Home
Publications
Progress Update Review - The Care Inspectorate (Social Care and Social Work Improvement Scotland (SCSWIS))

Progress Update Reviews Records and archives

Progress Update Review - The Care Inspectorate (Social Care and Social Work Improvement Scotland (SCSWIS))

Date published: 18 February 2025

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Contents

Public Records (Scotland) Act 2011
Progress Update Review (PUR) Mechanism
Executive Summary
Authority Background
Assessment Process
Progress Update Review (PUR): The Care Inspectorate
The Public Records (Scotland) Act Assessment Team’s Summary
The Public Records (Scotland) Act Assessment Team’s Evaluation

1. Public Records (Scotland) Act 2011

The Public Records (Scotland) Act 2011 (the Act) received Royal Assent on 20 April 2011. It is the first new public records legislation in Scotland since 1937 and came into force on 1 January 2013. Its primary aim is to promote efficient and accountable record keeping by named Scottish public authorities.

The Act has its origins in The Historical Abuse Systemic Review: Residential Schools and Children’s Homes in Scotland 1950-1995 (The Shaw Report) published in 2007. The Shaw Report recorded how its investigations were hampered by poor recordkeeping and found that thousands of records had been created, but were then lost due to an inadequate legislative framework and poor records management. Crucially, it demonstrated how former residents of children’s homes were denied access to information about their formative years. The Shaw Report demonstrated that management of records in all formats (paper and electronic) is not just a bureaucratic process, but central to good governance and should not be ignored. A follow-up review of public records legislation by the Keeper of the Records of Scotland (the Keeper) found further evidence of poor records management across the public sector. This resulted in the passage of the Act by the Scottish Parliament in March 2011.

The Act requires a named authority to prepare and implement a records management plan (RMP) which must set out proper arrangements for the management of its records. A plan must clearly describe the way the authority cares for the records that it creates, in any format, whilst carrying out its business activities. The RMP must be agreed with the Keeper and regularly reviewed.

2. Progress Update Review (PUR) Mechanism

Under section 5(1) & (2) of the Act the Keeper may only require a review of an authority’s agreed RMP to be undertaken not earlier than five years after the date on which the authority’s RMP was last agreed. Regardless of whether an authority has successfully achieved its goals identified in its RMP or continues to work towards them, the minimum period of five years before the Keeper can require a review of a RMP does not allow for continuous progress to be captured and recognised.

The success of the Act to date is attributable to a large degree to meaningful communication between the Keeper, the Assessment Team, and named public authorities. Consultation with Key Contacts has highlighted the desirability of a mechanism to facilitate regular, constructive dialogue between stakeholders and the Assessment Team. Many authorities have themselves recognised that such regular communication is necessary to keep their agreed plans up to date following inevitable organisational change. Following meetings between authorities and the Assessment Team, a reporting mechanism through which progress and local initiatives can be acknowledged and reviewed by the Assessment Team was proposed. Key Contacts have expressed the hope that through submission of regular updates, the momentum generated by the Act can continue to be sustained at all levels within authorities.

The PUR self-assessment review mechanism was developed in collaboration with stakeholders and was formally announced in the Keeper’s Annual Report published on 12 August 2016. The completion of the PUR process enables authorities to be credited for the progress they are effecting and to receive constructive advice concerning on-going developments. Engaging with this mechanism will not only maintain the spirit of the Act by encouraging senior management to recognise the need for good records management practices, but will also help authorities comply with their statutory obligation under section 5(1)(a) of the Act to keep their RMP under review.

3. Executive Summary

This Report sets out the findings of the Public Records (Scotland) Act 2011 (the Act) Assessment Team’s consideration of the Progress Update template submitted for the Care Inspectorate (Social Care and Social Work Improvement Scotland (SCSWIS)). The outcome of the assessment and relevant feedback can be found under sections 6 – 8.

4. Authority Background

The Scottish Government set up The Care Inspectorate to provide assurance and protection for people who use care, social work and child protection services in Scotland. They operate out of offices across Scotland, from the Borders to the Islands. They are accountable to Scottish Ministers.

