Official Report 698KB pdf
Under agenda item 2, we return to our evidence gathering on the Freedom of Information Reform (Scotland) Bill. We are joined by Katy Clark MSP, who introduced the bill.
I welcome Gordon Martin, regional organiser and lead officer for CalMac Ferries, National Union of Rail, Maritime and Transport Workers; and Dr Kenneth Meechan, head of information and data protection officer for Glasgow City Council.
We will move directly to questions, and, as is the convener’s privilege, I will go first. My first question relates to the policy memorandum that sits behind the bill. The bill’s principal aim is to
“improve transparency by strengthening existing measures”
in the Freedom of Information (Scotland) Act 2002, and to deliver recommendations from the report of the Standards, Procedures and Public Appointments Committee in the previous parliamentary session. Gordon Martin, how timely are the changes and are they needed?
First of all, thanks for the invitation to come along. The changes are most definitely needed and are timely—although that will depend on the parliamentary process. The RMT hopes that the Government will grant the bill sufficient parliamentary time and that the committee will be allowed to do its work to get the bill in place before the Parliament is dissolved for the election next May.
I will touch on this later, but the RMT has submitted freedom of information requests fairly recently to companies that are Government funded, and those requests have been declined, so the legislation needs to go further, and we need far more accountability than there is currently.
So, this is the right time for the change and there is an imperative that it happens in this parliamentary session rather than waiting—
Yes, rather than it dragging on.
Thank you. Kenneth Meechan, do you have any comments about the urgency of change or the timeliness of the bill?
My organisation supports the transparency agenda, but our perspective is: if it’s not broke, don’t try to fix it. We spoke about this before the evidence session and, as has been said, very few requests made to my organisation result in our being ordered to release information by the Scottish Information Commissioner. The current figure is that about two in 1,000 requests result in our being ordered to disclose information that we had previously withheld. After 20 years of FOI, we have processed around 56,000 FOI requests; most of the people who have made those requests have received the information that they asked for without further ado.
So you have confidence that the system that we have, which the bill seeks to enhance, is working fine and that, although some small changes might be needed, no fundamental change is needed.
I do not see the need for a fundamental change. One of the proposals is to extend the scope to modern applications—WhatsApp being the classic example—but, as far as I am concerned, those are already in scope.
With regard to the environment of openness in public authorities in practice, do you not think that the bill would allow them to take the next step? As you said, you and those you represent are very open in your responses, but do you not think that it would aid all public authorities to take a step towards being more open with the people who, in effect, fund them?
I would like to think that we are already doing that. After more than 20 years’ exposure to FOI legislation, anyone working in the public sector must be aware that we are subject to it. At the moment, we operate in almost a goldfish-bowl environment, in which we know that our decisions can be open to scrutiny and external investigation and inquiry, and that is absolutely right—I completely support the principle of transparency.
The bill’s provisions would result in some improvements to the processes overall. The question is whether they are proportionate, given their resource implications.
We will look at that issue in subsequent questions. Gordon Martin, would the bill’s provisions add to openness?
That is certainly the intention. It definitely should do that and widen the scope. For example, with regard to a deal for CalMac and the RMT, CalMac is subject to freedom of information legislation, but other publicly funded companies that we deal with, such as Serco and NorthLink Ferries, are not subject to that scrutiny. As far as I am concerned, there must be a level playing field, and where public money is used to provide a public service—in our case, transport—full scrutiny should absolutely be available.
That is excellent. Thank you.
Good morning. Thank you for being with us. Section 1 of the bill proposes an amendment to the general entitlement by inserting a presumption in favour of disclosure. Most respondents to the committee’s call for views were in favour of that. Kenneth Meechan, I was struck by the fact that you used the phrase, “If it’s not broke, don’t try to fix it” to explain your position on the bill. I wonder whether the people who are requesting information would take that view, too. The committee obviously has to look at things in the round—from the point of view of not just the providers of information but the people who are requesting it. How do you decide whether to disclose information when applying qualified exemptions, and how might a presumption in favour of disclosure change the approach to practice in that regard?
In organisational terms, in response to an initial request, the decision whether to release information is taken by the operational unit in question. My involvement comes in more at the review stage, when we have a second assessment to establish whether the department that responded initially called it correctly. At that stage, we insist on people answering the question, “What will go wrong if we release this information?” Our reliance on qualified exemptions—certainly in the examples that come to the review stage that I have sight of—is fairly limited. We have a robust process for challenging people who say, “If we release this, we will be charged several million pounds more the next time we go out to tender”—to give an example of a commercial interest exemption.
Does the commercial interest exemption come up a lot?
It comes up less than it used to. In the early days of FOI, almost as a matter of routine, unsuccessful bidders for council contracts would ask to see the successful bidder’s tender, the tender evaluation sheets and everything else. That is not as prevalent now. We still get asked about commercial contracting details. We tend to be very open about giving headline figures. When we start getting into a breakdown that would disclose a contractor’s pricing models, we tend to be a bit more reticent about releasing that level of detail, but we are certainly generally happy to release headline information. Someone might ask, “How much did you spend on widgets?”, with the response being, “We spent £5 million on widgets last year.”
Gordon Martin, from the RMT’s perspective, what are your reflections on introducing a presumption in favour of disclosure? Would that change the way that public authorities engage with information requesters?
Yes, it most definitely should. As I have said, the legislation should, in our view, be broadened as far as possible to include anywhere that public money is being used, whether it be in transport, in Glasgow City Council or anywhere else. There must be full transparency. The citizens of this country deserve, and expect, nothing less, so the time has come for full transparency to be available. Too many companies and organisations hide behind commercial sensitivity and stuff like that, but when public money is being utilised, everybody has the right to know whether that is being done properly.
So you agree that the bill would have a positive impact on public trust and confidence in the process.
Absolutely, yes, if implemented in full. We will certainly lobby and campaign for that.
Thank you.
Kenneth, do you have a view on whether a presumption in favour of disclosure would change how those seeking information would behave in response to being told that information was being withheld?
That is difficult to answer. We are not allowed to ask why applicants want particular information, so the engagement that we can have with requesters is limited in that respect. Very often, applicants will volunteer the reason why they are making a request, which might—and sometimes does—have a bearing on our public interest balancing act.
However, as I said in our written evidence, we already effectively apply a presumption of disclosure. If we are asked for information, we require someone to come up with a good justification for withholding it—personal data aside, I should say. That aspect aside, we always apply the presumption that information should be released, unless someone can demonstrate why it should not be.
