Review of corporate information management

Review of the Scottish Government's corporate processes for the storage, retrieval and deployment of corporate information to ensure they are fit-for-purpose.


Information governance

Key information governance gaps

“Records managers are not the only key players involved in managing organisational information, particularly where the transactions of an organisation’s activities are recorded in multiple business systems (e.g. human resource and finance systems, enterprise information management systems, and so on). There is a need for all information professionals to be able to work together collaboratively, each bringing their own particular expertise to the mix."  Records Management and Information Culture : Tackling the People Problem - G. Oliver & F. Foscarini, 2014.

 

The SG has some well-established individual operational policies, controls and processes in key information management disciplines such as records management, data protection, freedom of information, information security and ministerial correspondence.

Corporate teams in these specialist information disciplines work hard to deliver the needs of the organisation but often do so in isolation of each other. Whilst corporate in their intended nature and title, they tend to operate in silos, more as a collection of disparate operational functions and controls rather than forming an efficient and integrated end to end model of information management practices and governance. This can lead to inefficiency, gaps in the management of information and strong skills and knowledge not being shared and spread across functions. This can also create a culture of departmental or localised ‘tunnel vision’ and competing priorities around information management. There is no corporate level collective oversight of these information management processes.

 

Some gaps in information governance also exist at a strategic level. Roles have been assigned such as Accountable Officer, Senior Information Risk Owner and Information Asset Owner. There is however no executive level governing group which is either dedicated to information governance or has it as a core agenda item at meetings. Information management does feature in executive level scrutiny when it is tracked as a particular risk or issue. For example the current corporate risk register cites Covid 19 impacting on FOI response targets and also documents a risk relating to resources, capability and capacity to respond to public inquiries. Some of the root causes of the challenges facing these business requirements are already outlined in section 2 of this report.

The DG ODO has specific responsibility as the organisational Senior Information Risk Owner (SIRO). However information management is a core component of all business functions in all DG areas and Directorates.  It should not be separated out and viewed as a specific function or endeavour for one distinct area to own and deal with. It should be recognised that information governance is an equal and enterprise wide responsibility across all DG areas, Directorates and Divisions.

It was also noted that previous thematic audits and inspections by Internal Audit and the Information Commissioners Office focussed on specific areas i.e. readiness to implement GDPR and the management of data security incidents. The organisation should ensure it is well placed going forward to respond to future scrutiny in the event information governance forms part of that.  

Delivering some of the key recommendations in this review will unquestionably benefit from enhanced governance and visible strategic sponsorship at a corporate level. This could be established initially through DG Assurance Groups perhaps reporting to the Executive Team and Corporate Board. The remit of the latter includes overseeing that there is an effective model of internal controls, risk management, financial stewardship and other governance requirements. These groups could provide strategic support and oversight of information management and any key recommendations taken forward from this review.   

Establishing a corporate information governance group

As an immediate measure to bridge some of the key governance gaps the SG should consider creating some form of corporate information governance group at a senior operational level. This will help develop a greater sense of corporate and collective responsibility around information governance, as well as drawing on skills and expertise to improve and shape best practice now and going forward. Membership could be drawn from senior practitioners from key business areas and other representatives as listed below. 

  • Head of KIM
  • KIM Education and Business Engagement
  • Freedom of Information
  • National Records of Scotland
  • Corporate Records Management
  • Ministerial Correspondence
  • Data Protection
  • People Directorate
  • Legal Directorate
  • Cyber Security
  • Digital Directorate
  • Representative IAO
  • Representative from Business Management Units
  • Representative IMSO
  • Representative from Agencies/NDPBs
  • Non-executive/external representative 

This group could act as a senior business advisory body on information management to Executive level governance groups. An immediate focus of the group could be to support and oversee the delivery of recommendations and actions from this review. It could also consider the development of a business case to assess the viability of establishing a corporate Information Governance and Assurance Division. Such a function could potentially bring the various information management  functions into a single corporate multidisciplined Division to capitalise on the combined experience, skills and common business objectives of various disciplines which could provide both strategic assurance and operational oversight.  

The Welsh Government comparator  

Part of the benchmarking activities undertaken included analysis of the Welsh Government’s (WG) information management model where the business and technical information environments and challenges have significant similarities to that of SG. They too have been exploring and implementing ways to tackle the difficulties of brigading staff towards a more corporate model of information management and solutions which either resolve the problems of unstructured and insufficiently managed legacy data or at least prevent the situation getting worse. They also have the same corporate software applications for documents and records management, secure cloud collaboration, workflow and eDiscovery and are on a similar path as SG towards implementing Microsoft 365 products. 

The Welsh Government has implemented measures aimed at reducing information governance risk associated with unstructured and poorly managed information systems. For example they have closed off all access to shared network G Drives and have made the individual H Drives of all staff read only. This has helped brigade staff towards using their equivalent of eRDM for their core information management.

The Welsh Government also identified governance gaps in the organisation which they addressed by investing in new roles known as Knowledge and Information Managers based within each of their four DG areas. This is now seen as a crucial component in corporate information governance which provides:

 

  • a dedicated information governance and assurance function to encourage, develop and maintain high standards and compliance across the Directorates within their DG area
  • a conduit with corporate information management functions such as records management and data protection teams.
  • advice and support to officials/teams within their DG including IAOs
  • performance monitoring and quality health checks on information management

This review makes recommendations relating to managing down the use of these non corporate information systems, creating a corporate governance model and investing in the resourcing of information management. The action taken by the Welsh Government should help inform any measures taken forward by SG. 

Contact

Email

Email: ceu@gov.scot

Related information

Handling of harassment complaints

Back to top