The Care Inspectorate is scheduled by the Public Records (Scotland) Act 2011 as ‘Social Care and Social Work Improvement Scotland’ which is the Inspectorate’s formal name. For the purposes of this report, they will be referred to as The Care Inspectorate.

https://www.careinspectorate.com/

5. Assessment Process

A PUR submission is evaluated by the Act’s Assessment Team. The self-assessment process invites authorities to complete a template and send it to the Assessment Team one year after the date of agreement of its RMP and every year thereafter. The self-assessment template highlights where an authority’s plan achieved agreement on an improvement basis and invites updates under those ‘Amber’ elements. However, it also provides an opportunity for authorities not simply to report on progress against improvements, but to comment on any new initiatives, highlight innovations, or record changes to existing arrangements under those elements that had attracted an initial ‘Green’ score in their original RMP submission.

The assessment report considers statements made by an authority under the elements of its agreed Plan that included improvement models. It reflects any changes and/or progress made towards achieving full compliance in those areas where agreement under improvement was made in the Keeper’s Assessment Report of their RMP. The PUR assessment report also considers statements of further progress made in elements already compliant under the Act.

Engagement with the PUR mechanism for assessment cannot alter the Keeper’s Assessment Report of an authority’s agreed RMP or any RAG assessment within it. Instead the PUR Final Report records the Assessment Team’s evaluation of the submission and its opinion on the progress being made by the authority since agreeing its RMP. The team’s assessment provides an informal indication of what marking an authority could expect should it submit a revised RMP to the Keeper under the Act, although such assessment is made without prejudice to the Keeper’s right to adopt a different marking at that stage.

Key

Green

The Assessment Team agrees this element of an authority’s plan.

Amber

The Assessment Team agrees this element of an authority’s progress update submission as an ‘improvement model’. This means that they are convinced of the authority’s commitment to closing a gap in provision. They will request that they are updated as work on this element progresses.

Red

There is a serious gap in provision for this element with no clear explanation of how this will be addressed. The Assessment Team may choose to notify the Keeper on this basis.

6. Progress Update Review (PUR): The Care Inspectorate

Element 1: Senior Officer

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Update required on any change.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Change here from Edith Macintosh, Executive Director of Strategy and Improvement (SIRO) to Gordon Mackie, Executive Director of IT, Transformation & Digital (SIRO) at Q4 23-24 - NRS has been notified of updates and training has been completed.

Progress update review - 21 February 2025

Show this section

Thank you for notifying the Assessment Team of the change in Senior Responsible Officer for Education Scotland.

Update required on any future change.

Element 2: Records Manager

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Update required on any change.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

No changes made here.

Progress update review - 21 February 2025

Show this section

Since the PUR was submitted, a new records manager has taken post, and is now the person named under Element 2. The authority has been in touch with the PRSA Team to confirm this and to meet with the Team.

Update required on any future change.

Element 3: Policy

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Update required on any change.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

No changes but due to be reviewed by the end of December 2024 in-keeping with our regular review cycle of policies and procedures (every 2 years unless major change prior to this).

Progress update review - 21 February 2025

Show this section

Thank you for confirming that the Records management Policy and other relevant policy documents are being kept up to date following the set review schedule. Update required on any future change.

Element 4: Business Classification

Status:

08 December 2021 - element under agreed plan - Amber
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The RMP says the authority does not have an on-site hard copy storage facility, but it confirms that staff are required to destroy locally held hard copies of digitally held information in line with the agreed Government Security Classification Procedure (evidence 08a). The plan further confirms that the IG Policy and retention schedule guidance is being amended to emphasise this requirement. The Keeper will be pleased to learn about progress with regard to this initiative under a future update.

The Keeper agrees this element of the Care Inspectorate Records Management Plan under ‘improvement model’ terms. This reflects the fact that the authority is rolling out a new governance system under its Maturity Model. Evidence submitted satisfies the Keeper that this solution is being progressed and is assured of senior management commitment, but it remains to be fully implemented to cover all business areas. The Keeper’s agreement is conditional on his being updated as this work progresses.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY 22-23 (time of RMP and first maturity assessment) to Q4 FY 23-24 we have maintained 100% maturity in accordance with our maturity assessment.
The work to embed our IAR and ROPA on our OneTrust system is now complete with the Business Classification Scheme - Business Continuity and Vital Records, Information Asset Register now all reflected in this system.

