Letter to Head of Northern Ireland Civil Service
19 October 2018
Dear David,
I refer to our recent meeting regarding information governance in the NI Civil Service (NICS) and, in particular, the need to record and preserve decision-making appropriately in the interests of accountability and transparency.
I found our discussions very helpful and I was also encouraged by the views expressed at the Permanent Secretaries' Stocktake the following day. I now have greater confidence that the leaders of the Civil Service in Northern Ireland are committed to improving practice. Taking the opportunity now to review and revise procedures during the suspension of the NI Executive with an aim to implement them in advance of its re-establishment will, I anticipate, result in much more effective governance in future.
We agreed in our meeting that I would provide you with some recommendations relating to principles I would urge to be adopted within those revised operating procedures. In part, these principles reflect the new technologies which are becoming integral to day-to-day working practices in government but which, without due diligence, may impact negatively upon transparency. In summary, the procedures should:
• Command buy-in from all staff, including senior management;
• Be supported by regular information governance training for all staff;
• Record all key decisions and actions, and the rationale behind them;
• Ensure integrity in the use of new communication technologies; and
• Manage all information effectively and appropriately according to need.
More detail underlying these principles is contained in the Annex to this letter.
Effective record-keeping is essential for transparency of government and it also assists organisations demonstrate compliance with all forms of statutory requirements.
As you will know, my own remit is in relation to the upholding of people's information rights as stated within data protection and freedom of information regimes. It is now a statutory requirement for organisations to properly record their processing of personal information and the decisions lying behind that processing. The same duties are not stated explicitly within the freedom of information legislation but I am nevertheless strongly advocating that public authorities adopt a "duty to document" as a matter of good practice.
I am also advocating this to the UK Government as a future amendment to the Freedom of Information Act 2000 or in other appropriate legislation. Adopting these principles - which we also will be promoting to other administrations - as part of your revised procedures, would put you in a strong position should this become a legal requirement in the future.
I also welcome your commitment to review the Northern Ireland Civil Service Code to ensure it reflects modern responsibilities in relation to transparency and open government. In doing so, I do hope that you will give these principles your due consideration.
As agreed at our meeting, my team in Northern Ireland, headed by Ken Macdonald, will be happy to work with your own staff in developing the new approach to be adopted by the NICS.
With best wishes,
[Signature]
Elizabeth Denham
Information Commissioner
ANNEX
• Command buy-in from all staff, including senior management
In order to achieve all the key elements of good practice, the NICS must have in place organisational arrangements that support effective information governance. This includes leadership of the Permanent Secretaries and their Senior Management teams to ensure information governance is viewed as a core corporate function, as well as a statutory obligation, with clearly defined roles and responsibilities for all staff. By endorsing these arrangements, a culture of accountability will be promoted.
This may be achieved through a top level information and knowledge management strategy together with policies and procedures that are supported throughout all levels of the organisation. It is, of course, also essential to ensure departments are properly resourced to implement the new practices.
Departments may already have introduced new policies and procedures in relation to aspects of information governance as part of their preparations for the introduction of the new data protection regime. It should be possible to adapt many of those policies and procedures to apply to other types of information as part of a wider move to strengthening information rights compliance.
• Be supported by regular information governance training for all staff
The policies and procedures adopted by NICS to achieve good information governance will only be fully effective if staff understand the importance of proper record keeping. This can be achieved through the provision of regular - and compulsory - information governance training.
On commencement of their employment, all NICS staff should undertake mandatory information governance training regardless of their role or function. Compulsory refresher training should also be provided at appropriate intervals. Training packages should be regularly reviewed and updated to reflect best practice (including ICO guidance) and to ensure that new and emerging techniques and technologies are properly considered.
At a minimum, all information governance training should contain key modules covering:
• Roles and responsibilities
• Recording information, including documenting key decisions and actions
• Status of records
• Use of technologies
• Statutory obligations
• Responding to information requests
• Information sharing
• Retention and disposal schedules
• Security of records and information
• Breach reporting
Temporary or agency staff, contractors and consultants should also receive clearly defined procedures in information governance. Roles and lines of responsibility should be set out clearly. This should ensure that all staff and workers who create records in the course of NICS business are adhering to these procedures.
• Record all key decisions and actions, and the rationale behind them
Documenting decision-making is a good governance measure. It leads to accountability for the decision, promotes knowledge transfer and helps to ensure legal rights and obligations are met. Individuals expect accountability from public bodies in their actions as well as their information rights practices. An accurate record of actions is essential to this process. It will provide the narrative behind decisions that will affect the lives of the ordinary citizen, explaining how the decision was reached and subsequently whether to proceed or not proceed with a proposal.
The Information Commissioner expects public authorities to implement a "duty to document" all decisions made by them as a matter of standard practice. This would reflect to some degree the new accountability principle of the GDPR which requires data controllers to be able to demonstrate compliance with their accountability obligations. Again, the procedures adopted under the accountability principle may be easily adapted for other forms of record keeping. However, and crucially, a public body must be able to demonstrate the basis of any decisions taken by it.
Access to information rights depend on public authorities documenting their key activities and decisions. Unrecorded decision making - either orally or through the use of new messaging technologies - will undermine public accountability and the public's trust. A duty to document will address this by establishing a positive duty for public servants to create a full, accurate and complete record of their important business activities including, for example, decisions made regarding resource management, budgeting and policy. By creating those records showing the 'what' and 'why' of public decision making, accountability, transparency, good governance and public trust will all be enhanced.
