Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology

Emma Martins' report of her independent review


17. Appendix 3. Timeline of learning opportunities*

*Some reports do not specifically relate to devolved administrations but nonetheless could have been noted as part of active risk horizon scanning.

Each of these sources contains insights, references or recommendations on matters relevant to government records management.

  • January 2018 – 'Get it Minuted Campaign' – The Campaign for Freedom of Information in Scotland[58]
  • 2020 – Office of the Scottish Information Commissioner (OSIC) – Decision 131/2020. Request for WhatsApp messages[59] (NB there are a number of FOISA requests relating specifically to WhatsApp messages)
  • 2020 – Statement by International Council on Archives[60]

"It is essential that the basis for these decisions, the decisions themselves and the senior decision-makers involved are thoroughly documented in order for governments to remain accountable both during and after the emergency and for future generations to be able to learn from our actions. Urgent steps should be taken to address record keeping in ephemeral technologies that have to be deployed rapidly."

  • March 2020 – 'Mastering Messaging in the Workplace'[61] – Guild

"Messaging as a medium is exploding, but it's currently unmanaged and not legally compliant in many workplaces across the world."

  • May 2020 – 'Why the UK Government's approach to WhatsApp is an issue'. Research findings.[62]

"Media headlines highlighting government use of consumer messaging apps for communications should make us all aware that perhaps the UK government and advisors are not focusing on the right questions about the use of messaging apps."

  • December 2020 – Boardman Review of Cabinet Office COVID-19 Communications Procurement[63]

"This is particularly important in times of crisis, where there are certain decisions that can and should only be taken by the most senior civil servants. Effective record-keeping should be central to this process."

  • 2021 – A Review of Information Management in the Scottish Government[64]

"The Scottish Government (SG) has reached a strategic tipping point in its approach to information management. There is now a compelling case for the organisation to re-evaluate and reset its approach to information management to ensure that it minimises the risks and takes advantage of the opportunities associated with global changes in technology and supports its future business and digital strategies."

  • 2021 – Legal challenges by the Good Law Project[65]

"They seem to believe this is a loophole to avoid scrutiny. If politicians think they can evade oversight from the Courts or dodge Freedom of Information requests by using private email and WhatsApp, the question becomes: what have they got to hide? Government does have a policy in place about the use of private email, but we don't think it is fit for purpose - not least because it fails to set out when and why it would ever be acceptable for politicians to use their own accounts. And it seems unlikely the policy is being followed in any event, because there's no evidence that steps are generally being taken to ensure that information held by Ministers on private emails or WhatsApp is recorded on Government systems"

  • June 2021 – National Cyber Security Centre (NCSC) – Device Security Guidance[66]

"However, ensuring that these new ways of working can be sustained in the longer term will likely require some revision of practices that have been implemented hastily, particularly as the risks and rewards to an organisation become clearer.

Although the conceptual aims of BYOD are an attractive prospect to most organisations, it comes with a conflicting set of security risks and challenges."

  • July 2021 – IRMS Bulletin (article by Gillian Mapstone, NRS)[67]

"Concern amongst recordkeepers includes that the unplanned data sprawl and creation of public records, with inadequate governance and security, has seen a proliferation of records created outside the authority recordkeeping systems. Just over one-third of respondents confirmed they were not always certain that they could locate information… Significant work will be required over coming months and years to re-establish holistic business classification schemes and embed rigour and security across all these new information spaces"

  • November 2021 – 'Commissioner reflects on FOI in 2021'[68]

"New ways of working and the use of new technologies have been essential as part of the response to the pandemic and the challenges of closed offices and lockdowns, but they also create their own issues. Looking purely at a few of the systems used, authorities will hold information contained in WhatsApp or other messaging systems operated by them and their staff. This will also catch MS Teams chats. Authorities must know what systems are being used and have processes in place to record, retain, identify, and search for any such content. Documentation of decisions has never been more important or indeed challenging in a high tempo environment, particularly (to echo the ICIC) when those decisions may have impacted on public health, civil liberties, and people's prosperity. That includes decisions recorded in such messaging systems. These records are essential not only for FOI but also for any forthcoming inquiries into the response to the pandemic. As the ICIC put it: 'It is essential that the basis of those decisions, the decisions themselves and the senior decision-makers involved are thoroughly documented in order for governments to remain accountable both during and after the emergency and for future generations to be able to learn from our actions.'"