Finally, Gordon, from your perspective as an information requester, if the presumption were there, might it encourage users to be more proactive in seeking reviews and appeals of decisions?
That might very well be the case, yes. I do not know or understand how some corporations and companies think, including companies in the public sector. I can give you the live and fairly recent example of Caledonian Sleeper. I asked that company, through normal industrial relations, a particular question about money that it was giving an outside party to do shunting work—for joining the train at Carstairs. It would not give me that information, and when I put in a freedom of information request, it was declined on the ground of commercial sensitivity. This is still the case, but at that time in particular—it was maybe in May or June—there was a serious risk of that causing industrial conflict between us and that employer.
That information should be readily available, so that we can work out a solution to the problem. If it is withheld from us, it provokes further suspicion on our part, rather than good faith and good industrial relations. Therefore, I would say, from an industrial relations standpoint, and certainly in the transport sector, that the presumption can be only a good thing.
It is helpful to get that on the record.
I have a question for Gordon Martin. Dr Meechan said that, in his experience, there has been a reduction in the reliance on commercial sensitivity reasons to block freedom of information requests. Is that your experience, too? Have you seen a decline in refusals of your requests on the ground of commercial sensitivity, or is your experience different?
It is a bit of both, I have to say. The Caledonian Sleeper example was a surprise. In my opinion, there was no reason for it not to give us the information, but it declined to answer an FOI request on the matter, and then it denied a parliamentary request.
My experience, therefore, is a bit mixed. In cases when we approach Network Rail and others for information, sometimes we get it and sometimes we do not. It is a bit unclear at times why we do not get it.
Kenneth, can you share with us the major reason for refusals, if it is not commercial sensitivity? What requests for information are you being confronted with that cannot be disclosed by your front-line units?
The personal data exemption is the one that we see most often. To be fair, most applicants do not understand the subtle distinction between requests under data protection legislation and requests under freedom of information legislation. It is unusual for there not to be some personal data wrapped up in the information that we are asked for, so we have to carry out a major exercise of redacting a lot of third-party personal information, in particular. We will generally release the bulk of the information, but the names will be blocked out. That is by far the most common and prevalent exemption that we rely on.
09:15
Good morning. Do you support the proposal for the Parliament to have a more active role in reviewing section 5 reports? In your view, would that parliamentary scrutiny lead to more timely and transparent designation of bodies?
The short answer is yes. We want full transparency, or as much transparency as humanly possible.
We are talking about taxpayers’ money, and things are hard for working-class people and working-class communities. Nobody wants public money to be squandered, and we want accountability. You guys, as parliamentarians, are ultimately responsible for that and should be held to account for your actions and omissions. So, the answer is yes—absolutely.
We did not have a particular view on that element of the proposed legislation.
Could any more be done to ensure that FOI rights keep pace with changes in how public services are delivered?
I do not think that I could give you a comprehensive answer to that.
That is fine.
The legislation is technology agnostic at the moment. There is a lot of discussion about whether we need to reflect changes in technology and social innovation. As it is technology agnostic, I do not think that we need to do that. The legislation has managed to keep pace with the changes that have taken place.
I think that Emma Roddick’s question was more about the delivery of services and how it is changing.
When FOI originally came in, we had set up a number of arm’s-length external organisations—ALEOs—and we structured them in such a way that they were almost all initially subject to freedom of information legislation. In our case, moving to the ALEO service delivery model did not deprive anyone of freedom of information rights. Legislation was passed to bring in culture and leisure trusts because of the perception that people had lost FOI rights in that space. Our culture and leisure trust was subject to FOI from the outset, however. It is possible to have alternative service delivery models that do not deprive people of their FOI rights.
That is helpful.
Yes—that is really helpful. Thinking of instances where the situation is not quite as clear cut and where people may struggle to get information that they are looking for, Unison and others have suggested in evidence to the committee that FOI rights should follow the public pound. Would a criteria or funding-based approach to designation of public bodies be more desirable for information requesters than the current organisation-by-organisation model?
Providing such information obviously has a cost attached to it, but what is the cost of not doing it? That drives the wrong behaviours and the wrong thinking.
That model effectively followed public expenditure: wherever the money is spent, FOI should apply to that journey.
Yes—absolutely. It is taxpayers’ money; it is public money. People are finding it hard at the moment and they have been for a considerable number of years. For anything in the public sector, if people want to know the whys and wherefores of something, they have the right to that information.
We did not express a particular view on that. If we moved away from the list approach that we have now to a more open-ended, interpretative scope for FOI, it would lose certainty, and there are risks associated with that. If an organisation was subject to FOI but did not appreciate that it was subject to FOI, that would raise questions about the proposed offence or a failure to appoint an FOI officer, for example. Although we do not have a formal view on the issue, I would caution the committee that, in moving away from the list approach, you might lose the certainty that we have at the moment.
Sue Webber has a follow-up question.
It is on Kenneth Meechan’s comment that the move to ALEOs did not impact FOI requesting. I am curious about that. You seem to have a quite open and transparent culture in the council in Glasgow. Is it dependent on the ability of other organisations to have the same mindset as you and to be as transparent if such things are not to impact on requests?
Again, it is hard for me to speak for other organisations. However, I chair a network of local authority representatives in this space, and I do not think that our approach is fundamentally different in principle from that taken by other local authorities. We have discussions about the round-robin requests that are made to all 32 local authorities and, generally, we independently all reach much the same conclusion.
It is not always about local authorities, though.
I know, but that is the sector that I am most familiar with.
I understand that. I am just trying to figure out the effect of the culture of an organisation, although you seem to be quite open.
Emma Roddick is finished, so I will come back to you, Sue.
Evidence has been submitted to us on the current approach to clarifying information requests. We have heard that, when the time for compliance resets, things can feel somewhat adversarial to those who are requesting the information.
We are not supportive of the proposal on that. I understand that, from the perspective of an applicant, if you put in a request and, on day 19, you are asked, “Sorry, what did you mean?”, that will substantially increase the amount of time that it takes to get the substantive response. However, from the perspective of the information holders, we are often asked extremely technical questions, as there are a lot of very well-informed applicants out there using the legislation. The more technical the question becomes, the more you need somebody who understands the discipline to be able to analyse the question and say, as an expert in the field, that it is unclear whether the person means this or that. We will not necessarily find that out on day 1 after receiving a request.
We are a very large organisation, although we have a well-established network of feeder channels to send requests, as my team have been working in this space for a long time, so we have a pretty good idea of where it is likely that we hold the information. However, that is not an instantaneous process. Even though we do our best to expedite it and get information requests out to the services and departments for them to assess, there will be a time lag, and we cannot do any meaningful searches until that point.
