO SAGE accounts.

Cyber Essentials re-accreditation achieved.

Cyber incident response plan and associated playbooks reviewed.

Decommissioning of outlook public folders as the final step of the removal of shared drives.

Improvements to eRDM Connect workspace request process.

In addition to usual cyber security training and awareness, the following is noted:

Cyber & Fraud Centre Scotland ‘Exercise in a box – sensitive data leaks’ attended by key staff.
Series of online events available to staff as part of Cyber Security Awareness Month.
Briefing by the Public Sector Cyber Resilience Network and briefing regarding protecting cyber security while hybrid working attended by key staff.
Cyber & Fraud Centre Scotland ‘Exercise in a Box 'Preparing your Organisation for a Cyber Incident: Building your Incident Response Plan and Testing’ attended by key staff.
Key staff attended the SCOTS security escape room sessions (security awareness training).
Staff informed of iTECS events running during Cyber Scotland week (cyber threats, password security, phishing).
Key staff attended security champion training course with iTECS.
Reminder session regarding the procedure for reporting phishing emails and cyber incidents.
Session on the latest cyber risks and the upcoming implementation of multi-factor authentication on case handling system.

Thank you for this thorough update on SPSO’s continuing information security compliance, including the development of updated guidance and procedures, extensive cyber security training and exercises, and the adoption of multi-factor authentication.

That SPSO continues to hold Cyber Essentials reaccreditation is commendable.

Based on this update, SPSO continues to ensure that robust information security procedures are in place, and that these are being followed.

Element 9: Data protection

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

Development of new Data Protection and Information Governance hub on the new SPSO learning platform.

Cyber-security e-learning added to new SPSO Learning Hub.

ICO training rolled out to all staff as compulsory (and as part of new staff inductions).

Data Protection and Information Governance All Staff Update and follow up Bulletin circulated in Q1 2023-24.

Learning also continues to be fed back to teams via our internal data protection group.

Case Assessment Seminar held for key staff covering Data Protection and case work.

New ‘Appropriate Policy Document’ produced in line with the DPA 2018.

Ongoing review of privacy information (updates to signatures and footers, leaflets and templates, process information, forms, and notices, along with additions regarding remote working and security).

Thank you for this update on Data Protection capabilities of SPSO. Especially the training, also noted under Elements 8 and 12, is noted with thanks.

Thank you also for letting us know that an ongoing review of privacy information is currently underway.

The Assessment Team has no particular concerns over this Element.

In addition to the usual data protection and information governance training and awareness that takes place, training on a new digital recording policy available to staff.

Case handling system reports access rights and restricted marking updates completed, and data protection policy and procedures updated with minor additions (relating to security risks and measures; storage and data minimisation; and protecting personal data).

Minor updates to SARs guidance following review of our internal whistleblowing policy.

Letter templates and information requests process guidance document updated to bring them in line with current processes.

Review of the Register of Processing Activities (RoPA) and the Information Asset Register (IAR).

Review of Privacy Notice.

Thank you for providing this update on data protection training. The changes made to data collected for the case management system, also mentioned under Element 5, is also noted.

Thank you also for letting us know that the SPSO Privacy Notice, RoPA, IAR, SAR and other information request guidance have gone through a review and been updated.

Update required on any future change.

Element 10: Business continuity and vital records

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

Cyber resilience and business continuity sessions attended by key staff.

Exercise in a Box event covering a ransomware attack for the Incident Response Team.

Thank you for this update on specific staff training on business continuity and cyber resilience. The ‘Exercise in a Box’ event also sounds like a great way to build resilience in the light of an unexpected event.

Attendance at the first Scottish Government Business Continuity and Security conference.

Attendance at the Scottish Parliament Business Continuity Co-ordinator training.

An authority’s business continuity arrangements should include the recovery of records made temporarily unavailable due to an unexpected event. It is clear that SPSO has recently invested in training on the subject.

For further comments on training, see Element 12.

Element 11: Audit trail

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

File location audit completed and signed off.

