Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology

Emma Martins' report of her independent review


13. Review Questions

Responses to the specific questions set out in the review's terms of reference.

13.1 Should Ministers and officials use mobile messaging apps (including WhatsApp, text messaging and others) in relation to the conduct of Scottish Government business?

Ministers and officials working for Scottish Government should only use mobile messaging apps within a mobile device management (MDM) environment with appropriate security and data retention facilities to comply with corporate policy.

13.2 What is the value of mobile messaging apps in emergency and emergent situations?

Mobile messaging apps can support communications and the delivery of services in emergency and emergent situations but must be referenced in business continuity policy and guidance. Individuals must know, in advance, what is expected and what is acceptable. The policy should be effectively communicated and well-rehearsed.

13.3 If mobile messaging apps are to be used, what information from these apps should be retained, beyond that which is required to meet the requirements of records management policy?

Ministers and officials working for Scottish Government should only use mobile messaging apps within a mobile device management (MDM) environment with appropriate security and data retention facilities to comply with corporate policy.

The Scottish Government should take this opportunity to produce clearer and more consistent guidance relating to the definitions around information which is of business value (see Recommendation 10).

13.4 How should that information be retained (for example, should the saving of this information require the source of information be retained)?

See Question 3.

13.5 Given that the UK Covid-19 Inquiry has adopted the approach that all texts and mobile messages are potentially relevant to its investigations, is there a change needed to the definition of corporate value in relation to mobile messages and texts?

See Question 3.

13.6 What is the position on use of mobile messaging apps in the rest of the UK (including other devolved administrations), and in selected other countries across the world considered best practice in this area?

Whilst it has proved challenging to get information in sufficient time to include in this review, it is possible to see that the picture is remarkably similar across the whole of the UK.

England

UKG – Guidance - Non-corporate communication channels for government business

Cabinet Office Guidance[49] allows for use. Required to use 'professional judgement.'

"The guidance is a framework for individuals (ministers, officials, and others) to make informed judgements about whether to use such channels. It requires them to exercise professional judgement; assessing the context and significance of information; its sensitivity and the security of the device and channel being used."

There has been some commentary raising doubts about the impact of the guidance:

"Whilst superficially signalling a move towards improved practice, the new Cabinet Office policy appears to have had little impact on the extent to which WhatsApp is used."[50]

Wales

The (WhatsApp) app is banned from Welsh government phones, but not on phones given to Members of the Senedd by the Welsh Parliament.

It is important to note that during the Inquiry it became apparent that not only was this policy widely breached even at senior levels, but there were also reports that some individuals felt pressured by others to breach it. This is precisely why it is essential to take a broader view of the issue and ensure organisational understanding and acceptance of the governance in place. Having a policy is necessary but not, on its own, sufficient.

Northern Ireland

Whilst it is not immediately clear whether MMAs were allowed, it is obvious from the Inquiry hearings that WhatsApp was used extensively.

Other jurisdictions:

  • Canada – have noted the increasing use of MMAs across government and reminded individuals of the need to document information with 'business value,' as well as their FOI duties. "The configuration and use of mobile devices must comply with the Management of Information Technology Security Standard"[51]
  • Ireland – no prohibition but clear reminders about the need to record government information.
  • EU Institutions – largely prohibited for 'business as usual' but approved platforms may be used for BCP purposes where additional security measures will apply.

(No responses were received from a further five jurisdictions.)

NB/ This review has not seen evidence of what could be described as 'best practice.'

Appendix 7 provides further information regarding the picture across the UK in the context of the Inquiry findings.

13.7 Should non-corporate devices be used in relation to the conduct of Scottish Government business by Ministers and officials?

Non-corporate devices may be used in relation to the conduct of Scottish Government business by Ministers and officials only within an MDM environment. The BCP policy may provide for the use of non-corporate devices in emergency and emergent situations.

13.8 What is the value of non-corporate technology in emergency and emergent situations?

The use of non-corporate technology can support communications and the delivery of services in emergency and emergent situations but must be referenced in business continuity planning policy and guidance. Individuals must know, in advance, what is expected and what is acceptable. The policy should be effectively communicated and rehearsed.

The Scottish Government should work proactively to identify emerging technologies which may impact any area of activity to consider their impact and whether it may be appropriate to make further enquiries and issue/update policy and/or guidance.

13.9 In relation to devices, both corporate and non-corporate, is there adequate process in relation to changing devices, both for reason of updates and in case of accident?

There is no evidence that the process for changing corporate and non-corporate devices is inadequate. The team responsible appear competent and readily available to provide the necessary support.

Individuals using corporate and non-corporate devices in the course of their duties need to work within a clear and accountable framework of compliance.

See Recommendation 12.

13.10 What is the position on use of mobile messaging apps (non-corporate technology) in the rest of the UK (including other devolved administrations), and in selected other countries across the world who are considered to follow best practice in this area?

See Question 6.

I have not seen an example of what could usefully be described as 'best practice,' which appears to point to the nature of the challenge.

13.11 Are updates required to the Scottish Ministerial Code and Civil Service Guidance?

See Recommendation 2.