If we take 10 days to find someone who understands what the question means and that person says that we need to ask for clarification on the point, when the request comes in as clarified, that gives us only 10 days rather than 20 to find the information that is in scope, determine any relevant exemptions, carry out the redactions and so on and so forth. That is challenging.
Do you believe that a pause mechanism would lead to a better relationship, between the public authority and the people who are looking for the information?
No. The problem that we would have is the significant difficulty in complying with that. We do not sit on requests and then issue a day-19 clarification request as a stalling tactic. That is not my style and, under my leadership, it is not the team’s style.
I get a sense that that is the culture.
Yes—that is not something that we do. With the best will in the world, a pause mechanism would be problematic.
Another point is that clarified requests are not usually just a clarified request. After the applicant has had a wee chance to think about the issue on the back of our saying, “What do you mean here?”, they will typically add additional parts, so we get fresh requests. If we had a pause mechanism, we would have to consider which parts were under the pause timescale and which were completely fresh requests for which we were on day 1 of 20.
What impact would that have on the resourcing in your team?
The impact would actually be felt more out in the services that hold the information. That is always hard to quantify, but you see the evidence on how much it costs to comply with an FOI request. I do not know.
Yes—it is time and resource.
It is time consuming and difficult. Even in a large organisation such as ours, we consist of an awful large number of fairly small teams so, when we get an FOI request, in practical terms, there might be only one or two people who can deal with it. If they have to commit up to 40 hours on that request, that has a significant impact on their ability to do the rest of their job.
We heard last week that, given the legal requirements around data, most requests for information should be heard; the process should be quite quick; and you should be able to respond. However, are you suggesting that that might not be the case in reality?
The reality is that we are not awash with money. When it comes to the information technology estate, public bodies—and certainly my own organisation—do what is known in the jargon as “sweating assets”. In the private sector, a laptop has an expected life of three years and a desktop computer—remember them?—has five years. We tend to run laptops for five-plus years, simply because it saves money. As a result, our technology tends to be a little bit older. Much as we would love to have all-singing, all-dancing IT systems that would allow us to interrogate the data at the drop of a hat, we typically do not. We have a line of business applications that were built for a specific purpose and which are not necessarily well designed to do the type of data mining that you have described.
That was helpful. Gordon, do you have anything to add?
I will be very brief. Speaking as a freedom of information requester, rather than from Kenneth Meechan’s perspective, I would say that we feel, very often, that this is a stalling tactic. I appreciate the point that Kenneth has just made that, sometimes, the issues can be fairly technical, but the companies that we deal with are publicly funded, big organisations, and they should have the staffing levels to be able to get us the answers. We are asking questions of, say, railway or ferry companies and, given that these are the experts in the ferry or rail sectors, it should not be difficult to get meaningful answers from them. I should also say that, yes, we support the pause mechanism.
How would the pause mechanism make things better for requesters such as you?
It is frustrating to get to, say, day 19, only to be asked, “Can you clarify what you mean?”. With that sort of mechanism, the clock would be paused but would start ticking again at a given point, with the answer expected to be given. We are hopeful that, if that comes in, it will assist in bringing a bit more transparency to the situation.
Okay, and I suppose that that goes back—
Before you move on, Sue, I just want to ask Gordon Martin something. Kenneth Meechan has said that Glasgow actively tries to answer freedom of information requests as soon as possible, and it is not a case of waiting until day 19. Is that your experience with other industries, or do you frequently wait until day 15 or 16 and then get a request for clarification?
On occasion, that absolutely happens and, from my perspective, there appears to be no particular need for it. It is as if they are trying to use stalling tactics, to use Kenneth Meechan’s words.
I was just about to say that that would feed into the rhetoric that an adversarial approach is taken to requests for information.
And that should not be the case. We do not want it to be like that, but very often—well, not very often, but from time to time—that is what happens.
The bill proposes to replace publication schemes with a statutory duty of proactive publication and a code of practice. I will come to you first with this question, Kenneth. What opportunities and challenges do you see in implementing that duty?
The model publication scheme does not work.
Okay. Tell me more.
I pulled the figures for our own publication scheme—well, it is not so much the publication scheme itself, but the guide to information that sits underneath it. The model publication scheme published by the Scottish Information Commissioner sets out classes of information that you are expected to produce, and sitting underneath that is a guide to information that says, “Here’s what we publish at the moment.”
It is a difficult document to maintain. Any time we re-platform our website, the information management team has to do a big painting-the-Forth-bridge job to fix all the broken links. When I checked the figures for about, I think, 10 months’ worth of data, I found that 26 people had looked at or downloaded our guide to information, so it is a lot of effort for not a lot of return—and it is not the public’s preferred way of accessing information. They are more likely to use the search function on a website to find the information, instead of using the guide to information. Therefore, I support getting rid of guides to information.
09:30As for the proactive publication duty, I am not opposed to that in principle, but we would simply want it to be recognised that this is not resource neutral. I think that the financial memorandum suggests that there is a cost saving associated with it, and I fundamentally disagree with that. We previously had what was called the city observatory, which we set up with United Kingdom Government technology funding; however, once that one-off funding ran out, we had no resource left to maintain what was kind of a real-time dashboard of information about the city. That was proactive publication of a lot of information, and we did not have the resource to maintain it. It provides, if you like, a worked example of the fact that, without adequate resources, maintaining proactive publication is extremely difficult.
We have found such an approach useful in isolated cases—for example, when we have done something controversial that has resulted in multiple FOI requests to the council. When I say “multiple”, they can sometimes get into the hundreds, and, in such cases, we have found it useful to have proactive publication to try to stem the flow. However, that is reactive proactive publication, if I can put it that way, because we only identify that there is a big interest in certain information once we start receiving requests for it.
The requests that we get are so diverse that it would be hard for us to predict what information that we do not already publish would be of interest to the public. Certainly, we do publish a lot of information. We already have an extremely transparent decision-making process through council meetings and in council committees where all the key decisions are taken; that information is already in the public domain. There are provisions under the Local Government (Access to Information) Act 1985 that allow us to exclude the press and public and not to publish committee reports, but that would be a very unusual power for my council to utilise. It would be a rare event for us to exclude press and public from an operational decision in that way.
In your view, then, do you think that the public sector in Scotland is ready to implement a proactive duty to publish? You have talked about resource and support challenges and certain technical, financial and cultural issues, but what do you think might be needed to make that sort of approach effective?
