Review of corporate information management

Strategic case for change

In this section:

• the value of information management
• the growing case for change
• information compliance
• responding to public inquiries and external scrutiny
• the impact of inefficiency
• case studies in inefficiency
• digital technology advancements: opportunities and risks
• the use of social media and mobile telephony

The value of information management

Information is a precious commodity for the organisation and is crucial to the success of the business of government and the SG’s vision of being open, capable and responsive. To support this the SG needs to enhance the degree to which it recognises and values its information. It should be valued in equal measure to other key assets like people, finances and infrastructure.

Information management is the term used to describe all activities concerned with using information in all its forms. It is the means by which an organisation plans, identifies, creates, receives, collects, organises, governs, secures, uses, retrieves, controls, disseminates, shares, maintains, preserves and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.

Information management should be more than just a collection of individual policies and procedures for certain disciplines like records management, data protection and freedom of information. In the digital era and with the expectations of the public, the Scottish Parliament and other stakeholders around the availability of and access to government information, the organisation needs to fully appreciate that its information is its record of work and as such should be protected by best practice handling and corporate discipline.

Government records are defined as recorded information in any form, created or received in the day to day work of government. They are characterised by their essential purpose and value which is to provide reliable evidence of actions, decisions and events – the 'who, what, when, and why' something happened. The SG’s records should be primary sources of information which include unpublished documentation in any format. To demonstrate the value of such information it should be viewed as a corporate entity, managed in a consistent and corporate manner and maintained and protected in the corporate electronic documents and records management system known as eRDM. The review found a prevalence of localised non-corporate behaviours around information management which can increase risk and potentially undermine the true value of the information the organisation creates, receives and manages.

The growing case for change

The case for change in the SG’s model of information management has been building over time. Key drivers for change continue to emerge and when taken with the conclusions of previous strategic reviews and assessments have brought into sharp focus the SG’s strategic management of information. Collectively these drivers can now be seen as representing a ‘tipping point’ for the organisation to re-evaluate and reset its approach to information management. This review has reaffirmed and builds on the conclusions of preceding bodies of work which previously highlighted the challenges facing the SG around information and records management. These included:

• UK Cabinet Office Review of Government Digital Records  December 2015
• UK Cabinet Office Better Information for Better Government January 2017
• SG eRDM Improvement Programme Full Business Case July 2017
• SG Corporate eDiscovery Project -  Outline Business Case May 2019

Their key conclusions and recommendations are further detailed in Annex A of this report and they remain applicable to the SG today and continue to serve as key drivers for change. Common problems and conclusions made during these assessments and validated by this review include: 

• Insufficient priority given to information management
• Significant prevalence of unstructured information and data which is not properly managed
• Policies & guidance not being fully implemented in practice
• Lack of corporate behaviours
• Limited readiness for digital advancements
• Impact on performance, efficiency, compliance and information security
• Need for culture change, strong governance and leadership

Information compliance

The SG is committed to complying with a range of legal obligations including, but not limited to, the keeping of public records, data protection, freedom of information. To support these obligations long established corporate teams are in place staffed by dedicated, experienced and knowledgeable practitioners in these discipline who provide advice, guidance and operational support and oversight to the wider business on meeting these obligations.

The review found that the efforts and work of these teams and wider operational staff can be hindered by the current information environment, culture and working practices. The organisation’s information management legal obligations, such as the Public Records (S) Act 2011, are not being best served by the volume and unstructured nature of information currently stored in unstructured repositories which do not have the level of business governance measures in place that exists around the corporate eRDM system. Optimising the organisation’s capacity and capability to comply with information management related law and indeed its own policies should act as a compelling driver for change and improvement.  

Responding to public inquiries and external scrutiny

Responding to public inquiries, external and parliamentary scrutiny is now a constant and permanently embedded feature of SG’s ‘business as usual’ environment. Inquiries relating to the SG’s Covid 19 response are inevitable. Recent other examples include:  

• The Scottish Child Abuse Inquiry
• The Buchanan/St Ambrose High Schools ‘Bluewater’ Inquiry
• The Hospitals Inquiry
• The Sheku Bayou Inquiry
• The Inquiry into the Scottish Government’s Handling of Harassment Complaints

The SG’s response to these inquiries has highlighted the challenges posed by the current information management environment not least the numerous and unconnected information systems used by the business and the sheer volume and largely unstructured nature of information they hold. The current approach to responding to these inquiries is generally reactive and tactical in nature with business areas creating dedicated teams to try and collate, structure and analyse all relevant information that may relate to or provide evidence of key actions and decisions having been taken or not. The work of these teams can be impeded as they try to overcome the complexity and inefficiencies inherent in the current information environment.

During the review it was noted that the DG Health and Social Care has developed a bespoke information governance model to support and manage decision making processes across a range of activities as part of their Covid 19 response. This model has had to highlight the importance of information being stored and managed in the corporate eRDM system. This information led decision making  model is good practice in itself as well as being a tool designed to encourage best practice information and records management generally.