IG Policy and Retention Schedule:

Since the last RMP submission, we have reviewed and re-published our Information Governance Policy in Q3 FY22-23 (see evidence 4a) to ensure this was up to date and to reflect the capture of our IAR and ROPA in our OneTrust system. This is next due for review in December 2024 and will go through review in accordance with our review and approval cycle.

We also updated our DPIA Procedure which reflects roles and responsibilities in relation to processing activities and approach to capturing in OneTrust (see evidence 4b).

We also report on all DPIAs and processing activities captured each quarter and report this to the relevant Information Asset Owners (see evidence 4c) which shows an example from the most recent Q4 FY 23-24 report to our Intelligence IAO).

Hard Copy Relaunch Project:
In FY 22-23 we also completed a Hard Copy Relaunch project, to address on-site storage and improve the indexing of existing and arrangement of new hard copy records to be indexed and stored at our hard copy records at our third-party storage provider, Iron Mountain. Most of these records were over the course of Covid (2020-2022). This ensured that Covid records were removed from homes and appropriately transported, indexed and stored at Iron Mountain- for more detail please see our update at Element 10.

Maturity Model and Benchmarking:

We have also progressed, since the last RMP submission, the maturity implementation of our bespoke maturity tool on our OneTrust system, with the first baseline maturity assessment undertaken in Q1 FY22-23 (see Element 13 Assessment and Review section below for reference to evidence for full update details).

Progress update review - 21 February 2025

Show this section

Thank you for this detailed update on the work that has been completed with regard to business classification arrangements at the Care Inspectorate. The team also acknowledges the receipt of relevant evidence as submitted by the authority.

The specific update on paper records is also acknowledged with thanks.

The assessment team understands that the gap identified under Element 4 when the RMP was agreed has now been closed. Accordingly, this element has been turned from Amber to Green for the PURs. While this does not change the status of the RMP Element, it reflects progress made, suggesting that if the Care Inspectorate was to resubmit, it is likely that this Element would receive a Green status.

Element 5: Retention schedule

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The authority, as part of its transition to M365, has completed an assessment and review of its digital assets to apply disposal decisions and prevent the migration of unsuitable and duplicate records to its SharePoint solution. Legacy records on shared drives remain to be similarly reviewed, but this is in hand. The Keeper will be pleased to learn about progress against this initiative under a future update.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Review and Retention has increased from 50% readiness to 67% readiness as at Q4 FY 23-24.

This increase in maturity is attributable to improvement in Element 5.6 of our maturity assessment Q4 FY 23-24 (evidence 13b) where we ensure that when our processing activities are captured in OneTrust, we review and associate each processing activity with its relevant retention period in accordance with our review and retention schedule.

We can update that we are still to conduct a comprehensive review and update our organisational review and retention schedule to reflect additions and changes in OneTrust, however this has been identified as an exercise to progress.

Legacy records on shared drives:

We can also update that legacy records on shared drives remain to be reviewed, however as at Q1 FY24-25 we are in the process of planning a review and identifying options for how disposal decisions might be achieved. This includes with a paper being produced for our Senior Management Group to decide on priorities and actions in relation to legacy disposal.

Additionally, the M365 Phase 2 (to advance initial transition to M365) project commenced in November 2022 and its aim was to review the current information architecture in M365 and identify the best way to achieve good information governance with the M365 ‘out of the box’ administration tools. This was reported on last year.

This year we have progressed the Phase 2 project without external resource as part of our Transform activity using existing IG resources.

Progress was made in:

Identifying redundant Teams, Groups and SharePoint sites.
Identifying the preferred approach to the new Channels in Teams in M365: Private and Shared Channels
Identifying the preferred overall Information Architecture approach for Care Inspectorate
Identifying the governance required for any new sites requested
Identifying an implementation process to be embedded on Assyst.

Internal resources at present have been redirected to other priority areas, but a workshop was held with SIRO, Head of IT Service Delivery and DPO/IG lead in Q1 FY24-25 to identify how best to progress the M365 architecture redevelopment to allow application of retention against repositories in a clean fashion. This also requires upskilling of our IT service delivery team, and a piece of work is now being undertaken to assess how well we are utilising the tools in M365 and what our priority areas are for resources and training.

Progress update review - 21 February 2025

Show this section

Thank you for providing this update on continuous improvements being implemented, especially with regard to legacy drives and files.

Element 6: Destruction arrangements

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Digital records, recently migrated to the new SharePoint/M365 platform are in the process of having disposal labels applied to facilitate destruction, Legacy arrangements, not compatible with the authority’s agreed retention schedule, have been addressed and a new retention label mechanism is being scrutinised for roll out across the authority’s SharePoint solution. The Keeper commends this approach and looks forward to an update on progress in due course.

Back up tapes. In line with industry best practice, the Care Inspectorate’s back up tapes have a retention of 1 year, at which point they can be overwritten and/or destroyed. Evidence of digital record (and digital hardware) destruction is supplied to the Keeper (evidence 06d) This is fully operational and the authority is undertaking a review to bring all back up tapes out with this period under the agreed procedure. The Keeper will look forward to learning about progress under the exercise in a future update.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to destruction arrangement has increased from 33% readiness to 67% readiness as at Q4 23-24.

This increase in maturity of 34% is attributable to the fact that in accordance with 6.2 (maturity assessment element see Evidence 13b) we have robust arrangements now in place for the disposal of hard copy material.

Back up tapes: In FY23-24 our IT Team conducted a project to decommission on-prem servers and manage back-ups in Microsoft Azure Cloud, meaning that physical data tape destruction and deliveries are no longer required. All back up tapes out with the retention period have been destroyed with the exemption of data tapes from 2020-2021 which are on hold due to the Covid 19 Inquiries.

Digital records: In regard to the arrangements for digital disposal of information (6.2 maturity assessment evidence 13b) this is an area where we acknowledge that there is still progress to be made in this area. Since our last RMP submission we had started Phase 2 of our M365 Project (advancing on the initial transition to M365) in November 2022 and its aim was to review the current information architecture in M365 and identify the best way to achieve good information governance with the M365 ‘out of the box’ administration tools. This including the application of retention labels in-keeping with our authority’s agreed review and retention schedule.

Progress was made in:

Identifying redundant Teams, Groups and SharePoint sites.
Identifying the preferred approach to the new Channels in Teams in
M365: Private and Shared Channels
Identifying the preferred overall Information Architecture approach for
Care Inspectorate
Identifying the governance required for any new sites requested
Identifying an implementation process to be embedded on Assyst.

As also detailed above for our Element 5 update, internal resources at present have been redirected to other priority areas. However, a workshop was held with SIRO, Head of IT Service Delivery and DPO/IG lead in Q1 FY24-25 to identify how best to progress the M365 architecture redevelopment to allow application of retention against repositories in a clean fashion. This also requires upskilling of our IT service delivery team, and a piece of work is now being undertaken to assess how well we are utilising the tools in M365 and what our priority areas are for resources and training.

Progress update review - 21 February 2025

Show this section

Thank you for this positive update, echoing those made under other elements. It is clear that the Care Inspectorate has made progress since the agreement of their Records Management Plan (RMP).

Element 7: Archiving and transfer

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Update required on any change.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

No change. We have identified however, the additional resource required to complete this project.

Progress update review - 21 February 2025

Show this section

Thank you for confirming that there have been no major changes to archiving and transfer arrangements, and that need for additional resource has been identified.

Element 8: Information security

Status:

08 December 2021 - element under agreed plan - Amber
08 December 2021 - evidence under agreed plan - Amber
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The Care Inspectorate, as part of its transition work and its ambitions for better overall information governance, is developing new policies and procedures to address specific information security matters. This includes developing a Government Security Classification Policy, Digital/Cyber Incident Management & Recovery policy and an ‘Approach to Digital Security and Risk Management’ policy. When finalised these policies will be owned by the Head of Finance and Corporate Governance. The authority will be pleased to have sight of these documents when they are authorised and operational.