Again, that is a hard one to gauge. If the magic money trees were to bloom again—one can always hope—and we had the sufficient resources to say, “Here’s a whole raft load of data that we’re going to proactively publish”, we still would not know what the demand would be for that until we had published it and started analysing which parts were people looking at, which data sets were being downloaded and so on. You cannot easily judge what will be a success ahead of doing it—that is part of the challenge, too.
The question is: what information that we do not already publish would we be expected to publish? There is a suggestion that the code of practice on proactive publication would impose significant obligations on public authorities. In other words, you are being asked to legislate to impose significant burdens on public authorities, and we are unsighted as to what they might be.
Okay. Gordon—
I am sorry, Sue, but I think that Ruth Maguire has a little follow-up question for Kenneth Meechan.
I will be really brief. Dr Meechan, I acknowledge what you have said about meetings being held and decisions being taken in public and all of that being transparent, but is it not the case in local authorities that there are pre-meets between officials and politicians before the public part of the meeting? I acknowledge that meetings are often live streamed and are very accessible now, but that is not the whole picture when it comes to decision making in local authorities.
The pre-meetings to which I have been party have largely been procedural ones of a “Who’s going to come along and speak to this report?” nature. We do not have pre-meetings to predetermine the outcome of what will happen at the public meeting. I have never been involved in a pre-meeting where that has been the case.
Okay.
My next question is for Gordon Martin. If there were proactive publication, what opportunities would that provide to you, as someone who requests information? How would that benefit you?
I would like to think that it would take out any adversarial content. After all, if you are asking a reasonable question, you should expect a reasonable answer. As Kenneth Meechan was speaking, I thought that I could see this ending up with lawyers crawling all over it and with things that should be freely available becoming subject to a code of practice. I know from experience in my job that codes of practice are set out with good intentions but often become a bureaucratic minefield. I see the convener laughing—I think that members know exactly what I am saying.
It creates a whole new industry.
Yes—exactly that. I hope that that would not happen, because all this should be a democratic function in a democratic society, giving people the right to know and holding people accountable, including—ultimately—you guys as MSPs. I do not think that we are asking for much with that.
My next question is for Kenneth Meechan. The proposal to designate a freedom of information officer in each public authority draws on models from records management and data protection law. How feasible is designating that role for your organisation or other public authorities more widely?
All public authorities that are subject to FOI are also required to have a designated data protection officer. If that measure was implemented, the easy option for any public authority would be simply to say, “You are now the freedom of information officer as well as the data protection officer”. I do not want to put words into the mouths of my superiors, but I have a strong suspicion that that might well be what would happen in Glasgow.
Are the duties complementary?
They should be. If the FOI officer was separate from the data protection officer, I cannot imagine them ever being at loggerheads, with the FOI officer saying that something should be released and the data protection officer saying that it should not be. If the FOI officer was a different person—although I doubt that they would be in many cases—they would have to be cognisant of the exemptions for personal data that already exist in legislation. I see no inherent conflict there.
If there was a conflict for some reason, the data protection officer could not act in a conflict of interest situation—that is already in the UK general data protection regulation. Although I am the data protection officer in my organisation, a large element of our data protection compliance is done by a separate department and I do not have direct operational oversight of that. I am still a single point of contact for the Scottish Information Commissioner if they want to discuss what that department is doing; that is a slight issue that we have.
Compared with a lot of other authorities, we have quite a centralised FOI model, and it will shortly be slightly more centralised. If an organisation has a central team, it makes sense to designate an FOI officer as responsible for the team, but I know that a lot of other authorities have a distributed model of FOI compliance, and imposing a requirement to have a unitary FOI officer would not sit comfortably with their organisational structures.
What impact would professionalising the FOI officer role have on transparency and accountability?
I would like to think that we are already quite professionalised. Gordon Martin spoke about lawyers crawling all over this; I should probably say at this point that I am a lawyer.
Nae offence.
None taken. Dealing with FOI is a professional activity that is about applying legislation, and there is scope for legal advice. I imagine that most FOI officers—certainly in larger authorities—are legally qualified.
Smaller organisations might have difficulty, if they do not have an appropriately skilled person. The legislation is quite prescriptive about what an FOI officer needs to have and the resources that they have to have. Under the distributed model, or in a smaller authority, there would be some difficulty in implementing the proposal without more resources.
I want to delve into the roles. Some of the information that the committee heard last week and which has been submitted talks about the records management responsibility. Is it worth looking at bringing together GDPR, FOI and records management? You talked about the architecture that exists in Glasgow, which would, to facilitate the move to proactive publication in a way that was not prohibitive, in effect need to be redesigned.
Many public authorities that are already subject to FOI—but not all—are subject to the Public Records (Scotland) Act 2011. For the larger authorities that are subject to that act, the records management plan is almost like a quilt of the different elements stitched together. The plan has to address information security, data protection, FOI obligations and wider records management in terms of the care and feeding of records.
If an organisation is subject to the 2011 act, all those different strands are pulled together in its records management plan. Having a designated FOI officer would mean that there was another person that a body would probably have to name in its submission to the keeper of the records of Scotland.
The records management plan in my organisation has—I should know this off the top of my head—15 elements, a number of which I am responsible for as head of information and data protection officer. An information governance manager is responsible for a number of other elements, so, at the moment, we have split responsibility within the plan.
That is helpful. Would Sue Webber like to ask anything else?
No—that is all.
I have a final set of questions. Looking forward, among the challenges are technology and informal communication methods—the WhatsApps of this world and so on. What are your concerns about or views on information that should be subject to freedom of information legislation being potentially—or deliberately—put beyond its reach because of informal communication methods? I will come to Gordon Martin first.
There is a very real possibility of that. We all remember what the Covid inquiries heard—both the one at the Parliament down the road and the one in Scotland. Senior politicians were sending each other messages via informal communication methods and, when asked to produce those messages, they were unable or unwilling to do so—whatever the case may be. Is there not always a risk of that? There is always a risk that people will take stuff offline and talk about it rather than using WhatsApp or putting anything in any form of writing. That is always a risk, but it does not undermine the fundamental argument that we need better freedom of information provision in Scotland.
As I mentioned, I am of the view that, if you are conducting official business, it does not matter what channel you do that over, although if somebody chose to conduct it over WhatsApp, that would breach my organisation’s policies, as we have a very strict policy line that official business is done over official channels.
How that is policed is a completely different question. We have made a very firm policy statement to the effect that using official channels is how we do business. If someone chose to breach that policy line and we discovered that they were using an informal channel, I would regard such use as already being subject to FOI legislation.
