Further information relating to regulatory controls in technology projects: FOI release

Information requested

Thank you for your request dated 21 August under the Freedom of Information (Scotland) Act 2002 (FOISA) which followed up on your previous request (reference 202300365280).

Your request

You asked for further information on our response of 4 August to your previous request relating to:

1. the number of changes performed to these controls and policies/procedures and any information which exists on the preceding incidents which cause these changes to occur? If it is not possible to determine the preceding incidents then a timeline for the changes and a timeline for incidents would be helpful.

2. the number of contracts the government has had to enforce these procurement policies and procedures with the measured outcomes such as repayments or rework associated with consequences? If there is no such existing data then I would like to know the number of lessons learned, particularly by independent assurance reviews, particularly any measures of the complexity of the failures and the financial consequences?

Thank you also for your clarification response of 25 September which confirmed that you are interested in the last 10 years (2012 until today) with a particular interest in the breach of terms associated with the delivery of contracts, particularly centred around security or data loss events associated with technology purchases within the government.

Response

I enclose a copy of some of the information you requested in this letter. While our aim is to provide information whenever possible, in this instance the Scottish Government does not have some of the information you have requested. The reasons why we do not have the information are explained in the Annex to this letter.

1. The number of changes performed to these controls and policies/procedures and any information which exists on the preceding incidents which cause these changes to occur? If it is not possible to determine the preceding incidents then a timeline for the changes and a timeline for incidents would be helpful.

The Scottish Government records all data incidents and each one is investigated to identify the cause and any improvements that could be made. The current process was introduced in 2016 and there are around 120 data incidents recorded each year. Information about breaches has been published on the Scottish Government’s website following other Freedom of Information requests:

• Number of data breaches between 2016 and 2018 Data breach notifications submitted to the Scottish Government: FOI release - gov.scot (www.gov.scot)
• Yearly number of Information Commissioner’s Office data breach reports – these are ones where there is a risk or high risk to individuals. Number of data breaches from 2018 to 2022: FOI release - gov.scot (www.gov.scot)

There have been breaches recorded where a supplier under contract has had an issue but these have been technical or organisation breaches rather than a failure to comply with the contract.

A review of Information Management was commissioned by the then Permanent Secretary in 2020 in response to a number of considerations to:

• provide a strategic, corporate assessment of information management and its governance, building on work which had already commenced to develop an improved operating model around information and records management. This work was the final phase of a major technology enabled improvement programme around the Scottish Government’s digital information and records management capability.
• conduct an assessment of the most common day to day practices around general information management and its governance and highlight risks, opportunities and areas for improvement. The review did not focus on performance or compliance in any single information discipline such as Data Protection, Information Security, Freedom of Information (which have been subject to separate reviews and inspections by the ICO).
• assess the potential impact the current information management model may have on compliance with Scottish Government policies and information law generally, and in particular records management including compliance with the Public Records (S) Act 2011.
• assess the effectiveness of the current information management environment in supporting key business requirements and outcomes such as responding to current and future inquiries.
• evaluate the effectiveness of key components of the Scottish Government’s current information governance including the priority and profile of information governance; roles and responsibilities; policies, procedures and working practices; training and guidance; the use of the corporate electronic records and documents management system; the prevalence and use of other common desktop information systems; performance management and assurance measures.

The Information Management Review made 8 recommendations for change to the Scottish Government’s Executive Team in January 2021.These were approved by the Executive Team resulting in the initiation of a programme of work to deliver the changes and benefits. An Information Management Strategy was developed in response to one of the key recommendations of the review.

2. The number of contracts the government has had to enforce these procurement policies and procedures with the measured outcomes such as repayments or rework associated with consequences? If there is no such existing data then I would like to know the number of lessons learned, particularly by independent assurance reviews, particularly any measures of the complexity of the failures and the financial consequences?

There are a range of Scottish Government ICT related frameworks and contracts in place which provide goods and services to Central Government and the wider public sector. You can find more information about these on the Scottish Government website. There have been no reported regulatory data breaches in relation to these frameworks and contracts which required measured outcomes such as repayments or rework to be enforced.

There are data protection controls in place to manage contractors acting as processors via two mechanisms set out in the UK General Data Protection Regulation:

• any provider of IT systems or undertaking data processing is required to provide a statement of assurance on cyber security. This meets Article 28(1) that Scottish Government will only use processors providing sufficient guarantees.
• the standard Scottish Government contracts have a GDPR section and meet the requirements of A28(3) that a legally binding contract is in place.

Annex – Reasons for not providing Information

The Scottish Government does not hold the information requested
The Scottish Government does not maintain a record of data incidents caused by contract breaches. We do however have processes, controls and assurance reporting that provide safeguards. As set out above, the current arrangements for recording data incidents were established in 2016 and there are no records prior to that.

I hereby provide you with formal notice under section 17(1) of FOISA that the Scottish Government does not have the information you have requested.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.