The Keeper can agree this element of the Care Inspectorate’s RMP on an improvement model basis. This means that he is satisfied the authority has identified gaps in its current provision and has submitted sufficient evidence to satisfy him that it is committed to closing them. Securing our public records is of paramount importance and the Keeper recognises the authority is working hard to improve and address the identified risks that currently exist. He will expect the authority to provide him with evidence of progress against these risks under the annual Progress Update Review.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Information security has increased from 35% to 96% readiness as at Q4 FY23-24.

This increase in maturity is attributable to the fact that we:

Have an information security awareness programme implemented for all new starters with regular information security communications and awareness monitoring. This has been implemented from October 2022 ‘Stay Safe Online’ training mandatory.
We have an established information security policy (see evidence 8ai) which is available on the staff intranet.
In addition we have associated procedures and guidance which has associated document control process which provides an avenue to review, monitor and update all information security documentation as a matter of course. This includes:
- - A Digital Strategy in accordance with our maturity assessment Q4 FY23-24 (8.22, see evidence 13b)
  - We also have in progress (awaiting final approval) an:
  - A draft Government Security Classification Policy, (see evidence 8a), Approach to Digital Security and Risk Management Policy.’ (see evidence 8b) and a Security Incident Response Plan (see evidence 8c).
We acknowledge however that we have not reached 100% maturity in this area yet. Though we have an information security policy suite, this has not been published and communicated internally yet, due to a delay in organisational policy governance processes being finalised to include partnership forum, but it has been through our internal Information Security and Governance Working Group which has representation from across the business including partnership.
We have also developed an effective SIEM Security Incident/Information and Event Management capability with reporting on Security Events using key performance indicators. As of Q4 22-23 we have engaged with Brightsolid who provide security and operation centre as a service with 24/7 monitoring for security incidents.
Our Information Security Officer has also been trained and supported with the skills to conduct the role, as evidenced through their completion of a BCS Foundation Certificate in Information Security Management Principles in Q2 FY 23-24 (see evidence 8d).

Progress update review - 21 February 2025

Show this section

Thank you for updating the team on significant progress made under this element. It is great to hear that the policies that had been identified as under development have now been completed and are operational. The team also acknowledges the receipt of requested evidence with thanks.

While a 100% maturity has not yet been achieved, as reported, the assessment team understands that the gap identified when the RMP was agreed (“developing a Government Security Classification Policy, Digital/Cyber Incident Management & Recovery policy and an ‘Approach to Digital Security and Risk Management’ policy”) has now been closed. Accordingly, this element has been turned from Amber to Green for the PURs. While this does not change the status of the RMP Element, it reflects progress made, suggesting that if the Care Inspectorate was to formally resubmit its RMP for assessment, it is likely that this Element would receive a Green status.

Element 9: Data protection and element 14: Shared information

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The plan cites the authority’s ambitions to improve under this Element, particularly in relation to work to be commenced and concluded under the ‘safer and more secure’ stage of the agreed maturity model (evidence 03b). The Keeper applauds the work that has already been concluded under this initiative and that which is to be taken forward. He will look forward to learning more under a future update.

The plan states that “all new staff are required to complete an induction programme which is a blended approach of ‘face to face’ or Teams training and online modules.” There is also an Information Governance induction course which incorporates Data Protection and Records Management. (evidence E012h) There are proposals under development to record this training and upload it to the authority’s Learning Management System (LMS) to be advertise to staff as a continuous training opportunity. This is commendable and the Keeper would welcome an update on progress against this initiative.

The authority’s ‘Safer and More Secure’ transformation programme, part of the Maturity Model initiative, includes training for all Information Asset Owners on the principles and accountability associated with their role (evidence E012i). There is also a recently developed mandatory Data Protection training module which forms part of the authority’s LMS to be rolled out Q3-4 Financial Year 21-22. Again, the Keeper commends the authority for its ambitions under this element and will look forward to learning more about the roll out of this training under a future update.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Data Protection has increased from 71% to 79% readiness as at Q4 FY23-24.

This increase in maturity is attributable to the fact that we have accountability now embedded within the organisation with Information Asset Owners (IAOs) (Part 9.4 see evidence 13b) and the data protection policy has been reviewed in the last two years (Part 9.10 see evidence 13b), with a review conducted in February 2023 and subsequently published. The next review has been scheduled for February 2025.