That brings me to my final question. How workable is the proposal to extend the offence of altering or destroying records to situations where no information request has yet been made? Say that no FOI request has come in, but there is evidence that information has been put beyond reach or destroyed. How workable would it be to make that action an offence? My question is not so much about whether such an action would come about or be discovered but about how workable creating an offence would be.
You have to put something in place. There must be consequences for actions and omissions. How you legislate for something that has not happened yet is a million dollar question, but there must be notifiable consequences. If you are a senior executive in a publicly funded company or in Glasgow City Council, you have to anticipate that, at some point, somebody might ask about why something or other happened in relation to the work that you are doing now in 2025. Record keeping has to be established, and that is why official communication methods must be used. However, there is no way of stopping people doing things offline—that will probably always happen.
09:45
We do not support the provision, and there are a lot of reasons why, including the uncertainty element.
As I said already, the FOI requests that we get are incredibly varied, so we have no idea what someone might ask for. We know that we will be asked for information about key decisions and, under our existing records management practices, our records management plan says that any information that supports key decisions should be retained in the official repository for that information and for the length of time that we set out in the retention schedule. That information should be locked down and available for future scrutiny by anyone who asks for it.
However, a lot of information is peripheral and is of no enduring value. There is a danger that creating the offence might lead to defensive behaviour and to people not deleting anything because they do not want to be accused of deleting something that someone might ask for in the future.
There is a risk that we would overretain data. We have a data protection principle that says that we do not keep personal data for longer than is necessary and, at the moment, we understand how long is necessary for different categories of data, based on business need.
If we had a situation in which everyone was scared to get rid of anything, we would end up with a huge databerg—a sprawl of information that costs money to store. Our paper archives in the Mitchell library are so big that we now have a huge warehouse on Darnick Street in the north of Glasgow that is also full of papers. The last time I was up there, I estimated that we have 12 linear miles of paper files in that warehouse. It costs money to have that paper facility and for the environmental conditions to be appropriate for retaining documents.
Data also costs money. The IT world is increasingly moving to a storage as a service model, which means that every little extra email that you retain and every draft document where you do not think, “I don’t need that and can get rid of it,” although you have the final version, costs money.
Does the cost of all that outweigh the value of having primary legislation that says that it would be an offence for someone to deliberately destroy or remove from access something that they knew to be worrying? Can we live with failing to put that up as a principle that all public servants—and professionals—should deal with?
We are all aware of the instances that Gordon Martin referred to and of the WhatsApp sagas that came out of the Covid inquiries. It seemed to me as if those came from the behaviour of a small number of individuals in a small number of organisations, so the idea of applying changes across the entire public sector, and without any evidence base, came as something of a surprise to those of us working in the field when the bill was introduced. I do not think that the bill is a proportionate response to what has been identified as the mischief.
That is fine.
We move to questions from Katy Clark.
I have a couple of questions for Kenneth Meechan. It is good to hear that the existing legislation is working well for a large organisation such as Glasgow City Council. The policy intention behind the bill is not to add costs to such organisations or to move away from the structure of the existing legislation, known as FOISA, which uses a designation approach—I think that you referred to it as a list process—but to build on that, based on 20 years of feedback from organisations, the public and information commissioners.
One of the suggested changes is a move towards proactive publication. Would the code of practice that the Scottish Information Commissioner is to issue assist local authorities such as yours in knowing what must be proactively published? We know from evidence that technology has the ability to drive down publication costs.
Absolutely. As I said in response to an earlier question, we find it hard to predict what we are going to be asked for. We know in some cases that an FOI request is coming—if something makes the headlines, we can reasonably, and usually correctly, predict that FOI requests will follow. However, absent of headlines, that is hard for us to know.
We would be entirely dependent on a code of practice saying, “This is what you should be looking at,” particularly because there is a resource implication, as I said. I do not want to be unhelpful, but I would have to go to some kind of resourcing board to get additional resources to do anything that we, or other parts of the organisation that were tasked with proactive publication of data, were asked to do in this space. We would need to find additional resources to do that, so it would be good to know that what we were doing was in line with the expectations that were laid down in a code of practice.
It would be quite helpful if an indicative code of practice was produced before the bill is passed, to give us a bit more of a flavour and allow us to make a more informed submission to the committee about the resource implications of what is envisaged. At the moment, I am saying that there would be a resource implication. I cannot quantify that, because I do not know what volume of information we would be expected to publish proactively, the frequency of updating, the structure of that data and so on. There is a huge number of unknowns, and having an indicative code of practice would allow us to come back to you with a more detailed response and say, “If we’re expected to produce that, our analysis is that annual running costs would be this amount.” We would also be able to say, “We’ve had this many FOI requests that would have been addressed by proactive publication, so the reduction in FOI numbers would be X.” However, I cannot do that now. We could produce that information if we had a better idea of what was expected of us under the provision.
The proposal for FOI officers to have a statutory basis has come from FOI officers over an extended period, long before I got involved in the issue. FOI officers in many organisations have said that they are having difficulties in getting their organisations to comply with the legislation. I appreciate that that does not sound as if it is at all the case in Glasgow, but it is the case in other organisations. FOI officers—who are often also data protection officers, particularly in smaller organisations—are saying that having a similar statutory basis to that for data protection would give them the authority in an organisation to insist that the law was complied with. Does that make sense to you?
It does make sense. I have no problem with the idea of having a statutory FOI officer. The prescriptive way in which the provision is set out in the bill might sit uncomfortably in some organisations, but I fully appreciate that, if I were doing FOI and did not have the benefit of being a statutory data protection officer, as I am at the moment, I would probably be arguing that I should be given a statutory designation so that I had a bit more clout to say to departments, “You need to deal with this. It isn’t an add-on—it’s part of our core statutory functions.” I have not needed to wield that statutory clout, but I can fully understand that a number of my colleagues would welcome that. As I said, Glasgow City Council does not have a problem with the proposal in principle; we are just conscious that it would not sit quite as comfortably in all organisations.
Have I got time for one more question, convener?
A very short one.
My question is about the proposed criminal offence. The threshold for a criminal case is “beyond reasonable doubt”. The new offence is perceived to be about closing a loophole. It would have to be shown in court that someone was intending to avoid the law by destroying information. Do you think that the new offence would be used often, given that the criminal charges that already exist are rarely used?
I would hope that it would never be used.
Yes—exactly.