13.12 Are the Principles of Public Life sufficiently considered in the use of mobile messaging apps and non-corporate technology?

See Recommendation 2.

13.13 Should separate guidance on interactions with Ministers and others on mobile messaging apps and non-corporate technology be developed?

See Recommendations 1, 10, 12 and 14.

13.14 Statutory duties of Ministers and officials: do these require specific types of communication? If so, what type and by what means? Does the use of mobile messaging apps or non-corporate technology interfere with the discharge of these functions?

Working within an appropriate MDM environment, in compliance with relevant policies, and in accordance with the Scottish Ministerial Code/Civil Service Code should serve to provide a robust, disciplined, and compliant regime for all government communications.

The current political and working environment across government does place pressure on individuals to be contactable, available, and responsive. This does not mean that boundaries cannot be agreed and communicated to manage expectations and support consistency.

It cannot be acceptable for expediency to trump legal and regulatory compliance without high quality checks, balances, and controls in place.

Used within a well governed environment, these communication platforms can contribute positively. Used outwith a well governed environment, these communication platforms can compromise individuals, departments, and the Scottish Government.

13.15 The private lives of Ministers and officials – where do human rights considerations interact with formal, professional duties?

The use of MMAs on non-corporate devices has blurred the boundaries between the professional and personal lives of individuals. In the Closing Statement on behalf of the Cabinet Office, it talks of "informal messaging that was intended to be private."[52]

It is inevitable that, with such blurring, it will prove challenging for statutory inquiries to navigate the identification, request, and collection of information. After Cabinet Office-v-Chair of Covid-19 Inquiry[53], while there is evidence of such a proliferation of use of MMAs at the highest levels of government, inquiry powers will result in significant volumes of data being demanded.

Every individual is afforded the protections of Article 8 of the European Convention on Human Rights (right to respect for private and family life). Article 8 is a qualified right which means that, in certain circumstances, the right can be 'interfered' with.

The standards expected of Ministers and officials mean that this question is not straightforward to answer. It is clear, however, that better discipline, governance, and standards of conduct around the entirety of records management (including communications) will reduce the likelihood of such interference being considered appropriate or necessary.

13.16 Where applicable and outwith the terms of the Intervention or possible Keeper involvement, the interaction with existing legislation in relation to records management, freedom of information and data protection. What issues are raised and is use of mobile messaging apps practicable? Should the Keeper be invited to review practice, these terms would require to be adjusted further.

The problem is not one of new principles, but of a new environment. If new technologies allow for easy circumvention of the legislative, policy and governance requirements, decisions must be made about the most appropriate responses. It cannot be acceptable for any organisation who is bound by legislative obligations to fail to take steps to address weaknesses or vulnerabilities that may be created by novel or changing information processing practices and platforms.

It is to be expected that in light of recent events, there will be continued interest from regulators into the processing activities of the public sector.

It is also to be expected that considering recent events, the NRS consider taking a more proactive role in the assessment and oversight of compliance and promotion of higher standards.

13.17 The business of government – and how to undertake this efficiently and effectively.

The pressures of government and on those working within it are very real. It is vital that, as an organisation, communication channels are effective to enable the business of government to be conducted efficiently and professionally. Developments in communications and technologies offer opportunities to conduct government business in more efficient and effective ways but must only be considered for adoption after a meaningful risk assessment. The nature of risk for all governments is complex and far from static. The response must therefore be comprehensive and ongoing to ensure the protection of individuals, the organisation, and the ability of government to fulfil its duty in serving its citizens. Care should be taken to avoid 'can we?' overtaking 'should we?'

13.18 Active versus passive choices on communication styles (telephone call versus message).

Accountability is one of the Principles of Public life and is contained in the Scottish Ministerial Code.

Recommendation 2 also suggests explicitly adding this as an additional value to the Civil Service Code.

All those working in public service must be clear of the critical importance of accountability and how it translates into their day-to-day activities and choices.

Information, as the SG acknowledges, is the lifeblood of the organisation. Decisions about that information must be taken within a framework of legislation, policies, guidance, skills and knowledge, and conduct. The organisation should make every effort to continuously develop and nurture that framework and must be alive both to the choice architecture and culture that is in place which are both powerful influences on people's behaviour and choices.

Individuals need to conduct themselves in accordance with the values contained in the codes. They must do so fully aware of the nature of the communication choices they make and the consequences that may result.

Despite the fact that many who use them, mistakenly, consider them to be 'informal' or 'ephemeral,' the Inquiry has left no one in any doubt that conversations on MMAs are within scope.

13.19 Consider data security and data sovereignty in relation to mobile messaging apps and non-corporate technology. Consider aspects of National security. Consider implications of device support and data recovery.

See Question 1.

See Appendix 9.

See Recommendations 12 and 19.

The government employees charged with supporting Ministers and officials in the use of devices and records management are competent and professional and perfectly capable of managing the more robust governance framework recommended in this review. It is essential that they are appropriately empowered to ensure the standards are complied with.

Contact

Email: helen.findlay@gov.scot
