Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology
Emma Martins' report of her independent review
12. Recommendations – detailed
The following recommendations aim to support the Scottish Government both in the context of new and evolving technologies and in relation to its more customary activities. The issues are broader and deeper than any one policy or any one technology but, despite its brevity, this report (and its recommendations) provides an opportunity for a broader roadmap to be drawn in the Scottish Government's response to the challenges it has faced.
1. Build on the strong foundation of existing work to embed 'In the Service of Scotland' organisational mission/vision/purpose into all activities and communications of Scottish Government.
Integrate the messaging into all 'touchpoints,' both public-facing and internal.
The circumstances of this review should be used to crystallise the Scottish Government's purpose and values and re-energise the ITSOS project.
The work already underway to help increase organisational awareness must continue to be prioritised and supported.
It is recommended that 'In the Service of Scotland' should become the internal and external facing mission statement. The core purpose (the 'why') of Scottish Government, as well as the vision and values should flow from this mission and must be considered a strategy, not just a slogan. This messaging should be embedded into every touchpoint of government, both internal and external. This clarity of purpose and commitment is important for the citizens of Scotland as much as it is for those that work in their service and will support the foundations for all the recommendations in this review.
Appendix 6 gives examples of where such messaging may be added.
2. Update the Scottish Ministerial Code and the Civil Service Code.
A review done by the Committee on Standards in Public Life[43] (CSPL), states "[T]he Seven Principles (of Public Life) are the bedrock that underpins and gives meaning to public office."
The values contained within the Principles of Public Life, the Scottish Ministerial Code, and the Civil Service Code have largely withstood the test of time. It is hard to argue that any of them are no longer relevant or desirable.
There is, however, a noticeable absence of collaborative or service-led values. There needs to be a shift from the 'I' to the 'we.'
These values should be seen as the ethical underpinning of the work of all politicians and public servants, affirming the privilege and significance of holding office and working as a public servant. Group culture is a powerful and influential force and if these values are to be 'lived' rather than simply written on a piece of paper and rarely referred to, they must be embedded into the organisational culture and nurtured by everyone. This requires a shared vision, strong relationships, collaboration, loyalty, and high standards of legal and ethical conduct. All those working in government should have a clear sense of public purpose and service.
It is therefore recommended that the values of 'collaborative' and 'service' are added to both Codes.
It is further recommended that the values of 'selflessness' and 'accountability' (that are in the Scottish Ministerial Code) are added to the Civil Service Code.
'In the Service of Scotland' should not reference a separate set of values (as it does currently) but should point to those contained within the Civil Service Code. These values should not be part of an annex (i.e. they are not 'extra' or 'subordinate to'). They should be seen, lived, and communicated as the bedrock, not an optional extra.
Appendix 8 sets out the current and recommended lists of values.
The CSPL go on to emphasise the need to ensure all those to whom the Code applies are properly informed and educated about their responsibilities and the role their conduct plays in upholding standards, delivering on their purpose, and supporting democracy. Values need to be the cultural norm within the organisation but will only become so with active and ongoing attention.
In addition to Recommendation 1, Ministers and officials need to be aware of their responsibilities, supported in acting at all times by the values in the codes, and held accountable for their delivery. All individuals should receive regular communications referencing the codes and specific training/awareness programmes should be explored.
The Civil Service Code is not a devolved matter, and the Scottish Government does not have the power to unilaterally change its contents. The Scottish Government should therefore raise this recommendation with the UK Government to consider opportunities for improvement and consistency in this area.
3. Use skills/knowledge/resources around behavioural science to support a stronger culture of compliance.
During the pandemic, the Scottish Government embraced the opportunities presented by an understanding and appreciation of, and thoughtful approach to, human behavioural science. Those opportunities present themselves not only at times of crisis and should be explored in progressing the recommendations from this review.
4. Consider developing the role of Propriety & Ethics (P&E) to be more visible, proactive and involved across the organisation.
Many of the observations and recommendations from this review relate in some way to questions of propriety and ethics.
There is evidence that the Scottish Government understand the key role P&E plays. As recently as May 2024, the Finance and Public Administration Committee in the Scottish Parliament was provided with an update on developments[44] since the conclusion of the 'continuous improvement programme' by Lesley Fraser (Director General – Corporate).
This high-level engagement is to be commended, as is the embracing of initiatives such as hosting the first 'four nations' propriety and ethics discussion in Edinburgh in March 2023.
It seems clear that there is an increasing momentum behind the work being done in this area. The P&E Directorate are increasingly involved in all staff events, and they are involved in supporting the induction programme for new Ministers. There are also targeted outreach programmes in place.
It is also the case that this formal area of activity in the Scottish Government is currently largely reactive. There is an emphasis on complaints handling. This may be because of deliberate strategic direction or a question of resources (or both).
However, P&E must be relevant and part of everyone's daily working life, rather than seen as a department that deals with complaints. Creating and nurturing an ethical, values-led culture is not something that can be delegated to a compliance function or department. The commitments required in the Ministerial and Civil Service Codes are front and centre of P&E. They should, collectively, be seen not simply as sanction-related, but rather as commitments that reflect the values of all public servants.
The opportunity to consider the role P&E plays across the organisation, beyond responding when things go wrong, should be explored. There is the potential for P&E to play a key role in supporting the proactive embedding of the values referred to in Recommendation 2.
This approach could be supported by considering the manner in which staff are provided with information about P&E. The P&E Directorate page on the Scottish Government intranet (Saltire) has, again, a strong emphasis on the role of P&E as a point of contact for raising concerns, dealing with harassment or abuse, and conducting investigations. These elements are of course an essential element of P&E's role but, as much as individuals need confidence in a process that is there to support them if problems arise, it would be a powerful message to have the purpose and values of P&E as the starting point. Being clear about what you stand for (in this case acting with propriety and ethically) is as important as being clear what you stand against (in this case misconduct, harassment etc.).
There are several different 'ambassadorial' roles across the Scottish Government (e.g. risk champions). Consideration should be given to supporting individuals to become 'ethics champions.' These could serve as visible and constant reminders of the purpose and values of the organisation and, if appropriately empowered, could play a supporting role for individuals across government who want to raise any issues or concerns regarding conduct. Although outwith the terms of this review, the importance of a responsive and accountable 'whistleblowing' function for all areas, but particularly those relating to ethical conduct, cannot be overstated. This may be an opportune time to review the whistleblowing policy that is in place for the Scottish Government.
This recommendation can serve to support the ongoing work following on from the 'continuous improvement programme' to 'develop and evolve the Propriety and Ethics function.'[45]
5. Include mandatory regular training on Propriety & Ethics for all Ministers and officials.
In addition to Recommendation 1, P&E should be included and/or referenced in specific, regular, and mandatory training, starting at the point of induction. This should support the current training in place for cyber security and the safe use of mobile messaging. Building on the current induction programme, thought should be given to positioning P&E within a broader framework to encourage awareness and engagement beyond reactive complaints handling.
6. Develop a risk assessment framework incorporating the Ministerial and Civil Service codes, and Propriety & Ethics.
The nature of risk is constantly changing and is increasingly complex. To ensure good governance, the Scottish Government needs to put in place mechanisms (including policies, processes, skills, and knowledge) to identify the risks to which they are exposed.
There are mature and well-rehearsed practices in place for most risks across the organisation. The programmes of risk assessment and audit in place are well resourced and clearly taken seriously. It is nonetheless the case that the risks in the context of the terms of this review were not adequately identified. This must result in reflection by the Scottish Government upon the nature of the risks to which they have been exposed (and continue to be exposed), the missed opportunities to address them proactively, and what they can learn from those to put in place more effective mechanisms throughout all departments.
Many traditional programmes approach risk as something static, and once a checklist is ticked or a policy written, consider the job to be done. This is to misunderstand the reality of risks in our current technological and political era. That misunderstanding has consequences.
It is recommended that risks relating to the Ministerial and Civil Service codes, and P&E more widely, are approached as seriously as all other risks. A framework of risk identification, response, and management in these areas must be developed to mirror those already in place in other areas. However, it is imperative that this framework works in real-time and is forward-looking as well as reflective. It should respond in a timely manner on an ad-hoc basis to risks identified or issues flagged, as well as being subject of regular (i.e. annual) assessments.
The process must also be aware of the fact that risk, in this context, is not something exclusively external to the organisation against which it must defend itself. Risk increasingly manifests itself in a myriad of different and novel ways and the organisational approach must respond and adapt to that.
It is noted that the P&E outreach programme aims to assess forward risk (in relation to conduct and P&E issues), and the Scottish Government Internal Audit team carry out reviews of the processes in use in P&E (as was required under the 'continuous improvement programme'). This approach is welcomed. It must also consider the issues from an increasingly broad perspective because of the evolving and novel nature of risk.
A conscious approach of 'disruptive thinking' is also prudent from a propriety and ethics perspective as it can help to challenge the thinking and practices of the organisation that are in place. This is a particularly useful tool in the current environment considering the speed and nature of developments relevant to the area of this review.
It is often the case that a crisis prompts senior leaders to prioritise action. That has certainly been the case here. The objective must be to take a more initiative-taking, informed, and disciplined approach to risk with the aims of avoiding (or at least mitigating) risk and building a more stable environment. This will better protect the organisation from the spikes of time and money which are often required in a reactive environment when having to respond to things which have gone wrong.
It is further recommended that the pilot Information Risk Assessment Template be reviewed in light of the findings of this review.
This framework could be incorporated into existing programmes of work or be considered as a standalone programme.
Appendix 3 gives examples of where real-time information could usefully inform such a process.
All identified risks should be tracked and reported to the Executive.
7. Commit to Ethical Business Practices (EBP) to support a culture of compliance and provide a foundation for Scotland's vision to be an Ethical Digital Nation.
Becoming an Ethical Digital Nation is a key ambition for the Scottish Government. The Digital Strategy states that:
"Our vision is for a society where people can trust public services and businesses to respect privacy and be open and honest in the way data is being used… A place where children and vulnerable people are protected from harm. Where digital technologies adopt the principles of privacy, resilience and harm reduction by design and are inclusive, fair, and useful."[46]
The strategy is an impressive piece of work and one which the Scottish Government should be proud of. It highlights the opportunities that exist by taking an ethical approach in this digital era. It also refers to the need to secure trust in government. The innovative vision is certainly at risk if the issues raised in this review are not comprehensively addressed.
For the Scottish Government to lead from the front with such an initiative, and there is no reason why it cannot, it needs to proactively develop and nurture the reciprocal trust needed in the social contract between itself and the Scottish community. For it to lead on digital ethics, it has to live and breathe the values that necessarily underpin it.
It is recommended that the Scottish Government support the advancing of the vision of an Ethical Digital Nation for Scotland by committing to EBP.
It is noteworthy that Scotland is referenced as engaging in EBP in Hodges & Steinholtz (2017)[47], and Hodges (2022)[48]. There are, therefore, strong foundations already in place to further develop this across government and in support of the Ethical Digital Nation vision. The appendices of that book contain a comprehensive framework designed to assist the embedding of EBP into organisations. This could be used by the Scottish Government as a useful tool or starting point.
8. Incorporate assessment of how individuals' values and performance align with ITSOS framework and the Civil Service Code into all processes around recruitment and selection, and performance management.
The Scottish Government should include clear, visible, and consistent messaging of their purpose, mission, vision and values in all recruitment and selection documents and information. (See Recommendation 1.)
This information should also be reflected in employee performance review and appraisal processes and professional development.
Individuals whose values align with those of government will be incentivised to apply for positions of employment and those working in public service will know that their values align with their employer. Public servants should be required to demonstrate that they are upholding the values contained within the Civil Service Code throughout their employment and particularly when assessments are made of their performance.
9. Update the hybrid working policy.
The policy on hybrid working should be reviewed and updated. There should be clarity on the definition of hybrid and consideration should be given to requiring coordinated in-person days or sessions to encourage a culture of strong relationships, teamwork, collaboration, learning and improvement.
The current policy refers to the offer of 'hybrid working where business needs allow.' This wording should be reviewed with a view to more closely aligning it to the mission of the Scottish Government and the values that underpin it.
10. Consider changing definitions and updating guidance to avoid confusion around 'corporate value,' 'business information,' 'corporate records,' 'salient information' and 'evidence of decision-making.'
It has been clear in evidence at the Inquiry that there is a degree of uncertainty, ambiguity and subjectivity about these terms across the organisation. Clear definitions must be made available to all staff with guidance and examples.
Adoption of Recommendation 13 will reduce the challenges for the organisation in this respect. The less opportunity there is for personal, subjective judgements to be required, the less opportunity there will be for inconsistency and non-compliance.
The findings of the Inquiry and outcome of the Information Commissioner's Intervention should also inform policy and guidance.
11. Scheduled reviews for existing policies/guidance should be put in place.
It has not been possible to locate evidence of an overarching policy setting out the timings and process for reviews of policies and guidance.
Policy reviews should be put in place and diarised. In addition, any risks or developments highlighted (see Recommendation 6) should trigger responsive and timely ad-hoc reviews. This should be supported with clear information relating to policy ownership.
12. A new policy for mobile messaging apps (MMAs) should be put in place.
The use of informal communication channels has been the focus of attention across the UK throughout the (ongoing) Inquiry, and this review was conducted to consider their use.
Technological developments mean that there is the opportunity to easily work (and communicate) outside of corporate systems. The Inquiry has highlighted the extensive use of MMAs by ministers and officials across the UK.
The current policy on MMAs is not considered to be fit for purpose and it is recommended that it be withdrawn and replaced with a new policy reflecting, inter alia, the laws around data protection, freedom of information, and public records, as well as codes of conduct, that are in place for reasons that get to the heart of our democracy. The new policy should reflect Recommendation 1.
There has been an explosion in the use of MMAs. It is accepted that they can be a useful tool for communicating but if they are approved for government business use, e.g. Teams, they must only be used in a managed environment and in a manner authorised by the Scottish Government.
It is imperative for the Scottish Government to actively seek to mitigate risks in a balanced and pragmatic way to enable secure systems and ensure data integrity with minimal compromises.
Government business needs always to be conducted on devices and platforms which enable government management and control.
The Reviewer is aware that many organisations issue government-controlled devices including Scottish Government, Scottish Parliament, and the Crown Office.
In order to provide for a more robust governance framework for the use of MMAs, the following controls should be in place for all government communications:
- MMAs must only be used within an appropriate and formally agreed MDM (Mobile Device Management) environment and one which supports good cyber hygiene. This will make devices much more secure once configured correctly, enhancing the application's security.
- Unmanaged MMAs should not be permitted on corporate devices.
- Unmanaged MMAs should not be permitted for government communications on non-corporate devices.
- MMAs must not be used for information classified as 'SECRET' or 'TOP SECRET.'
- Any processing of personal data must comply with the UK GDPR with policies and procedures in place to ensure clarity about these requirements.
- Instant messaging applications, including WhatsApp, leak metadata such as IP addresses, which could expose location information. It is therefore important to ensure appropriate security through the use of a VPN or similar which will add a significant layer of security to MMAs, ensuring that traffic is routed through government infrastructure. It can be turned off when the user leaves the employ of the government.
- Where possible, MDM should be used to limit the installation of unauthorised MMAs.
- Where possible, the 'business versions' of MMAs should be used as they provide enhanced security.
- A PIN must be used on the device.
- Any data shared with the user that is sensitive should be marked as such and only communicated in line with policy and guidance. MMAs should be fully backed up for retention purposes meaning all data could be recalled if required to respond to a data protection, freedom of information, or inquiry request. This can be managed using MDM.
- MDM must ensure settings prevent messages being displayed on the home screen.
- MDM must ensure settings prevent photos etc. being downloaded by default.
- MDM must ensure appropriate governance around the setting up of groups to ensure appropriate addition, monitoring and deletion of members.
- All users require training and a high level of education so that they are aware of the possible risks, and to ensure that they practice good Cyber hygiene and understand the reasons for doing so. This training and awareness must also include explicit reference to the Ministerial and Civil Service codes and the expected standards of behaviour that apply.
- When an individual leaves their role in government, the data should be removed from the personal device. It is important to implement MDM with controls around the data, or to require an in-person visit to the IT department to perform the required sanitisation.
- Risks remain regarding the way in which MMA users may have their contacts downloaded (often to gain knowledge and build a network around user behaviour and other connections) as well as members of groups being able to access the contact details of other members. Neither of these risks can be effectively managed by MDM. Users must be made explicitly aware of these risks and the Scottish Government must constantly assess them.
- Cyber security training must be included in mandatory training across the Scottish Government, with regular refreshers and awareness initiatives/updates. Cyber is a key attack entry point into government and training should not be elective.
- A program to better mark all data including documents and messaging and any data in transit or at rest should be embarked on to better protect government data and to remind users of the status and content of the data. This will serve to support a protective culture where it is understood that data and cyber security is everyone's responsibility, encouraging stronger cyber hygiene and more robust data leakage prevention practices.
- Shadow IT is only lightly addressed using MDM on managed devices as the policies would only be strong enough to control the use of approved applications. On unmanaged devices there will be evidence of shadow IT, and this will be harder to manage without a strong policy to guide users to only use government issued devices. Applications that find their way into mainstream use should be evaluated for security and applicability before being adopted for broader use and support from the Scottish Government. As part of this consideration, it is also advisable that the Scottish Government offer free MDM for their users to use on their personal devices should they choose to use them for government business. If the MDM is not opted for on personal devices, government data should not be allowed to exist on those devices.
- If the Scottish Government intends to use social media and/or MMAs to communicate, the official accounts must be published on their website to allow people to authenticate and identify their communications.
- There has been an explosion in the use of MMAs across society. Where MMAs cannot be managed, and are therefore required to be restricted or prohibited, it is imperative for the Scottish Government to effectively communicate the reasons for such decisions and the importance of compliance (see also Recommendation 1).
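The controls above can be written down as a policy-as-code check so that a proposed use of an MMA is tested against the same rules every time. This is an added illustrative example, not code from the report or from the Scottish Government; the device record fields and the decision rules are assumptions drawn from the bullet list (MDM enrolment, managed versus unmanaged apps, corporate versus personal devices, the SECRET/TOP SECRET ceiling, PIN, lock-screen previews, media auto-download and VPN routing).

```python
"""Policy-as-code model of the MMA controls in Recommendation 12.

Added illustrative example (not Scottish Government tooling). The Device and
Request records are assumed shapes; a real deployment would populate them from
MDM inventory and the request context.
"""
from dataclasses import dataclass, field

# Classifications the recommendations say must never travel over an MMA.
FORBIDDEN_ON_MMA = {"SECRET", "TOP SECRET"}


@dataclass
class Device:
    name: str
    corporate: bool             # government-issued (True) or personal (False)
    mdm_enrolled: bool          # enrolled in the agreed MDM environment
    pin_set: bool
    lockscreen_previews: bool   # messages shown on the home/lock screen
    media_autodownload: bool    # photos etc. downloaded by default
    vpn_to_gov: bool            # traffic routed through government infrastructure
    managed_apps: set = field(default_factory=set)  # MMAs installed via MDM


@dataclass
class Request:
    device: Device
    app: str              # e.g. "Teams", "WhatsApp"
    classification: str   # e.g. "OFFICIAL", "SECRET"


def evaluate(req: Request) -> list[str]:
    """Return the list of failed controls; an empty list means the use is permitted."""
    d, failures = req.device, []
    managed = req.app in d.managed_apps
    if req.classification.upper() in FORBIDDEN_ON_MMA:
        failures.append(f"{req.classification} information must not be sent over any MMA")
    if not d.mdm_enrolled:
        # Without MDM opt-in, government data must not exist on the device at all.
        failures.append("device is not MDM-enrolled; government data must not be held on it")
    if d.corporate and not managed:
        failures.append(f"unmanaged app {req.app!r} is not permitted on a corporate device")
    if not d.corporate and not managed:
        failures.append(f"unmanaged app {req.app!r} is not permitted for government business on a personal device")
    if not d.pin_set:
        failures.append("device PIN is not set")
    if d.lockscreen_previews:
        failures.append("MDM must prevent message previews on the home/lock screen")
    if d.media_autodownload:
        failures.append("MDM must prevent photos etc. being downloaded by default")
    if not d.vpn_to_gov:
        failures.append("traffic is not routed through government infrastructure (VPN)")
    return failures


def permitted(req: Request) -> bool:
    return not evaluate(req)


def sample_requests() -> dict[str, Request]:
    """Constructed sample devices and requests (not real inventory data)."""
    corp = Device("corp-phone", True, True, True, False, False, True, {"Teams"})
    personal = Device("personal-phone", False, False, True, True, True, False, set())
    return {
        "corp_teams_official": Request(corp, "Teams", "OFFICIAL"),
        "corp_whatsapp_official": Request(corp, "WhatsApp", "OFFICIAL"),
        "corp_teams_secret": Request(corp, "Teams", "SECRET"),
        "personal_whatsapp_official": Request(personal, "WhatsApp", "OFFICIAL"),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        verdict = "PERMITTED" if permitted(req) else "DENIED"
        print(f"{label}: {verdict}")
        for reason in evaluate(req):
            print(f"  - {reason}")
```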
13. The business continuity plan (BCP) should be updated to include reference to, and rules around, the use of MMAs.
MMAs were clearly seen by some as an appropriate platform to use during the pandemic because of the specific challenges of communicating during lockdown. The countrywide move to home and/or hybrid working resulted in a number of practical challenges, all of which should be considered as part of regular and rehearsed business continuity planning. The BCP must set out the rules that apply in all emergency and emergent situations. It should not be left to individuals to navigate trying to find effective communication channels during such times. Policies should be in place ex-ante, and they must be effectively communicated and well-rehearsed. The Scottish Government must determine these policies cognisant of the associated risks and benefits and must keep all risks under review. It must be made clear that risks are significantly amplified if personal devices are used or if communication occurs outside of a managed environment.
The policy should explicitly include cloud service and mobile messaging services, and the data stored in these systems.
14. The compliance requirements of articles 13 and 14 of the UK GDPR should be reviewed for government contact pages.
It is clear that a significant amount of information relating to communications to/from Ministers and officials has been provided to the Inquiry. There is every likelihood that these communications will include information about members of the public (e.g. constituents). Where contact details for Ministers (or officials) are made publicly available online (or by other means), a review should be undertaken to ensure compliance with all the requirements of the UK GDPR, but in particular (for the purposes of this review) the article 13 and article 14 requirements (information to be provided) to ensure that any individuals (e.g. constituents) who communicate using these details are appropriately informed of the potential data processing that may occur.
15. A central register for data protection impact assessments (DPIAs, Article 35 of the UK GDPR) should be in place and proactively reviewed.
Information Asset Owners are responsible for undertaking, recording, and filing DPIAs. There is no evidence of a meaningful process to centrally log, review or action DPIAs. These should be considered key documents to ensure legal and ethical duties are fulfilled and risks mitigated. A coordinated process of recording and review should be put in place. This could be overseen by the DPO. Consideration should be given to interaction with Recommendation 6.
16. The social media policy should be updated.
The social media policy for Scottish Government should include clarity on the definition of social media to avoid any confusion about whether the policy relates to MMAs or not. It should also specifically reference public records and strengthen reference to FOI. Also see Recommendation 1.
17. Consideration should be given to 'flash mentoring' for roles that impact records management and P&E.
Records management is a horizontal issue for the Scottish Government in that it affects every individual in every department. All individuals, particularly those new in service, would benefit from contact with and insights from subject matter experts.
18. Consideration should be given to ensuring a more coordinated approach to the roles that impact records management and P&E.
Scottish Government has a number of roles that touch on records management and P&E. Some of these are formal, others voluntary.
Examples are – Accountable Officer, Senior Information Risk Owner, Information Asset Owner, Deputy Information Asset Owner, Information Management Support Officer, Security Awareness Champion, Risk Champion.
It is unclear how much coordination or collaboration goes on in these areas, but should consideration be given to the 'ethics ambassador role' referenced in Recommendation 4, efforts should be taken to reduce duplication and maximise collaboration.
19. Review device security for all politically exposed persons (PEPs).
Appendix 9 sets out the specific nature of the risks associated with WhatsApp. Risk mapping of this nature must be conducted for all platforms in use. Where PEPs (and other senior or at-risk individuals) may be exposed or vulnerable to particular risk, the Scottish Government must support those individuals to make informed choices about their own devices.
20. Ensure all Scottish Government staff and Ministers are updated on the position taken by Inquiries in relation to the duty to provide evidence and the relevance for all records management activities and personal conduct across the organisation.
Developments of this nature should be kept under constant review and all affected staff should be updated without delay. This should also be included in all future induction and training for Scottish Government staff and Ministers.
Contact
Email: helen.findlay@gov.scot