I am being realistic. I do not want to take this out of proportion, but what I would fear more is that a small number of individuals would weaponise FOI. There is legislation that says that we can regard a request as vexatious and refuse to comply with it. Under the tests that we need to meet to satisfy the commissioner on appeal that we were correct in regarding a request as vexatious, typically we have to take a few hits first in dealing with requests. We might think, “That’s obviously vexatious but, if we want to build a case to take to the commissioner, we’re going to have to deal with such requests a few times.”
Such individuals are never satisfied, and I fear that we would be giving them an additional weapon. On the one hand, they might go to the commissioner and say that we did not deal with their request. On the other hand, they might report to the police that we had deliberately concealed information. Following up requests or complaints of that nature would tie up time and resources, both at our end and at the police’s end. I have to say that I do have a fear about that.
I think that we have run out of time. Thank you.
I thank Gordon Martin and Kenneth Meechan for their evidence. If something comes to mind subsequently, please feel free to get in touch with the committee. I hope that you do not mind that, if we have additional questions, we will contact you.
I suspend the meeting while we change witnesses.
09:55 Meeting suspended.
Welcome back. I welcome our second panel of witnesses. Chris Milne is former chair of the Scottish higher education information practitioners group, and Fiona Stuart, who joins us online, is a member of the Law Society of Scotland’s privacy sub-committee. We will move straight to questions, if that is all right.
Fiona Stuart, the policy memorandum talks about the bill’s aims
“to improve transparency in Scotland by strengthening existing measures in the Freedom of Information (Scotland) Act 2002”,
and to deliver recommendations that came, some time ago, from the Parliament in the previous session. How timely are those reforms now?
Good morning. I am not sure that the Law Society has a specific view on timeliness. However, we are reviewing the provisions and are open to processes that would continue to enhance transparency in Scotland.
Thank you. Chris Milne, is the bill timely?
10:00
It is welcome. The legislation has been in force for a number of years, and it is useful to refresh it every now and then, to understand whether it is meeting the wishes of the Parliament and the public.
It was interesting to see in the written submissions the high rate of engagement and use of the 2002 act by the public. I was particularly pleased to see that there appears to be a higher level of engagement among the public as a group, compared with the perception that the act is predominantly for journalists. That is a welcome development.
The Law Society’s written evidence raised the issue of parliamentary time for scrutiny. Fiona Stuart, what are your comments on that, given where we are in the session?
You are correct; the Law Society wished to express that view. Obviously, a lot of consideration has gone into the detailed comments that have been provided, and it is important that a conclusion be reached.
Just for the public record, which areas do we need to scrutinise more today?
In general, there are concerns over the pausing of the 20-day compliance time limit; also, in the Law Society’s view, the proposed offence requires greater scrutiny. Although there is support in respect of a couple of provisions, including on the appointment of the FOI officer and the proactive publication duty, some elements of clarification are needed—for example, on the content of a code of practice and how FOI officers may be resourced in smaller organisations.
Thank you, Fiona. You have provided the perfect contents page for our questions.
Good morning. Some of the respondents to the committee’s call for views suggested that the proposal to introduce a presumption in favour of disclosure when public authorities are considering withholding information under a qualified exemption does not change the legal position in respect of information disclosure under FOISA. Others had concerns about confusing the existing position of information disclosure under FOISA. What is your opinion and view on the proposal?
The Law Society was unclear on that, largely because there is already a sense that that has been the position in Scotland since the implementation of the legislation—it is very much repeated in decisions by the Scottish Information Commissioner—so there is a question whether it is necessary to include it.
In the Law Society’s response to the call for views, we highlighted an opinion from Lord Marnoch in relation to a decision that, although the requirement to release information should be construed in as liberal a way as possible in terms of the general entitlement to disclosure, it is important that it is not interpreted too widely without regard for other laws that are in place.
The position of the Scottish higher education information practitioners group is that the law is relatively clear at the moment; it favours the release of information unless exemptions apply. From the point of view of practitioners and the public, that seems relatively clear, simple and straightforward. I would not want anything to complicate the position and dilute the advances that have already been made among practitioners and in case law.
Will you speak to how such a presumption in favour of disclosure might change the practice of FOI officers in universities?
It would not change directly until such time as the issue was tested as a point of law and new precedent had to be observed in terms of how we practise and respond to requests. The consensus is that the law is relatively clear. When we receive requests, we look to answer them as fully as we can, then we start to assess whether there will be any harm from disclosure. When we believe that there will be harm, we look for evidence and seek to apply exemptions accordingly—or not, as the case may be.
I have a couple of questions for the Law Society. Do you support the proposal for Parliament to have a more active role in reviewing section 5 reports? Would that parliamentary scrutiny lead to the more timely and transparent designation of bodies?
Unfortunately, the Law Society did not express a view on that provision. I am, however, happy to take that question away and report back in writing later, as I do not have a stated position.
More generally, the bill would give the Scottish Parliament the power to designate organisations that deliver public functions or services as public authorities. Do you have a view on that approach?
I apologise. That was one of the elements of the call for views about which no collective views were expressed, so it is difficult for me to answer that today. I am happy to take that question away and come back with views that reflect those of the Law Society of Scotland.
We will look forward to that correspondence. Chris, do you have anything to add?
The position of the Scottish higher education information practitioners group is essentially the same. We could not come to a view on the issue as a group because we are not intimately involved with it.
The one thing that we noted in our submission that might be partly relevant to your question is the fact that a lot of universities have subsidiary companies and start-ups. Extending the legislation to cover those start-ups could be welcomed, but it might be prudent to proceed with a degree of caution, so that any legislative burden on the start-ups does not negate their purpose and stifle innovation.
Thank you. You got away lightly there, Emma—well done. We look forward to the Law Society’s response.
Chris, I go back to the question for clarification on the change of definition and the presumption. Would you and those you represent be confident that, if the provision was restated in the same terms, that would give you confidence that those you speak for understand what the expectation is? If the bill becomes law and even just changes it slightly, we could get into an area of uncertainty that could lead to problems of interpretation. Have I understood that correctly?
The view of the group is that the position is clearly stated in the legislation, the guidance and the precedents that have come down from the Court of Session and others.
Reliance on the existing interpretation, which is well understood, is more beneficial than risking long grass and, perhaps, misinterpretation going forward.
I think so. If I may speak personally, there is something quite nice about the general entitlement. It sets the tone of the bill exceptionally well.
Fiona Stuart spoke about how some elements of the bill need a bit more scrutiny, particularly in relation to pausing the clock rather than having a mechanism to reset it. There was considerable support in the written evidence for a pause rather than a reset mechanism. The Law Society and the Scottish higher education information practitioners group indicated that they do not support that, however. Why do you not support that move to pause the time for compliance when public authorities are seeking clarification?