Crucially of course, it is not just at the point of reactively responding to any inquiry or information requests that challenges are encountered. Difficulties can also arise at the very point of responding to or planning for an event itself when the organisation relies on real time, reliable, accurate, well-structured and accessible information in a consistent manner that wherever possible follows the principle of a ‘single source of the truth’. The business requirement for strong information management can equally apply to spontaneous major events, policy development, procurement decisions, project delivery etc.

The impact of inefficiency

It is important to recognise that there can be substantial economic benefits from better information management. Additionally, improved information management practices can improve the quality of business decision making, particularly where decisions are based on best evidence, and this in turn can lead to savings in business operations and service delivery. Reduced costs can be achieved simply by adopting a ‘get it right first time’ approach.

The current information environment can lead to widespread multiplication of effort across a range of business functions in the SG particularly in the pursuit and reuse of information held across various sources. Recent business critical events have served to highlight the difficulties which the current information landscape presents. These demonstrate the manual and technical effort that is required to create retrospective tactical solutions to issues. The root causes are varied but typically are due to

• information management best practice not being fully applied in the first place
• the importance of the information not being fully understood
• information and records management not being considered a high priority
• staff not having sufficient time
• staff not understanding key processes or eRDM system functionality available to them
• the widespread availability of unstructured information stores which can be used as alternatives to eRDM
• cultural apathy and negativity towards using eRDM
• limited process automation

Case studies in inefficiency

During the review several examples emerged of tactical solutions being developed to overcome gaps and risks created by guidance and good practice not being followed at the outset. For example some business areas, including those gathering information relating to the response to Covid 19, were faced with huge backlogs of emails containing important business related information requiring to be filed in the corporate eRDM system. Significant business and technical resources were deployed to develop interim solutions to migrate this information to eRDM. This included consultancy support from the eRDM supplier and content having to be restructured and cleansed by the newly acquired corporate eDiscovery tool. The cost of this work can be significant and is potentially avoidable.

In these instances corporate email management guidance is available but like other training resources may not have been fully exploited. Functional integration between Outlook and eRDM and the new eRDM user interface has greatly simplified the filing of emails. There is also an email capture tool within eRDM which can automatically import emails in certain high volume mailboxes types such as those of senior civil servants or busy support teams. These tools should be fully exploited to reduce risk and inefficiency.  

Similarly the new corporate eDiscovery solution should be fully exploited to achieve its original strategic purpose of supporting the business to structure, analyse and cleanse legacy unstructured information which is not fully managed. Until now the tool has been largely deployed for specific information retrieval requirements for inquiries.

Digital technology advancements: opportunities and risks

In the wake of the global Covid 19 pandemic one of the top information priorities set out by government organisations is to accelerate their digital business and technology initiatives. A current example of this has been the recent rapid deployment of Microsoft Teams to 16,000 staff using the SG SCOTS network to support mobile and remote working, secure video conferencing and digital collaboration. These will be followed by other information platforms in the Microsoft 365 suite of applications such as One Drive and Sharepoint.  

There are both opportunities and risks in governments keeping pace with the global roadmap of digital information systems. Implementing the latest digital platforms also means introducing the next generation of information repositories for the business to create, collect, store and manage information and the business needs to fully understand both the benefits and the implications of this. If the SG accepts that there are gaps, risks and issues in the current information environment which need to be addressed, then it must also safeguard the organisation going forward. Care should be taken to balance the benefits of digital technology with the core information needs of the business and its capability to keep up with, accept and successfully adapt to change.

As well as taking remedial action to address challenges of the legacy information environment, careful planning should also be applied to mitigate the risks of repeating the mistakes of the past during the delivery of new digital information systems. Future information risks should be mitigated now by applying lessons learned. Information and records management should not be afterthoughts in the delivery of new technology. The development of clear information management guidance, policy and governance should be planned in from the outset as core dependencies and workstreams in any projects delivering new or upgraded digital information systems. In essence the SG should do all it can to avoid creating a ‘digital heap of tomorrow’ containing poorly structured, poorly managed and difficult to find information which is created and managed in a non-corporate manner.

The use of social media and mobile telephony 

Information management in government is typically seen through the lens of physical, written information in the organisation’s internal and official systems of work. Where necessary and appropriate, the SG’s management of information needs to also consider how to capture  the outputs of the dynamic world of digital working involving the use of mobile platforms, devices and social media.  

Increasingly information can be received and communicated in ways that aren’t always immediately visible to the wider organisation nor able to be immediately recorded for example in a corporate system. This simply reflects the often dynamic nature of business and availability of digital platforms and mobile devices rather than any deliberate act to avoid proper recording of information. This can sometimes include information that may relate to official business but not always in a formal business environment system, for example on telephony or social media platforms such as SMS texting, WhatsApp, Facebook, Twitter, Instagram etc. In fact business related information can often also be created and managed through verbal communications in person or via mobile platforms, for example chat at a social event attended by work colleagues or business partners, or on a video or audio conference call.

The SG has quite comprehensive policy and guidance on the use of social media and SMS texting. However this could provide greater clarity around the need, in some circumstances, for the official recording of information concerning key business related actions and decisions which are created, received, stored and communicated via these platforms and should apply equally to the use of work issue or personal mobile devices. Clarity on this is important to ensure such information is properly reflected in, or directly transferred to, official information systems, especially eRDM, either in real time or retrospectively.