Data Protection Training:

As noted in the last RMP, there were proposals under development to record our Information Governance induction training and upload to our Learning Management System (LMS).
We can update that this has now been implemented. Recordings of Information Governance induction sessions are available on LMS with training session diarised and advertised on LMS for FY 24-25 (and organised each FY on a rolling basis thereafter).

Sessions are advertised by our Organisational Workforce Development colleagues and by our team through our Viva Engage site which we established in November 2022.

Data Protection Training:

A mandatory Data Protection training module: (‘GDPR Essentials: UK’) which was rolled out on LMS in Q4 FY22-23, is available for all staff to complete. There is also an optional Advanced Data Protection training module (‘GDPR UK: Advanced’) which is also available to all staff and is assigned to the learning records of all Information Asset Owners to complete as recommended.

Information Asset Owners Training:

In addition to assigning as recommended the Advanced Data Protection training module to all Information Asset Owners, a mandatory Information Asset Owner specialist training session is also available which outlines the accountabilities and principles associated with their role.
We schedule an annual session to allow the opportunity Information Asset Owners to refresh their knowledge and sessions are arranged whenever an IAO changes to ensure new IAOs are also upskilled.

These sessions are also opened up to all staff in the organisation who are Business Process Owners, which has been in place since Q3 FY 22-23.

Progress update review - 21 February 2025

Show this section

Thank you for this update on data protection. It is clear that gradual improvements continue to be implemented, and the Care Inspectorate ius commended for this.

The team also acknowledges the receipt of evidence documents with thanks.

Element 10: Business continuity and vital records

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The Keeper agrees the Care Inspectorate has robust arrangements in place sufficient to comply with his expectations under this Element. He acknowledges that the authority continues to transition to a new records platform which will roll out and embed new processes, and he’ll look forward to learning more about this.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Business Continuity and Vital records has increased from 75% to 100% readiness.

This increase in maturity is attributable to the fact that we now have robust arrangement in place for the back-up of digital records (10.4 see evidence 13b).

Storage of back-up tapes in now within Microsoft Azure Cloud and digital back up services are supplied as part of our contract.

Third-party digital back-ups of our Sharepoint sites is also in place which ensures that, should Microsoft Azure Cloud be compromised or brought down, we can independently restore our Sharepoint files.

In addition we have also fully embedded our data breach reporting and management process into our OneTrust platform with a new breach procedure published outlining this change and available on the intranet to all staff since Q4 FY22-23 (see evidence 10a). This breach procedure is subject to regular review, with the next full review due in April 2025

Progress update review - 21 February 2025

Show this section

This reassuring update has been noted with thanks, alongside the accompanying evidence. It is clear from this update that sufficiently robust business continuity arrangements remain in place.

Update required on any major change.

Element 11: Audit trail

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Under the agreed IG Improvement Plan the authority is, as part of the ‘Safer and More Secure’ module, implementing improved accountability and reporting by IAOs. This is planned to conclude in the financial Year 2020-2021. This work will specifically address on-site storage, to include a registration system to better track hard copy files, and arrangements for homeworkers, with regard to digital and hard copy information. This is commendable and the Keeper will be pleased to learn more about this is work progresses.

The Keeper recognises the authority’s transition to a new operating platform will further improve its arrangement under this Element, but he agrees it has sufficiently robust operational processes and procedures to meet his requirements with regards to audit trail provision and version control.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Audit trail has remained the same, at 60% readiness.

In regard to implementing improved accountability and reporting to IAOs however, we have progressed this and as at Q4 FY 22-23 an Information Asset Owner Forum has been in operation to provide support and assurance to Management that the organisation is operating in compliance with agreed Information Governance standards and managing information risk appropriately.

On-site storage and homeworkers arrangements:

In FY 22-23 we completed a Hard Copy Relaunch project, to address on-site storage and improve the indexing of existing and arrangement of new hard copy records to be indexed and stored at our hard copy records at our third-party storage provider, Iron Mountain. Most of these records were over the course of Covid (2020-2022). . This work also included are view the policies and procedures in place for hard copy records in light of changes brought hybrid working. This included:

Reviewing of existing guidance, policies and processes for hard copy records to reflect new working practices and
Reinstating the process of transferring hard copy records to Iron Mountain off site archive.

