Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology

9. Culture

9.1 The Information Management Strategy published by the Scottish Government in 2022 is a comprehensive and well-thought through piece of work. It highlights the role and importance of culture and behavioural change. The document also says, 'government information has yet to meet the digital challenge.' The two are linked. Meeting the digital challenge is not only an issue of technology, but also of people, behaviour, and culture.

9.2 The Scottish Government ran a 'continuous improvement programme' from January 2021 to December 2022 which focussed on culture and behaviours. After the programme concluded, ongoing work was incorporated into 'business as usual' with Propriety & Ethics playing a key role. The content of the final report^[38], provided to the Scottish Parliament in January 2023 points to an understanding of the relevance of these issues at the highest levels. It is hoped that this review will support and energise those ongoing workstreams by re-emphasising the critical role they play, especially in light of new and evolving technologies which can have wide ranging impacts.

9.3 This review seeks to understand and engage with those issues because it is not enough to draft policies and procedure if they are not read or adhered to. Nor is it enough to roll out new technology if people do not engage with or understand the associated risks. Simply giving people information is rarely likely to change behaviour. A change in environment and in culture will.

9.4 Examples of the danger of assuming the provision of information is sufficient and will result in compliance are not hard to find in the context of this review.

9.5 In the reprimand issued by the UK Information Commissioner to NHS Lanarkshire in January 2024^[39], reference was made to the organisation's failure to conduct a data protection impact assessment (DPIA). It also points out that WhatsApp was not approved for use by the organisation but was nonetheless used by staff without organisational approval or knowledge.

9.6 In the context of the Inquiry Module 2B, despite MMAs not being approved for use by the Welsh Government, it became clear during the course of the hearings that, as had been the case in England, Scotland and Northern Ireland, WhatsApp had been extensively used by Ministers and officials. Even more concerning was the admission that some staff even felt pressurised to breach the policy (which prohibited its use).

9.7 Despite rolling out an updated policy aimed to strengthen governance of MMAs, the Constitution Society noted that "[W]hilst superficially signalling a move towards improved practice, the new Cabinet Office policy appears to have had little impact on the extent to which WhatsApp is used"^[40].

9.8 These examples show us all too clearly what the reality of frameworks of laws, policies, procedures, and guidelines can look like in the absence of organisational and cultural buy-in.

9.9 We need to understand the role of the framework in place, whether that is legislation, policy, or training, we also need to understand how people behave. "It is important not to treat them as though they are mutually exclusive entities. In fact they are part of a whole."^[41](Blick & Hennessy, 2022, p.122)

9.10 Choices and decisions made, as well as those not made, are influenced by many things including our experience and knowledge, what others around us are doing, and the context within which we are acting. There is no such thing as neutral choice architecture and there is much that can be done to build a framework and a culture that encourages, supports, and incentivises individuals to do the right thing. The culture of an organisation can enable formal governance as much as it can defeat it.

9.11 The aim must be to create a culture of compliance and one that is blame-free but not accountability free.