Additional check for returning documentation added to the SPSO leavers checklist.

The completion of the file location audit is noted with thanks.

No change

Update required on any change.

Element 12: Competency framework

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

There is a commitment in the Records Management Policy (page 4) (see element 3) that states “The identification of records management as a distinct stream within the organisation’s training portfolio, with dedicated training provided to all staff”. The Keeper commends this commitment and request that any training material relevant to this RMP should be sent to him when available.

Corporate Information Governance Officer (CIGO) completed ‘Assessing and managing risk for data protection’ and ‘Auditing data protection compliance’ training.

Thank you for updating the Assessment Team on the recent data protection training completed by the Corporate Information Governance Officer.

Update required on any future change.

SCOTS eRDM Information Management training available to staff (the Corporate Information Governance Officer attended the information management and eRDM basics webinar, and the records management webinar).

Corporate Information Governance Officer attending future ICT champs and IMSOs meetings (for cyber security and information management collaboration).

Thank you for letting the Team know that information management and records management training has been attended by the Corporate Information Governance Officer, and that future training is also planned.

It is also good to know that business continuity has also been a focus of recent conference attendance and training.

Element 13: Assessment and review

Status:

23 February 2016 - agreed plan - Green
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

Full annual review of the SPSO Information Governance Handbook, which incorporates our RMP, completed and signed off.

The Assessment Team thanks you for this update on the regular Records Management Plan review and formal update as part of the SPSO Information Government Handbook. SPSO is also commended for its continuing regular participation in the PUR process.

Annual PUR of RMP, and review of Information Governance handbook.

Thank you for confirming that the internal Information Governance Handbook has been reviewed.

SPSO’s continuing participation in the Progress Update Review (PUR) process is commended as a way to ensure the RMP remains fit for purpose.

Element 14: Shared information

Status:

23 February 2016 - agreed plan - N/A
1 December 2023 - review - Green
20 October 2024 - review - Green

Update required on any change

No change

Update required on any change.

No change

Update required on any change.

7. The Public Records (Scotland) Act Assessment Team’s Summary

Version

The progress update submission which has been assessed is the one received by the Assessment Team on 31st May 2024. The progress update was submitted by Helen Littlemore, Corporate Information Governance Officer.

The progress update submission makes it clear that it is a submission for Scottish Public Services Ombudsman.

The Assessment Team has reviewed Scottish Public Services Ombudsman’s Progress Update submission and agrees that the proper record management arrangements outlined by the various elements in the authority’s plan continue to be properly considered. The Assessment Team commends this authority’s efforts to keep its Records Management Plan under review.

General Comments

Scottish Public Services Ombudsman continues to take its records management obligations seriously and is working to maintain all elements in full compliance.

Section 5(2) of the Public Records (Scotland) Act 2011 provides the Keeper of the Records of Scotland (the Keeper) with authority to revisit an agreed plan only after five years has elapsed since the date of agreement. Section 5(6) allows authorities to revise their agreed plan at any time and resubmit this for the Keeper’s agreement. The Act does not require authorities to provide regular updates against progress. The Keeper, however, encourages such updates.

The Keeper cannot change the status of elements formally agreed under a voluntary submission, but he can use such submissions to indicate how he might now regard this status should the authority choose to resubmit its plan under section (5)(6) of the Act.

8. The Public Records (Scotland) Act Assessment Team’s Evaluation

Based on the progress update assessment the Assessment Team considers that Scottish Public Services Ombudsman continues to take their statutory obligations seriously and are working hard to maintain all elements of their records management arrangements in full compliance with the Act and fulfil the Keeper’s expectations.

The Assessment Team recommends authorities consider publishing PUR assessment reports on their websites as an example of continued good practice both within individual authorities and across the sector.

This report follows the Public Records (Scotland) Act Assessment Team’s review carried out by

Iida Saarinen
Public Records Officer

File downloads

Scottish Public Services Ombudsman Progress Update Review (PUR) 2024 Final Report Web Version 29 October 2024

File type: PDF,
File size: 238.6 KB