The outcome of the hard copy relaunch is that updated guidance, policies and procedures for hard copy records is now available on the intranet for the organisation (see evidence 11a-e). In addition, a return of hard copy files (many of which were Covid records)and ingest to Iron Mountain instigated resulted in approximately 50 new boxes as of 31 March 2023 now in storage and approximately 1700 files indexed and searchable on Iron Mountain.

This has both reduced information risk and made the information ‘searchable’ via the hard copy records system.

Progress update review - 21 February 2025

Show this section

Element 11 stipulates that the location of records is known and changes recorded, and that a complete and accurate representation of all changes that occur in relation to a particular record. Audit trail information must be kept for at least as long as the record to which it relates.

The Assessment Team thanks the Care Inspectorate for this update on improvements to audit trail arrangements, particularly with regard to hard copy records. It is clear that the authority maintains and continues to improve the operational processes and procedures to meet the Keeper’s requirements with regards to audit trail provision and version control. The receipt of appropriate evidence is also noted with thanks.

Element 12: Competency framework

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The plan states that “all new staff are required to complete an induction programme which is a blended approach of ‘face to face’ or Teams training and online modules.” There is also an Information Governance induction course which incorporates Data Protection and Records Management. (evidence E012h) In addition, there are proposals under development to record this training and upload it to the authority’s Learning Management System (LMS) to be advertise to staff as a continuous training opportunity. This is commendable and the Keeper would welcome an update on progress against this initiative.

The authority’s ‘Safer and More Secure’ transformation programme, part of the Maturity Model initiative, includes training for all Information Asset Owners on the principles and accountability associated with their role (evidence E012i). There is also now a mandatory Data Protection training module developed and added to the authority’s LMS to be rolled out Q3-4 Financial Year 21-22. Again, the Keeper commends the authority for its ambitions under this element and will look forward to learning more about the roll out of this training under a future update.

The Keeper is confident the authority takes the issue of general and IG staff training seriously. He agrees the arrangements in place are sufficient to achieve his agreement. He notes that the authority has ambitions and plans in place to further improve its arrangements and he looks forward to learning more about this under a future update.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 our maturity in relation to Competency Framework has increased from 80% to 100% readiness as at Q4 FY23-24.

Training availability:

This increase in maturity is attributable to the fact that, as detailed in the update against Element 9 ‘Data Protection’, our Good Information Governance induction session is now recorded and available through our Learning Management System (LMS) with quarterly training dates arranged and available to all staff to access. This is advertised on both our Viva Engage pages and by our OWD team.

Data Protection Module:

Please see the update against Element 9 ‘Data Protection’ for full details of the update against this element. Mandatory data protection training is available and has been rolled out on our LMS for all staff since Q4 FY22-23.

Employees of the authority are therefore trained in good records management when joining the organisation (as per Part 12.4 see evidence 13b) with regular opportunities to refresh training provided.

Progress update review - 21 February 2025

Show this section

Element 12 is focused on staff competencies and training with regard to records management. It is great to hear that increase in maturity can now be reported. Thank you also for providing appropriate evidence to support the reported developments.

The training reported on is noted with thanks. The assessment team commends the Care Inspectorate’s focus on ensuring its staff receives appropriate training.

Element 13: Assessment and review

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

The plan states that “the RMP will be reviewed at the end of each quarter, as the Model Records Management plan factors are being incorporated into a maturity model which will now be part of the SIRO quarterly reporting and be submitted annually to the Care Inspectorate’s Audit and Risk Committee.” The authority’s commitment [to a routine and regular review mechanism reporting to senior management] is commended by the Keeper and helps assure him of the determination to establish a robust assessment and review process. The Care Inspectorate continues to develop the mechanism it will use to deliver the review. It is clear under the plan that it is committed to understanding its performance against information and data management external benchmarks and statutory requirements. Their finished mechanism, to be an internal assessment process, will therefore draw on available tools to include, the Keeper statutory guidance, NHS Data Security and Protection toolkit and the ICO’s Data Protection Self-Assessment. It is committed to having a first iteration of this bespoke mechanism in place by September 2021. It will be used in the first instance to demonstrate the authority’s baseline maturity position and areas for improvement which will be part of an action plan. The Keeper commends this action. He will expect to learn more about how this is working under an informal progress update review one year after agreement of this plan.

