Record recovery, prioritising vital records, is an integral part of the authority’s business continuity planning.
In line with the Keeper of the Records of Scotland’s (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act), the following guidance is issued to support authorities with regard to business continuity and vital records.
It is recommended that public authorities have a business continuity plan that includes access to records during an unexpected event, and that they can identify key records that facilitate the operation of the authority.
This applies whether the records kept are paper-based, digital, or both.
It is important to note that the Keeper will not want to see any information, policy documents or other material that might compromise the security of a public authority. If you have any concerns regarding this, please submit redacted samples accompanied by a short explanation of why you have taken this decision.
Evidence
The authority should provide evidence that, in the case of an emergency, recovery of records is appropriately considered.
The Keeper would expect to see evidence of this in the form of a business continuity plan or similar (featuring system/record recovery). Some authorities have an overarching business continuity policy and multiple local plans supporting the objectives of that policy. The Keeper would need to see the policy and a sample of one of the local plans.
Other potential evidence for this Element might include a ‘disaster plan’ or similar, or a policy approved by the senior accountable officer, identifying records that are vital to the operation of the authority, and explaining how they should be protected.
It is possible that vital records will be identified in a comprehensive information asset register (Element 4) or under the authority’s retention scheduling procedures (Element 5). If this is the case, an authority would not be required to submit a separate vital records policy. However, even in such a case, reference should still be made to the recovery of vital records in the authority’s RMP.
The identification of vital records and robust plans to recover them is particularly important when the authority cannot rely on the return of all records from a full immediate digital back-up.
For example, how are those vital records that are held in hard-copy format protected against loss in an emergency situation? This might mean that an authority needs a separate disaster recovery plan for its paper records.
The Keeper will expect to see evidence that staff have access to the appropriate business continuity arrangements and that these are tested routinely.
Business continuity plans may contain information that the authority considers as sensitive (a call out plan with home phone numbers for example). The Keeper has agreed that evidential documents can be heavily redacted if necessary. In lieu of evidence, s/he can also accept a guarantee from the individual identified at Element 1 (or above) confirming that business continuity arrangements are in place and are properly reviewed/tested. This Chief Executive confirmation is not normally accepted under any other Element.
Finally, it is commendable if any business continuity plan itself is listed under ‘vital records’. It may be the first thing you need to access in an emergency.