  • March 2022 – Institute for Government. WhatsApp in government: How ministers and officials should use messaging apps – and how they shouldn't.[69]

"Risks include - poor decisions being made with incomplete information, record keeping and scrutiny more difficult, accountability and transparency undermined."

  • July 2021 – Independent Office for Police Conduct (IOPC) – Independent Review into the use of WhatsApp and other instant messaging applications within the police service[70]

"By its nature, WhatsApp presents significant risks relating to data protection and disclosure."

  • 2022 – Scottish Information Management Strategy[71]

"Information is absolutely fundamental to us being able to carry out our business effectively and plays a major role in helping us meet the priorities outlined as part of 'In the service of Scotland – our vision for the Scottish Government'. Managing, gathering, and using our information – while protecting it sufficiently and sharing appropriately with the public and stakeholders - is the responsibility of each and every one of us. In recent times we have rightly been challenged about our information management and governance, including our ability to respond to formal Inquiries related to a range of matters. And it's right that we should be held to high standards."

  • July 2022 – 'Behind the Screens' - Report of the Information Commissioner[72]

"It is essential we examine and address the impact these technology changes are having and that clearer methods are put in place to ensure this happens each time new technology becomes available. As was made clear by my predecessor at the outset of this investigation, it is not unlawful for ministers and officials to use private channels for conducting official business. The pandemic placed extreme demands and stress on our public services. It is understandable, therefore, that some Ministers, advisors, NEDs, and senior officials have relied on new technologies to make their work and their lives more manageable.

In our view, however, the deployment of these technologies failed to appreciate the risks and issues around the security of information and managing transparency obligations. This is not solely a product of pandemic exigencies. But rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present for information management across government over several years preceding the pandemic."

  • 2022 – 'Freedom of Information during and after the Covid-19 pandemic' Report of the Scottish Information Commissioner[73]
  • March 2022 – 'WhatsApp in government' – Institute for Government[74]

"The government needs to get a grip on how these kinds of apps are being used in government."

  • March 2023 – The Constitution Society – The Constitution in Review 4[75]

"The United Kingdom Constitution Group has identified ongoing problems with adherence to key constitutional standards in the UK. We rely on holders of public office to know what the rules are, to follow them, and to encourage others to do the same. Some hoped that the removal of Boris Johnson would signal a return to more acceptable behaviour, but so far, the signs are not encouraging."

  • January 2023 – World Economic Forum – Global Risks Report 2023[76]

Identifies new technologies and cyber threats as 'strong driver of other risks'.

  • February 2023 – ICO – Audit Outcomes Report for Scottish Government[77]
  • June 2023 – Cabinet Office-v-Covid-19 Inquiry[78]
  • August 2023 – Ofgem fines Morgan Stanley £5.4M for failure to record and retain information[79]
  • August 2023 – ICO Reprimands NHS Lanarkshire for sharing patient data via WhatsApp[80]

"Before deploying new apps, consider the risks relating to personal data and include the requirement to assess and mitigate these risks in any approval process.

Ensure explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed."

  • November 2023 – OSIC Statement on the status of 'non-corporate' messaging tools under FOI law[81]
  • December 2023 – 'End government by WhatsApp, urges former GCHQ head'[82]
  • The former head of GCHQ has called for an end to the government handling crises over WhatsApp, saying the platform might suit gossip and informal exchanges but is inappropriate for important decision-making.
  • April 2024 – WhatsApp Westminster 'honeytrap'[83]
  • May 2024 – House of Commons Public Administration and Constitutional Affairs Committee. Lobbying and Influence.[84]

"We do note the comments of a former Director of GCHQ, Sir David Omand, that their (NCCCs') use is entirely unsuited to proper policy making. If an appropriate transparency regime cannot be found that can command public confidence, which we consider the current arrangements do not, the use of any NCCCs should be blocked on official devices."

  • Model Records Management Plan – Public Records (Scotland) Act 2011 (National Records of Scotland)
    • Element 5 – Retention
    • Element 6 – Destruction
    • Element 7 – Archiving
    • Element 8 – Information Security
    • Element 9 – Data Protection
    • Element 10 – Business continuity
    • Element 11 – Audit
  • Scottish Public Finance Manual. Annex 2: internal control checklist[85]

1. Risk Management

1.1 ensure right people are involved

1.2 utilise diverse perspectives

1.3 risk champions. emerging risks, continual learning

1.7 business continuity

10. Information

10.14 find relevant information quickly and easily (for FOI)