The Keeper is satisfied he can agree this element on an improvement basis. This reflects his satisfaction that evidence exists to convince him of the authority’s commitment to comply, but that the system to bring this about and additional evidence remains to be fully developed and implemented. He will expect to be provided with evidence of the fully operational system or an update on progress under a PUR one year after agreement of this plan.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

Since Q1 FY22-23 to Q4 FY23-24,our maturity in relation to the Assessment and Review element has remained at 100% readiness.

Since Q1 FY22-23 when we conducted our baseline maturity assessment (see evidence 13a), we have fully embedded our maturity assessment bespoke mechanism in our OneTrust system. We run this maturity assessment each quarter, with the most recent being Q4 FY23-24 to assess progress (see evidence 13b).

We use this maturity assessment to report to senior management, including as part of the SIRO Quarterly reporting (see evidence 13c, our Q4 FY23-24 SIRO report) and annually to the Care Inspectorate Audit and Risk Committee (see evidence 13d).

Progress update review - 21 February 2025

Show this section

The Care Inspectorate’s bespoke maturity assessment process, now fully embedded, remains commendable. It is positive to hear that this is working well.

The receipt of evidence provided is acknowledged with thanks.

Element 14: Shared information

Status:

08 December 2021 - element under agreed plan - Green
08 December 2021 - evidence under agreed plan - Green
21 February 2025 - review - Green

Keeper's Report - 8 December 2021

Show this section

Update required on any change.

Self-assessment Update as submitted by the Authority since 8 December 2021

Show this section

No change since RMP.

Progress update review -21 February 2025

Show this section

Thank you for confirming that there have been no changes to this element. Update required on any future change.

7. The Public Records (Scotland) Act Assessment Team’s Summary

Version

The progress update submission which has been assessed is the one received by the Assessment Team on 2nd July 2024. The progress update was submitted by Molly Edmond, Information Governance Analyst.

The progress update submission makes it clear that it is a submission for The Care Inspectorate (Social Care and Social Work Improvement Scotland (SCSWIS)).

The Assessment Team has reviewed The Care Inspectorate’s Progress Update submission and agrees that the proper record management arrangements outlined by the various elements in the authority’s plan continue to be properly considered. The Assessment Team commends this authority’s efforts to keep its Records Management Plan under review.

General Comments

The Care Inspectorate continues to take its records management obligations seriously and is working to maintain all elements in full compliance.

Section 5(2) of the Public Records (Scotland) Act 2011 provides the Keeper of the Records of Scotland (the Keeper) with authority to revisit an agreed plan only after five years has elapsed since the date of agreement. Section 5(6) allows authorities to revise their agreed plan at any time and resubmit this for the Keeper’s agreement. The Act does not require authorities to provide regular updates against progress. The Keeper, however, encourages such updates.

The Keeper cannot change the status of elements formally agreed under a voluntary submission, but he can use such submissions to indicate how he might now regard this status should the authority choose to resubmit its plan under section (5)(6) of the Act.

8. The Public Records (Scotland) Act Assessment Team’s Evaluation

Based on the progress update assessment the Assessment Team considers that The Care Inspectorate continue to take their statutory obligations seriously and are working hard to bring all the elements of their records management arrangements into full compliance with the Act and fulfil the Keeper’s expectations.

The Assessment Team recommends authorities consider publishing PUR assessment reports on their websites as an example of continued good practice both within individual authorities and across the sector.

This report follows the Public Records (Scotland) Act Assessment Team’s review carried out by

Iida Saarinen
Public Records Officer

File downloads

Document cover image

NRS Public Records (Scotland) Act (PRSA) The Care Inspectorate Progress Update Review (PUR) 2023 Final Report Web Version 21 February 2025

File type: PDF,
File size: 286.47 KB

Contact details

Was this page helpful? *

Yes

Yes, but

Choose a reason for your feedback *

Your comments Your feedback helps us to improve our services.
Do not give any personal information.