Records Management in Scottish Public Authorities is Changing

backgrounds-building-exterior-builtstructure-calton-hill-edinburgh-castle-scotland-1

The Public Records (Scotland) Act 2011 (PRSA 2011) requires public bodies in Scotland to develop a Records Management Plan and submit it for the approval of the Keeper of the Records of Scotland. Many of these plans, usually approved on a five year basis, are now approaching the time when they will need to be revised and put through the approval process once again. Moreover, the Keeper’s team have been actively revising their “Model Plan” and will be expecting more from authorities on the submission of their new plans over the next couple of years.

Background

The PRSA 2011 received Royal Assent on 20 April 2011, aiming to fill a gap in information governance which had long existed. Although there had been some sector specific records requirements there was no overall legislative framework guiding the creation, management or retention of information in the Scottish public sector.

The Act came in on the back of the 2007 Shaw Report which blamed poor record keeping for many of the difficulties faced by former residents of residential schools and children’s homes. The Scottish Government took  a broad view of the implications of Shaw; this in turn led to the PRSA covering a broad range of named public authorities including the Scottish Government and Parliament, local authorities, NHS, police and the courts.

Despite concerns, strongly expressed at the time by COSLA among others, that the Act would present yet another onerous burden during a period of particularly harsh austerity, it is probably fair to say that the PRSA has been a success, giving Scotland a solid statutory basis for its record keeping for the first time.

Records Management Plans

The core of the Act is the requirement to develop and maintain a Records Management Plan. This, in theory, can take any form but in practice authorities have tended to closely follow the Keeper’s “Model” comprising (originally) 14 elements:

  1. Senior management responsibility 
  2. Records manager responsibility 
  3. Records management policy statement 
  4. Business classification 
  5. Retention schedules 
  6. Destruction arrangements 
  7. Archiving and transfer arrangements 
  8. Information security 
  9. Data protection 
  10. Business continuity and vital records
  11. Audit trail 
  12. Competency framework for records management staff 
  13. Assessment and review 
  14. Shared information

Changes 

One significant change to the way that the Keeper will be assessing authorities’ Records Management Plans is that there is now an “Element 15” in the Model Plan, covering third party records. S2 and S3 of the Public Records (Scotland) Act always defined the scope of the legislation broadly so as to cover the records of external agencies carrying out functions on behalf of the public authority, but that is now going to be more explicitly defined and the Keeper will expect to see evidence of policies and procedures under this “Element 15”.

The Keeper is currently undertaking a review of these requirements so it is as yet unclear exactly what will be required. The issue was covered in some detail at the Stakeholders’ forums which the Keeper hosted last year, and there is some guidance and model contractual clauses available from the National Records of Scotland, and from the Scottish Council on Archives and Quality Scotland.

Another significant change in the Keeper’s approach to what will be required from Records Management Plans is a general refocussing on data protection. This had always featured in the Model Plan with element 9 dedicated to the appropriate management of personal data but now data protection runs through the Keeper’s guidance like the writing through a stick of rock. As well as beefing up element 9, each section of the Keeper’s guidance now includes a data protection theme as an example of good practice.

The scope of the PRSA continues to broaden. The Keeper is currently going through the approval process of the Integrated Joint Boards, and (as with Freedom of Information?) there will be pressure to extend the list of bodies covered by the Act. The position of Trusts and some other arms-length authorities remains unclear but all organisations of a public nature would be well advised to get up to speed with the requirements of the Public Records (Scotland) Act 2011.

Throughout the process of the passage of the Bill, the Keeper always made a commitment to use the carrot rather than the stick. This has worked well, with the very helpful team at the NRS providing support and guidance on a range of records issues. As the records environment matures, however, and as more is expected of authorities, might we see a more robust approach from the regulator? In retrospect, some of the early schemes which the Keeper approved now look somewhat thin; it may be unlikely that these would have passed had they been submitted today.

