Records are held in accordance with information security compliance requirements.
In line with the Keeper of the Records of Scotland’s (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act), the following guidance is issued regarding an authority’s information security processes:
In the course of their business it is likely that public authorities will create records containing sensitive information about people or details of business transactions that the authority may wish to protect from general consultation. Similarly, it may create records that hold information which should not be amended or deleted without appropriate authority. In both these cases information security policies and procedures should be implemented by staff at the time of document creation.
As well as the security of the information contained in a document, an authority must consider the physical safety of records (in all formats). This would include attending to the proper storage of hard-copy records and the protection of servers used to store digital material. The Keeper would expect an authority to have policies in place to ensure that records cannot be lost due to poor storage.
If your organisation is vacating premises you must take particular care of the security of records. You might consider having a formal policy on this matter.
As part of a full Records Management Plan (RMP), the Keeper would expect to see that such policies and procedures exist and are available to staff involved in the creation of records. S/he will also require confirmation that an authority has relevant staff monitoring in place to ensure the security of its information assets. As evidence, S/he will expect to be provided with copies of all relevant documentation.
The Keeper understands that in some rare cases the authority may be unwilling to share full security documents with him/her. For example, sharing a document that details out-of-hours access to a building, or where records are stored, might be considered to compromise the general security of the authority’s estate if it is shared beyond officers of that authority. If you have any concerns regarding this, please submit redacted samples accompanied by a short explanation of why you have taken this decision.
British Standard ISO 15489-1:2001 states:
Evidence
Potential evidence that an authority is properly considering information security might include a formal information security policy, approved by the senior accountable officer; details of the password protection and encryption systems in operation; information regarding access restrictions to record storage areas; description of electronic record back-ups held on separate servers; staff information security manuals, regulations and/or circulars; and routine information security reports or updates to senior management.
Sample Security Documents
The following samples suggest some of the documents that make up an information security framework and how these might be structured. Many authorities have chosen to provide the Keeper with a suite of security documents under this Element.
These samples should not be taken to represent the current procedures in operation at the authority that provided them; they are for ‘inspiration’ only.
Most authorities have a stand-alone Information Security Policy, although some choose to embed it in a larger Information Governance Strategy document. Here are three examples of how a separate Information Security Policy might be presented:
File 01 - Angus Council
File 02 - Audit Scotland
File 03 - Aberdeenshire Council
The Information Security Policy may be supported by a framework of other related policy and guidance documents.
File 04 - Aberdeenshire Council acceptable use policy
For some authorities it makes sense to combine information security and data protection instructions for staff. See also element 9 below.
File 05 - Ayrshire Valuation Board data protection and information security guidelines