INTERNAL AUDIT REPORTING

2.1 INTERNAL AUDIT REPORTS
Members considered three new internal audit reports.
Electronic Data Retention and iVPD
Claire Robertson (CRobertson) highlighted a number of key points as detailed within the report.

In discussion the following matters were raised:
• Regarding the not accepted and partially accepted auditor findings, the Committee sought assurance that Police Scotland have alternative mitigating measures that address the risk identified by internal audit. DCC Bex Smith (DCCSmith) responded that a target of 100% for training was not feasible but it was felt 80% was achievable. CRobertson reasoned that the auditors felt it was important to target 100% in training, even if it’s not achievable, to show importance and allow for further mitigations. DCC Alan Speirs (DCCSpeirs) added that with an average abstraction rate of 27% and not all officers using the database, 80% was a reasonable target. Attendees agreed that part of the recommendation response would be to review who has access to the database and to work to a target of 100% of those who have access and use it.
• Members agreed it would be useful to have a target date against the information sharing agreement recommendations to which DCCSmith advised the gap analysis is expected to show a few rather than many. Rather than adhering to a target date, Police Scotland were focussed on completing it properly. Members therefore requested a progress update at the next meeting, in lieu of setting a target date.
• The Committee were informed that Police Scotland do not monitor what other organisations do with the information shared, but joint working can be reported.
• Members sought and received confirmation from CRobertson that no issues with data quality had been identified.
• The Committee Chair thanked BDO for their audit work in reviewing controls and processes in place relating to data retention but noted Members were concerned that there were around 900,000 nominal records on the iVPD system. Police Scotland were asked if there was a clear policing purpose of adding records and detail was sought on the value of having the information. DCCSmith described how 80% of calls to Police Scotland were not crime related so the database was created to record vulnerable detail in a wellbeing capacity.
• Members sought more detail on the adding and removal of records to which DCCSmith confirmed permission is not sought to add to the iVPD system but if requested, a person can be removed. DCCSmith emphasised that Police Scotland understand the duty involved in recording and sharing data and confirmed data is only shared following consent from the individual which is sought in an appropriate manner.
• Members asked how practicable it was to review the large level of records within the iVPD system and heard that whilst the volume was complex, clear retention and weeding policies assist in managing it. Members accepted the offer to be provided with detail on the process of how people are added and removed from the system, and requested examples on when the systems use has been successful and, when someone has been added and then removed.
• Members questioned if any broader data analysis was undertaken and were informed that Police Scotland are starting to analyse themes and demographics and are also exploring further partnership work in the preventative space.
• Members sought comment on system use in relation to new hate crime legislation and heard each hate crime report is assessed on a case-by-case basis, with follow up investigation if appropriate. DCCSpeirs confirmed information would only be added to the system after any follow up investigation, and third-party information would not be recorded.
• Members asked whether the data could assist in monitoring community tensions. DCCSpeirs responded that the system provides statistical information in the same way as crime data does and provides information on vulnerabilities of individuals. As such, DCCSpeirs stated he does not believe the data can provide information on community tensions.

Investment Prioritisation
CRobertson highlighted a number of key points as detailed within the report.
Resources Committee Chair, Grant Macrae, welcomed the focus on improving the transparency of prioritisation within the context of limited capital and reform funding available.
PBrown confirmed all recommendations have been accepted and Police Scotland is working on improvements in investment prioritisation.

Force Middle Office Review Project Review
CRobertson highlighted a number of key points as detailed within the report.

In discussion the following matters were raised:
• Andrew Hendry (AHendry) stated that the Internal Audit review provided lessons learned which have been acknowledged. AHendry assured the Committee the project was an exception and not representative of the portfolio.
• Members questioned whether SPA were aware that the project was underway as, although not a formal project, it would still have an opportunity cost. Chris Brown (CBrown) advised that SPA are not aware of all projects if they are not brought through formal governance. Whilst reassured by AHendry’s comments, SPA would be more vigilant following the report. CBrown stressed the need to ensure discipline as carrying out one project will reprioritise another; linking back to the recommendations from the previous investment prioritisation report.
• Members sought and received assurance that there were no other projects ongoing which had started in the same manner.
• Members asked how the outcomes are being taken forward and heard they were being used to help inform and understand resourcing as well as other ongoing projects.

The Committee RESOLVED to:
• NOTE the report.
• AGREE the following actions:
Progress update on working to discharge information sharing agreements recommendations to be provided to next meeting. 20240419-AUD-001
Members to be provided an overview of on the process of how people are added and removed from the system, and requested examples are shared on when the systems use has been successful and when someone has been added and then removed. 20240419-AUD-002