The reason for not supporting it is probably based more on the experience and practice of managing requests for information, not solely but perhaps particularly when they are received by a larger public authority that might have a more complex structure. When a request comes in, the FOI team, if there is one, does not always know how best to respond to it and, as a result, the team has to contact subject matter experts across the organisation. By its very nature, that can take time, even if there is no intent not to expedite the request. If, as proposed, there were to be a pause, the consequences would be that a public authority would have less time to respond to a request once clarification had been received—it would have less than up to 20 working days to respond. In addition, the experience is that, sometimes, when you receive clarification, that extends the extent and scope of the request, so further time needs to be taken to respond to it.
My final point is on the aim to enhance transparency and openness. There might be occasions when up to 20 working days are required to deliver a fully open, transparent and comprehensive response. Therefore, a reduction of time would not necessarily mean that transparency would be enhanced.
The group that I represent came to the same view, in essence, predominantly based on practitioner experience. When clarification is asked for, it is not unusual for a request to turn into a completely new request. In many instances, that might mean that the time that the 2002 act allows for a response is genuinely needed, not only to source the information but to consider the extent to which it can be released or whether exemptions apply.
Our view is that the legislation appears to be clear that requests should be answered as timeously as possible and that the 20 days is a maximum: if a request is relatively simple, a public authority is expected to answer relatively quickly. The legislation is clear that, if an applicant felt that they were not getting a timely response from a public authority, that could be a matter for internal review; it could then become one for the commissioner to make a decision on. We feel that there are safeguards that allow public authorities to manage requests, and abuse of the system to be challenged.
So you believe that there are benefits and protections with the current system.
I believe that there are.
I agree.
The difficulty with pausing is that it runs the risk of more complaints and more internal reviews, which take time away from answering requests in a timely manner, because the resource burden shifts to dealing with internal reviews and other elements that arise from that.
On public trust, we heard earlier about the evasive techniques that those who respond to FOI requests can deploy. We heard that the bill would prevent that from happening. What are your thoughts on that? There will be organisations that are not as open and timeous as your organisations in responding and which might use such techniques.
If I may speak for the higher education sector, I note that our statistics seem to be relatively strong in that area. There are large volumes of requests, but there does not seem to be a high degree of concern that leads to appeals to the commissioner compared with other sectors. I am not aware of any higher education institution having been censured or having had a review on that particular point.
That is helpful; thank you.
I have another specific question. In evidence to the committee, there has been considerable support for the repeal of the First Minister’s veto power, but the Law Society has indicated that it does not support that proposal. This is a question for Fiona. Why do you not support the repeal of section 52 of the 2002 act?
The Law Society’s does not support it simply because there are already sufficient safeguards in place in the existing provisions. Namely, those are that the decision must be made on reasonable grounds, which would be subject to judicial review, and that the power is limited in scope to specific exemptions, which, by their nature, are likely to comprise more sensitive matters.
10:15
I go back to the whole point of this, which is to be open, transparent and honest with the public. Can you not see how that one provision in the bill would go some way towards restoring trust among the wider public? In not supporting that repeal, your position might be at odds with that of the rest of Scotland. To be blunt, that is where I am.
I understand that position. I am representing the view that was expressed through the Law Society. If further reflection is requested, I can take that back and bring a follow-up response, if that would be helpful.
That would be helpful. The approach just seems a bit out of kilter with the rest of the evidence that we have taken.
I also have questions on proactive publication. The bill proposes to replace the publication schemes with a statutory duty of proactive publication and a code of practice. What opportunities and challenges do you see in implementing that new duty?
That would be a considerable opportunity to allow public authorities to proactively publish in a meaningful way that would reduce the FOI burden in managing requests, however it is caveated. We get lots of inquiries that could potentially be answered through a publication scheme and then exempted under section 25(1) of the Freedom of Information (Scotland) Act 2002, but they cannot be, because the request is often looking for more up-to-date information than is present in the scheme.
For argument’s sake, say that there was a code of practice for proactive publication of expenses. If the code of practice said that those had to be published three times a year, and there was an absolute exemption when information was available through that framework, that would reduce requests considerably. It is not just about the burden on FOI teams; it is about the burden on other areas of organisations in furnishing and providing the information. However, if someone wanted up-to-date information on expenses as of yesterday, that whole proactive publication process would fail.
That is a helpful example. Is the public sector ready to implement that proactive duty to publish? What support might it need?
The higher education sector is probably increasingly ready to respond, given how information is created and published on the internet, intranets and the like. Quite a lot of data management is involved, but the duty would also encourage good records management and good metadata management, which could streamline publication. It would also be useful to get people to think, at the time of a record’s creation, about how that record ought to be managed throughout its life cycle. If there were other public sector requirements in relation to records on things such as archiving, that might be a more efficient way of managing records, along with training and culture change.
That is helpful.
Fiona, do you want to respond to those questions?
The benefits of the proposal would be the removal of the requirement for a publication scheme, which is no longer deemed fit for purpose, and having a measure that is supported by a clear code of practice. Setting out requirements would be very beneficial for public authorities.
The challenges that can be foreseen include the resource challenges in supporting the proactive publication duty. Also, having a code of practice might result in less autonomy in relation to the tools or systems that each public authority can utilise to deliver that duty. That might also bring challenges, as many public authorities have different ways and means of publication and meeting the duty.
Is the public sector ready—in terms of resourcing, technical expertise, finance and culture—to implement such a duty?
That is a challenging question. I have worked in various types of organisations, but, speaking as a representative of the Law Society, I would say that it might depend on the type of organisation, its structure and the resources that are available to it. The key for a code of practice is to provide a degree of autonomy for key requirements to be delivered in line with the tools available to the public authority in question.
I will turn to the proposal to designate a freedom of information officer in every Scottish public authority, which we have heard draws on a model from records management and data protection law. Chris Milne, in one of your responses, you mentioned small start-ups in the university sector. Bearing in mind such examples, how feasible is it for public authorities of different sizes and with different models of freedom of information delivery to designate that role?
I think that the provision could work if it mirrored, in part, the provisions of the UK general data protection regulation, which codifies when a data protection officer is and is not required. It would be useful for the Parliament, the commissioner and others to think about which organisations would benefit from having such an officer. In some instances, it would be useful for larger organisations to have that, and it could be particularly useful if the commissioner had found that a public authority had difficulty in meeting its obligations. That might be one way of generating improvement and getting expertise, so that the transparency that the public and the Parliament require have more chance of being successful.
