Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology
Emma Martins' report of her independent review
3. Recommendations – summary
1. Build on the strong foundation of existing work to embed 'In the Service of Scotland' organisational mission/vision/purpose into all activities and communications of Scottish Government. Integrate the messaging into all 'touchpoints,' both public-facing and internal.
2. Update the Scottish Ministerial Code and the Civil Service Code.
3. Use skills/knowledge/resources around behavioural science to support a stronger culture of compliance.
4. Consider developing the role of Propriety & Ethics (P&E) to be more visible, proactive and involved across the organisation.
5. Include mandatory regular training on P&E for all Ministers and officials.
6. Develop a risk assessment framework incorporating the Ministerial and Civil Service codes and Propriety & Ethics.
7. Commit to Ethical Business Practices (EBP) to support a culture of compliance and provide a foundation for Scotland's vision to be an Ethical Digital Nation.
8. Incorporate assessment of how individuals' values and performance align with the ITSOS framework and Civil Service Code into all processes around recruitment and selection and performance management.
9. Update the hybrid working policy.
10. Consider changing definitions and updating guidance to avoid confusion around 'corporate value,' 'business information,' 'salient information' and 'evidence of decision-making.'
11. Scheduled reviews for existing policies/guidance should be put in place.
12. A new policy for mobile messaging apps (MMAs) should be put in place to ensure all government communication is conducted in a managed environment.
13. The business continuity plan (BCP) should be updated to include reference to, and rules around, the use of MMAs.
14. The compliance requirements of articles 13 and 14 of the UK GDPR should be reviewed for government contact pages.
15. A central register for data protection impact assessments (DPIAs) (article 35 of the UK GDPR) should be in place and proactively reviewed.
16. Update the social media policy.
17. Consideration should be given to 'flash mentoring' for roles that impact records management and P&E.
18. Consideration should be given to ensuring a more coordinated approach to the roles that impact records management and P&E.
19. Reviews should be undertaken around device security for all politically exposed persons (PEPs).
20. Ensure all Scottish Government staff and Ministers are updated on the position taken by Inquiries in relation to the duty to provide evidence and the relevance for all records management activities and personal conduct across the organisation.
A detailed breakdown of each recommendation is provided in Section 10 of this Report.
Contact
Email: helen.findlay@gov.scot