Local Authority digital systems and use of artificial intelligence queries: FOI release

Information requested

1. Oversight of Local Authority Digital Systems and Software

What formal oversight does the Scottish Government currently exercise over the software systems and platforms used by Scottish local authorities?

Is there any requirement or expectation that councils maintain an up-to-date register of systems used across departments?

Are councils required to report to the Scottish Government on:

• Number or types of digital systems in use?
• Duplication or rationalisation efforts?
• Cyber security measures or vulnerabilities?

2. AI Use in Local Government

Has the Scottish Government issued any guidance, policy, or oversight mechanisms relating to the use of artificial intelligence (AI) by councils?

Are councils expected to report the deployment of AI tools (including in CRM, planning, social care, or internal operations)?

If such guidance exists, please supply copies of relevant documentation, standards, or communications.

3. Cyber Resilience and Risk

Has the Scottish Government conducted or commissioned any assessments, audits, or risk analyses regarding the exposure of local authorities to cyber threats due to fragmented or outdated software usage?

If so, please provide:

• Copies of these assessments
• Any recommended or enforced action plans
• Internal or cross-departmental communications related to this risk area

4. Enterprise Partnership Software Oversight

Has the Scottish Government reviewed or audited the software, data, and digital infrastructure used by Scotland’s Enterprise Agencies (Scottish Enterprise, HIE, SoSE)?

Is there any requirement for consistent reporting or rationalisation across the enterprise agencies?

Response

Oversight of Local Authority Digital Systems and Software

What formal oversight does the Scottish Government currently exercise over the software systems and platforms used by Scottish local authorities?

The Scottish Government shares cross public sector guidance available to all working in the public sector. Under the Verity House Agreement, Scottish Local Authorities are empowered as autonomous entities with significant control over their own funding and decision-making. The agreement establishes a "partnership of equals" between the Scottish Government and local councils, affirming that councils are best placed to determine how to serve their communities. It commits to reducing ring-fencing of funds, regularly reviewing powers and funding, and adopting the principle of “local by default, national by agreement.” This means that local authorities have full and exclusive powers unless otherwise provided by law, and the Scottish Government cannot unilaterally direct or limit their actions. In this regard, the Scottish Government does not exercise any oversight regarding the software systems and platforms used by Local Authorities. Scottish Ministers have no general powers that would enable them to call on a council to account for its actions.

Is there any requirement or expectation that councils maintain an up-to-date register of systems used across departments?

The Scottish Government expects that all public bodies manage their risks, including cyber, in an appropriate and reasonable manner. As long as Local Authorities act lawfully, it is up to each local authority how it manages its day-to-day business and decision-making processes. As such, there is no requirement for councils to maintain an up-to-date register of systems used across departments, however the Scottish Government recognises that it is good practice for local authorities to retain an asset register including devices, software, networks etc.

Are councils required to report to the Scottish Government on:

• Number or types of digital systems in use? No
• Duplication or rationalisation efforts? No
• Cyber security measures or vulnerabilities? No

The Scottish Cyber Co-ordination Centre (SC3) works with the wider public sector to highlight vulnerabilities and ensure that organisations have the necessary information to recognise and mitigate the risks posed by emerging vulnerabilities. SC3 publishes weekly and monthly vulnerability reports to the sector and the wider public through CyberScotland.com Threat Reports. However, given the aforementioned information about the Verity House Agreement, there is no requirement for Local Authorities to report on the above.

AI Use in Local Government

Has the Scottish Government issued any guidance, policy, or oversight mechanisms relating to the use of artificial intelligence (AI) by councils?

The Scottish Government maintains the Scottish AI Register, which will, in time, be rolled out across all public sector areas in Scotland, making the public sector use of AI more transparent. The AI Register is currently voluntary, however there is an expectation that Public Bodies will use it. More information can be found here: https://www.gov.scot/news/increasing-ai-transparency/

The Scottish Government is currently rolling out the AI Register across Scotland, but due to resource constraints, the initial focus has been on Scottish Government and our immediate agencies. Our intention is to start wider awareness raising with all public sector bodies in the next few months.

Are councils expected to report the deployment of AI tools (including in CRM, planning, social care, or internal operations)?

As mentioned previously, due to the Verity House Agreement the Scottish Government has no direct responsibility for directing Local Authorities around their day-to-day business and decision-making processes, so there are no expectations or legal requirements for Local Authorities to report on this issue.

If such guidance exists, please supply copies of relevant documentation, standards, or communications.

What is the Scottish AI Register? | Transparency Report
Public Sector AI - Taskforce — Scottish AI Alliance
Living with AI

The following sessions were delivered during an event in January 2025, with all members of the National AI Task Force (which include some Local Authorities) invited to attend. The sessions used the Saidot AI Governance Handbook as their base material. (AI Governance Handbook: Your guide to scaling AI responsibly)

Managing AI Risk in the Scottish Public Sector – General Overview
Managing AI Risk in the Scottish Public Sector – Governance Overview
AI Risk Awareness

Cyber Resilience and Risk

Has the Scottish Government conducted or commissioned any assessments, audits, or risk analyses regarding the exposure of local authorities to cyber threats due to fragmented or outdated software usage?

If so, please provide:

• Copies of these assessments
• Any recommended or enforced action plans
• Internal or cross-departmental communications related to this risk area

No, the Scottish Government has not, and would not, conduct or commission any assessments, audits, or risk analyses regarding the exposure of local authorities to cyber threats. As mentioned above, Local Authorities are entirely separate entities from the Scottish Government as set out in the Verity House Agreement. Their powers are set out in statute and it is up to each Local Authority to manage its day-today business, including their cyber security and software usage.

Enterprise Partnership Software Oversight

Has the Scottish Government reviewed or audited the software, data, and digital infrastructure used by Scotland’s Enterprise Agencies (Scottish Enterprise, HIE, SoSE)?

No, the Scottish Government has not reviewed or audited the software, data, and digital infrastructure used by Scotland’s Enterprise Agencies.

Is there any requirement for consistent reporting or rationalisation across the enterprise agencies?

There is no requirement - spend controls are in place for Scottish Government and its public bodies and these are reviewed on an ongoing basis.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

FOI 202500473823 - Information released - Annex

File type

PDF

File size

2.6 MB