Is there scope for some organisations to be exempt from the requirement to have an information officer?
Yes, I think so. One of the submissions mentioned general practitioner practices, which I felt was a particularly good example.
We are supportive of the requirement in principle, and we note that, to some extent, it mirrors the provisions of the statutory data protection officer. I support the view that we should consider whether there are areas that should be exempt. We should also reflect on some of the provisions of the statutory data protection officer that have not been included in the bill, such as in relation to certain types of public authorities sharing the resource, on the basis of their size and the types of information that they hold, for example.
That is helpful, thank you.
Chris Milne, you mentioned university spin-offs. What happens with the GDPR officer in relation to them? Do they use the university officer? Obviously, there is a trigger point when the spin-off becomes its own company, but what happens in the transitional period?
It depends on who the controller is. I can give the example of what happens at the University of St Andrews. As the data protection officer for the university, I give support to spin-offs that are entirely separate in their own right. That is part of the support that the university provides to help companies get up and running.
In essence, there is an exchange of data, which makes it sensible to do it that way. That is not dissimilar to the proposal in the bill. That is helpful.
Fiona Stuart, you have provided us with an excellent contents page for what we will cover today. I will move to the aspect of offences. There is a proposal to create an offence of altering records with the specific intent of preventing disclosure. What are the challenges in that regard?
The Law Society highlighted operational concerns, and the criminal law committee highlighted concerns about how the provision might operate in practice and the fact that it might result in legal uncertainty with regard to enforcement. In particular, that relates to the necessity to demonstrate intent and the fact that there is no detail in the bill on how that would be proved. Currently, the courts interpret that through inference. The nature of the offence makes it difficult to see how that might be proven, where, for example, somebody is following their records management schedule. Also, because the criminal burden is beyond reasonable doubt, it is not clear how likely a prosecution would be; it might be rare due to the enforceability of that aspect of the law.
There is an operational concern that the law might genuinely discourage people from recording business-critical decisions out of fear of unintentionally committing an offence, which would work against the concepts of openness and transparency. There is also a potential tension between two pieces of legislation, this one and the UK GDPR, in which one of the key principles is storage limitation, which means that you must not keep personal data for longer than is necessary, as is set out in retention schedules. If someone was to apply the retention schedule, how would that fit with the potential offence in this bill?
We must also understand that many systems that are introduced as we increase our technological capabilities will come with automated retention, which poses some challenges the bill.
I have a couple of other points. There is also the potential for additional storage costs if information must be kept for longer. Also, as all public authorities are aware, as well as the risk of data breach there is the threat of cyberattack, so it is not good to be seen to be keeping data for longer than is necessary because that can create a risk.
That is a summary of the Law Society’s position.
Before I turn to Chris Milne, I have a question about the period in which a prosecution must take place. There is a proposal for that to be three years, with that period running from start of the criminal investigation rather than from the date of the offence. What is the Law Society’s view on that?
Our view is that we must ensure that we are clear about what is meant by the commencement of a criminal investigation. I do not sit on the criminal law committee, so I am more than happy to go back and to ensure that we get a definitive response from the criminal law experts.
We should always ask the experts.
Chris, what is your view of that potential criminal offence?
That is one of the areas that gave the group the greatest cause for concern. We feel that the current legislation is sufficiently strong and that the bill would probably result in some of the unintended consequences that Fiona Stuart outlined, such as people not destroying information and increases in the costs and risks.
I am going to deviate from the group’s response, because something has just come to mind. Ironically, the more information an organisation has, the more unstructured that information might be, even with technology, so there is a risk that you would see an increase in section 12 notices saying that it is going to cost too much to provide the requested information, which means that more requests might be refused if organisations begin to deviate from good practice in respect of records management and there is not the efficient and timely destruction of information.
Do you think that the current public messaging about the importance of FOI—which ties into the importance of proper records management—is sufficiently strong to say that any hint of a deliberate attempt to alter or to prevent someone accessing information would be frowned on? Is that enough without the need for explicit primary legislation saying that that is a criminal offence?
That is a difficult question to answer. As a practitioner and a records manager, I am au fait with the legislation and with the practicalities of records retention and destruction in a way that members of the public may not be. I can see how the mechanics work in the background and can understand why the current law provides sufficient controls. However, as we saw with the Covid inquiry, the public look at media reports and form their own perceptions about what may or may not have happened with the automated destruction of messages from social media platforms. I can see from that example why public trust and confidence are being eroded, but I am not sure that this proposal would specifically address that or be a meaningful step forward. There are more downsides than upsides to the proposal.
That is helpful.
We move to questions from Katy Clark.
For reasons of time I will ask about just one aspect of the bill. The new offence that we have just been discussing is crafted to address an identified problem and is designed to have a deterrent effect. We knew that there were going to be FOI requests about how the Scottish Government had dealt with Covid, and that is the particular scenario that has led to the proposed provision.
Do you have experience of working with the criminal offences in the 2002 act? The provision in the bill has been crafted in the same way. Do you have any practical experience of dealing with scenarios that have led to prosecutions under the act? That existing provision is rarely used.
10:30
No—not from an institutional perspective or from the perspective of the practitioners we network with.
One thing came to mind as you asked the question, however. Universities are not subject to the public records legislation that applies to other public authorities but, if there are public emergencies such as Covid, or foreseen scenarios, one way of managing them might be to use provision in that legislation to codify retention periods for specific records that ought to be created when such scenarios arise.
Essentially, a record is created or received where there is a business process. If it was foreseen that something was going to happen, there might be provision in another act to say what Parliament requires in terms of the retention and management of a record, or that power could be devolved to the keeper of the records of Scotland for its office to issue guidance, under any codes of practice or powers that it has, expressing how something ought to be managed. I do not want to prejudge the Covid inquiry or any other inquiry but, if it was found that there had been proactive destruction of information to prevent public scrutiny of important matters, there should be a mechanism to deal with that.
I have not had experience of that offence either. I can go back for wider views, if that is helpful to the committee. The Law Society shares the views on the focus being on good records management practice and greater clarity on what is required to be kept. That is combined with a view that, within public authorities, people should continue to record information in line with retention. The legislation is clear and is supported by commissioner decisions: if an exemption applies, then it applies—and that may assist.
I thank both witnesses. If there is anything that comes to mind afterwards, you know how to get in touch with us. I hope that you do not mind—particularly Fiona—if we come back to you with other questions in the near future. Thank you for your evidence today.
At this stage I release Ruth Maguire from the committee as we move the meeting into private.
10:33 Meeting continued in private until 10:58.