
Published: 15 November 2024

ICO Audit of Police Scotland - 20 November 2024

Report Summary

This report provides members of the Scottish Police Authority's Audit, Risk & Assurance Committee with an update following the ICO's final review of the consensual audit it undertook of Police Scotland's processing of personal data.

To access the full document please open the PDF document above.

To view as accessible content please use the sections below. (Note that tables and some appendixes are not available as accessible content). 

Meeting

The publication discussed was referenced in the meeting below

Audit, Risk and Assurance Committee - 20 November 2024

Date : 20 November 2024

Location : online


Progress

ICO completed a desk-based follow-up audit during the week of 16 September 2024 to measure the extent to which Police Scotland (PSoS) had implemented the agreed recommendations. The review was based on a management update and accompanying supporting documentary evidence.

ICO acknowledged the progress made towards completion of the original recommendations: 19 recommendations were completed (36.4%) and the remaining recommendations were all in progress.

Progress remains to be made in areas where a residual risk continues, and these remain the focus of effort, with priority given to those marked URGENT.

14 recommendations relate to SOPs, policies, guidance and forms that are still in draft. The policies and SOPs are subject to the consultation process; once it concludes, the recommendations will be discharged. Guidance development was paused due to staff vacancies and retirals but has recommenced and is a roadmap activity for completion by the end of the financial year.

7 recommendations relate to there being no Record of Processing Activity (RoPA). A technological solution is currently being explored and data mapping is underway to ensure PSoS has a single version of the truth for all data, assets and processing activities, inclusive of end-of-life activities.

The mapping extends to include critical data elements for RoPA.

Whilst it is accepted that the priority ICO places on a recommendation is intended to assist the data controller with prioritisation, it is unclear how PSoS could effect this change at a faster pace. Activities are underway and articulated on the roadmap; however, the body of work is vast.

8 recommendations relate to training. Compliance: 100% of officers and staff must complete the course annually, but to mitigate risk a target of 80% must be 'in ticket' at any given time. Mitigations are in place; however, the training completion rate remains below the 80% target. Work is underway to assess whether the baseline target is appropriate or should be modified. The training package for personal data breach reporting has been delayed due to vacancies within the Information Security team and the recent appointment of a new Information Security Manager. The disclosure practitioner training package is still in development by the Disclosure team and remains in progress.

1 recommendation in dispute.

1 recommendation remains outstanding, relating to the lack of compliance and audit checks (Tier 2). This is because demand for services is outstripping the ability to dedicate resource to this key area. A review of the risk is scheduled for November, and options to address it will be progressed thereafter.

1 recommendation relates to the s.62 requirements of the Data Protection Act 2018 (monitoring of system access, i.e. logging). Significant work has been undertaken in this space to date, resulting in the decommissioning of several non-compliant legacy applications. The recommendation has not been discharged because a weeding interdependency remains with National UNIFI (DEPP COS), scheduled to take place in the summer of 2025.

Continuous Improvement - A business case for investment in a technical solution for the retiral of legacy systems is being submitted. This will provide future-proofed capabilities for the management of end-of-life legacy applications, including the ability to weed data that is past its due retention.

1 recommendation relates to data processor contracts (with a RoPA interdependency). At the time of the final review, Police Scotland had 114 data processors, with assurance in place for each, which in turn gives growing overall confidence that DPIAs created with effect from 2021 (legislative implementation) that rely on a data processor have appropriate contracts in place with suitable controls.

The detailed mapping exercise for RoPA will likely highlight areas that pre-date the DPIA statutory requirement, resulting in a due diligence exercise upon their identification.

Refer to Appendix A – ICO Report

Refer to Appendix B – Recommendations Action Summary


Related Publications

The documents below are related by Topic and are the most recently published


Q2 Transformational Benefits Tracker - 19 November 2024

Published: 15 November 2024

Technology


FOI 2024/25-014 - Active projects within digital transformation

Published: 08 May 2024

Technology


FOI 2023/24-104 - DESC processing of personal data

Published: 08 April 2024

Technology

Drones - Information Sheet - October 2021 (Drònaichean - Duilleag Fiosrachaidh - Dàmhair 2021)

Published: 01 March 2024

Technology