National Records of Scotland

Preserving the past, Recording the present, Informing the future

Model Plan Guidance to Element 8

Model Plan Guidance to Element 8

Information security

Information security is the process by which an authority protects its records and ensures they remain available It also maintains privacy where appropriate and provides for the integrity of the records.
This is a compulsory element under the terms of the Public Records (Scotland) Act 2011 Section 1 2(b)(ii)

In line with the Keeper of the Records of Scotland's (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act) the following guidance is issued regarding an authority's information security code:

In the course of their business it is likely that public authorities will create records containing sensitive information about people, or details of business transactions, that the authority may wish to protect from general consultation. Similarly, it may create records that hold information which should not be amended or deleted without appropriate authority. In both these cases an information security code should advise staff. As part of a full RMP the Keeper would expect to see that such a code exists and is generally available to staff involved in the creation of records. As evidence he will also want to view the authority's code.

It is important to note that the Keeper will not want to see any information, policy documents or other material that might compromise the security of a public authority. If you have any concerns regarding this please submit redacted samples only, perhaps accompanied by a short explanation of why you have taken this decision.

British Standard ISO 15489-1: 2001 states:

The regulatory environment, in which the organisation operates, establishes broad principles on access rights, conditions or restrictions that should be incorporated into the operation of records systems. There may be specific legislation covering areas such as privacy, security, freedom of information and archives. Records may contain personal, commercial or operationally sensitive information. In some cases, access to the records, or information about them, should not be permitted. [footnote 1]

As well as the security of the information contained in a record, an authority must consider the physical safety of documents (in whatever format). This would include attending to the proper storage of paper records and the protection of servers if they are used to store electronic material. The Keeper would expect an authority to have policies in place to assure that records cannot be lost due to poor storage.

If your organisation is vacating premises you must take particular care of the security of records. You might consider having a formal policy on this matter.

Evidence

Potential evidence that an authority is properly considering information security might include a formal information security policy, approved by the senior accountable officer; details of the password protection and encryption systems in operation; information regarding access restrictions to record storage areas; description of electronic record back-ups held on separate servers and staff information security manuals, regulations and/or circulars and routine information security reports or updates to senior management.

Sample Security Documents

The following samples suggest an information security code might include and how it might be styled.

 

Scottish Enterprise provide this security policy;
[Scottish Enterprise information security policy - Acrobat PDF 288KB, new window]

Glasgow City Council offer their 7 key principles of information security with a governance 'map':
[Glasgow City Council Security Policy - Acrobat PDF 297KB, new window]

The NHS has supplied these two guidance notes regarding the security of records (http://www.scotland.gov.uk/Publications/2010/08/23091144/0)

Decommissioning of premises (http://www.scotland.gov.uk/Publications/2010/04/22093718/0)

National Records of Scotland 2011 Census Information Assurance Policy Statement (PDF 107KB)

Guidance Specific to Information Security

The Information Commissioner's Office has a small publication offering advice on IT security for small businesses. This may be of interest to small public authorities as well. (http://www.ico.org.uk/news/latest_news/2012/ico-launches-it-security-guide-for-small-businesses-18062012?hidecookiesbanner=true)

The Security Policy Framework (SPF), issued by the Cabinet Office, describes the standards, best practice guidelines and approaches that are required to protect UK Government assets (people, information and infrastructure). It focuses on the outcomes that are required to achieve a proportionate and risk managed approach to security that enables government business to function effectively, safely and securely. (http://www.cabinetoffice.gov.uk/resource-library/security-policy-framework)

HMG publishes an information assurance model with guidance and suggestions for self assessment regarding the security of the information held by UK government departments. Obviously, many of the principles in this document have relevance to Scottish public authorities. (http://www.cesg.gov.uk/PolicyGuidance/IAMM/Pages/index.aspx)

See also this link direct to other security standards and guides published under the HMG's Communications-Electronics Security Group (http://www.cesg.gov.uk/policyguidance/IAMM/Pages/Guides-Downloads.aspx)

Section 61 Code of Practice Statements:
[Section 61 Security and Access 2011- Acrobat 222KB, new window]
[Section 61 Storage and Maintenance of Records 2011 - Acrobat 227KB, new window]

The Information and Records Management Society Local Government Group has suggested some things to think about regarding the security and storage of paper records (http://www.irms.org.uk/resources/873)

Edinburgh University provide guidance to records storage areas (http://www.recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/RecordStorage/RecordStorageAreas.htm)

The 2011 UK census required strict information security procedures to be put in place. Public confidence that personal census information will be securely handled was a vital ingredient for success. The independent report into this project can be found here (PDF 262KB)

Complete Guidance Documents

Scottish Ministers' Code of Practice on records management by Scottish public authorities under the Freedom of Information (Scotland) Act 2002 - 16 December 2011(Section 61) (http://www.scotland.gov.uk/About/FOI/18022/13383)

Information and Records Management Society Toolkit for managing paper records
(http://www.irms.org.uk/resources/873)

Information Governance Records Management Guidance for NHS Boards (http://www.scotland.gov.uk/publications/2010/04/nhs-record-management)

Edinburgh University Records Management Advice (http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance)

If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at publicrecords@nas.gov.uk.

Return to Model Plan

Return to Model Plan or read the complete guidance to Model Plan.

Footnotes:

1. BS ISO 15489-1:2001 Information and documentation - Records management Part 1: General section 9.7