A duty to document should not be onerous but instead be proportionate to the significance of the decision taken. Its focus is not on the creation of more records, but rather on the efficient and effective recording of the right records reflecting the business needs of public authorities and community expectations. It must be accompanied by strong information governance practices and standards in order to be effective.
• Ensure integrity in the use of new communication technologies
Retention and accessibility of records can be complicated by the introduction and adoption of new communication technologies which may impact upon the volume and variability of records. New approaches to the transmission of information should be encouraged where it is appropriate to do so. However, risk assessments focussing upon information governance issues should be undertaken before adoption of the technology takes place.
It is understood that there may no longer be as clear a distinction between devices used for work purposes and those for personal use as there have been previously. The use of instant messaging services and social media applications as well as private email accounts often significantly blur the line between personal and business communications. This challenges the ability of public authorities to document and preserve decisions and may erode a proper record of decision making. Accordingly policies and procedures adopted by NICS must incorporated guidance on the use of personal devices for business purposes. Those who use personal devices to communicate about work matters - including government officials, special advisors and Ministers - must be made aware that such electronic conversations will be subject to the Freedom of Information Act. If such records are not retained by the relevant departments, there becomes a greater reliance on "oral" government to the detriment of transparency, accountability and good governance.
New technology does not change the statutory information rights obligations of public authorities subject to the Freedom of Information Act. As such, those obligations also extend to ensuring that these novel communication technologies are sympathetically integrated into the work of government departments in a way that will not abuse the proper duty to maintain records, hamper their information rights obligations as public authorities or discredit their information rights handling with the general public.
• Manage all documents effectively and appropriately according to need
NICS departments should review and manage their records effectively throughout the entire life cycle from creation to transfer for preservation or disposal. Guidance for public authorities on good records management is provided by the Lord Chancellor's Section 46 Code of Practice.
The Code applies to "Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business" irrespective of how it has been stored. This includes both paper files and digital records and also business and information systems (eg, case management systems and financial records). All government departments need to be certain of the scope and nature of the documents and information that must be kept to meet their business, legal, regulatory and accountability requirements. Staff should be advised of these during their information governance training.
As part of the preparations for the implementation of GDPR, the ICO advised all organisations to undertake an information audit across all areas of their business. Having completed such audits, NICS departments should already know what records of personal information they hold, the legal basis for holding the information, the purpose it is held for and the relevant retention period. A similar audit should be undertaken for other categories of recorded information. This exercise may be informed to a large extent by the earlier work already undertaken.
Public authorities subject to the Public Records Act (Northern Ireland) 1923 should also have arrangements in place to ensure the timely and effective review and transfer of public records where applicable. Disposal of records should be undertaken only in accordance with clearly defined policies. In this regard, it is important for staff to be aware of the distinction between a transitory and non-transitory record; this often poses a difficulty for staff. Crucial to this is understanding the content and context of a record, than just its form.
END
The public might well have expected all of this to be well established current practice. Indeed, the Office of the Information Commissioner has provided Model Publication Schemes** for numerous types of public governance, including advice on making available agendas, minutes and officers' reports so that those who are interested can discover how decisions are reached.
Ironically, this letter has been provided in PDF image format which can't be word-searched - yet word-search is an essential ingredient of transparency - so I've gone to the trouble of making it more accessible!
** The Northern Ireland Audit Office subsequently provided reports which were cut-and-pasteable, word-searchable and user-friendly.
Added
Email to RHI solicitor [18 September 2018] "I've listened to some of the RHI inquiry sessions and word searched some of the transcriptions. However, the Inquiry website should be searchable but isn't. Can this weakness be remedied? My request is based on the Information Commissioner Office's Model Publication Scheme's direction that information should be 'easily identified and accessed by members of the public'."
Email from RHI secretary [18 October 2018] "Your email below was passed to me, as the design and maintenance of the website is an administrative matter. I apologise for the delay in getting back to you, but I wanted to investigate whether it would be possible to provide the type of search facility you envisage. There are some difficulties because of the varied formats in which documents have been provided to us, but we have now been assured that a search facility can be installed that will cover most, but not all, of the information we hold. I have therefore asked our IT team to take this forward. It will have to be designed, applied and tested, but we hope to have it available to the public in the next couple of weeks. I hope this will be of assistance to you."
Email from RHI secretary [23 November 2018] "Thank you for your email. Our IT Team (which sits outside the Inquiry) has produced a search facility that was found to require further refinement when tested. They have been in contact about it again this week and I will let you know as soon as we are able to offer it on our website."
Email from RHI admin [19 December 2018] "I have been advised that the search facility for the Inquiry website is still undergoing testing but should be available for use in the New Year. I apologise for the delay to date."
Email from RHI secretary [6 February 2019] "It is a long time since you first raised the matter of a search facility on our website. We have experienced a number of difficulties along the way, but I am pleased to say that our IT support team has now given us a version that should be of some assistance to those seeking to navigate through our archives. I hope this will be of help to you and I apologise for how long it has taken."
Added
Email from a senior ICO case officer: [18 October 2018]: "There is nothing in the requirement that the information in a Model Publication Scheme should be easily accessible and identifiable that would require a website to be word searchable. As such we would not be able to intervene in asking the RHI Inquiry to provide that functionality."
This ICO assertion is at odds with regular references to 'easily identified and accessed by members of the public' in publication schemes!!!