Act Now has arranged a series of webinars and full day workshops on the themes raised by the developments within the PRSA. Among other issues, we will be looking at:

  • Records Management Policies. Some authorities conflate “policy” and “Plan”.
    I’d suggest a clear separation, with the Policy simply summarising the case for records management, allocating responsibilities, defining terms and setting out key principles. This element of the plan can also be used to include area-specific policies and procedures which perhaps don’t fit neatly elsewhere.
  • We’ll consider the standards and resources available. What are the standards that you need to know about? In developing or amending your plan, how far can you rely on off-the-shelf resources such as business classification schemes and retention schedules? What do you have to do to make these really work for you?
  • The Keeper has a self-review mechanism for already established Records Management Plans. The “Progress Update Review” mechanism is available and the Keeper has suggested that completing this process will delay the requirement for a full resubmission of your Plan. But what factors should be considered in deciding when to use the PUR and when to complete a full resubmission? 
  • Links to other relevant legislation. In particular, the GDPR, the Data Protection Act 2018 and the Freedom of Information (Scotland) Act 2004. As noted above, the start of the review of the model scheme was at the same time as the implementation of the GDPR and this seems to have very much focussed the Keeper’s attention on data protection. What will authorities need to do to ensure that their RMPs are up to speed with the new DP requirements?
  • Electronic Records Management. In theory, records principles are blind to the media by which the information is created, stored and managed. In practice, however, the Records Management Plan can be an excellent focus to develop and promote policies and practical guidance which relates specifically to information in alternative media.
  • Getting “buy in”. We will consider the best ways to get support for the Records Management Plan within your organisation. It is important that you are able to show the benefits of good records management – and not just in terms of statutory compliance or improved efficiency. By developing a culture of regarding information as a corporate asset you be able to demonstrate that records management is vital in evidencing the rights and responsibilities of the organisation and in maintaining a high quality corporate memory through the development of a proper archive service. 
  • Making it real. The RMP should not just be a paper exercise but should be a functioning set of tools which ensure that the organisation derives maximum value from its information resources. To be of real value, the Plan needs to be embedded throughout the organisation, rather than just a neat stack of policies on a corner of the Chief Executive’s desk. 

Craig Geddes is a qualified archivist and records manager, with 28 years’ experience working across the range of information governance activities. He has recently joined the Act Now team to deliver freedom of information and records management courses in Scotland

Blog Footer Blue and White 2

Information Governance Experts Join the Act Now Team

Steven CockcroftCraig Geddesbarry moult

(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit, Risk Management and Business Continuity Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well know IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategical Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR) how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training,  said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector.  Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Blog Footer Blue and White 2

GDPR Subject Access Time Limits Reconsidered

Keeping paper records on the shelves.

Just like its predecessor (DPA 2018), the General Data Protection Regulation (GDPR) gives Data Subjects a right to make a Subject Access Request (SAR) to a Data Controller. This means that they can obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Time Limit

The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.

When does the one month to respond start from?

Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling.
It says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.

This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day.
As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.

The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.

You may also be interested in Susan’s Wolf’s blog on the latest case on subject access for paper records.

 

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

GDPR and Brexit: What next?

canstockphoto15551787-1

We are heading for a No Deal Brexit it seems (at least today!). What are the implications for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018)?  Can we bin them on the 31st October with our red EU passports? The answer is no. GDPR and the DPA are here to stay albeit there will be immediate amendments coming into force if Boris does not “pull a rabbit out of the hat.”

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29thMarch 2019, with the rest coming into force on exit day (currently 31stOctober unless something happens in the next few weeks like a General Election!).

The new regulations will only apply if we crash out of the EU without a deal. If Boris gets a deal then GDPR will apply “as is” until the end of the transitional period (currently December 2020). But no deal will mean no transitional period and changes to GDPR as we know it.

The current (EU) version of GDPR, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The new regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

In a no deal scenario, the UK will immediately become a third country under GDPR and so EU Data Controllers will not be able to transfer data to the UK unless additional safeguards are in place. The regulations deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly. However the UK government has acknowledged that there would be no prospect of a positive adequacy decision in the foreseeable future.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context.Amongst other things, the new regulations merge this part into the UK GDPR.

All Data Controllers and Processors need to assess their EU/UK data flows and think what measures they can put into place to ensure continuity post No Deal Brexit.

The uncertainty around Brexit means that it is an interesting time for Data Protection Officers and advisers. Watch this space!

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

%d bloggers like this: