Explainer – The Scottish Government’s WhatsApp policy
With the Covid Inquiry and the retention of messages currently dominating the headlines, Holyrood looks into the Scottish Government’s WhatsApp policy.
How has guidance changed?
In April 2020, amid the first national lockdown, the Scottish Government posted guidance which stated that messaging apps including WhatsApp were only to be used “in a responsible and professional manner”.
In November 2021, it introduced further mobile messaging guidance, an addition to its record management policy, which states that "regardless of the source medium, information relevant to the corporate record must be saved", as it can be subject to an FOI request.
In October 2023, it published the guidance on the usage and policy of mobile messaging apps.
What is the Scottish Government position on the use of messaging apps?
The guidance outlines that these apps “are not always secure platforms” on which to have conversations regarding government business, and goes on to “strongly advise” against the use of such tools.
However, the Scottish Government did not prohibit their use.
The guidance lists five “particularly important” features that apps should have if messages “would cause reputational harm to the government”.
These are encryption, end-user verification, passcode verification, remote wipe, and message retention.
The guidance acknowledges most apps do not have all these features, and so “strongly advises” against their use for business purposes.
For instance, WhatsApp does not have password protection and does not allow for remote wipe but does allow for the account to be deactivated. In other words, the messages may not be deleted if the device is lost.
What about the recording and deleting of messages?
The guidance states that, “at least monthly”, staff members must transcribe “salient points” of their messaging using the SCOTS platforms and save this to the electronic records and document management system (eRDM), for potential FOI requests.
The eRDM is where the Scottish Government stores official records and documents.
In short, the guidance does say messages should be deleted. It states that all conversations “must” be deleted “at least monthly”. This rule follows the belief that prior guidance has been followed and aims to tackle potential risks such as cyber threats or phones being stolen or lost.
However, in August 2022 the Scottish Covid Inquiry sent out “do not destroy” notices to the Scottish Government.
What about group chats?
In this case, the group should choose a “Group Responsible Owner”, whose role is to remind members of their obligations at least monthly.
Who oversees whether this is being done?
The information asset owner (who usually is at the deputy or director level) oversees information governance across the Scottish Government.
They are responsible for information held at their “local level” and must report on information governance when completing their annual Certificates of Assurance exercise.
According to the guidance, all staff members “should” make the IAO aware of the use of any apps for business purposes and inform them in the event of any incidents where messages are “inadvertently shared incorrectly” or cause problems, so they can report and handle the risk.
What does the FOI Scotland Act 2002 state?
The Freedom of Information (Scotland) Act 2002 (FOISA) outlines a right of access to recorded information, and states that information requested from a Scottish public authority should be given within 20 working days, subject to some conditions and exemptions.
The FOISA defines information as “information recorded in any form”, thereby including that held in non-official communication channels such as WhatsApp.
However, information may not be provided if it is due to be deleted (or amended) in the time between request and response. Yet, it must be highlighted that it is a criminal offence to alter, destroy or conceal information to prevent disclosure following an information request.
The Public Records (Scotland) Act 2011 and a Code of Practice under FOISA dictate that public authorities should have good records management practices to support any information requests.
Under the 2011 Act, public authorities must submit a records management plan for agreement by the Keeper of the Records of Scotland, a post currently held by Paul Lowe.
The keeper periodically consults with the Scottish Information Commissioner (SIC), David Hamilton, on the adherence of public authorities to the Code of Practice.
Daren Fitzhenry held the SIC post during the pandemic.
Last November, to clarify doubts, Hamilton said: “Where tools such as WhatsApp are used by public authority staff to carry out official business, the information generated will, in most cases, fall under the scope of Scotland’s FOI laws.
“The Commissioner therefore expects public authorities to identify and consider all appropriate recorded information when responding to FOI and EIR requests, including, where relevant, information recorded in exchanges made through WhatsApp, Microsoft Teams, or other messaging tools”.
So, what is the key issue?
Well, there is apparently no clear definition as to what is regarded as “salient points” that should’ve been transcribed. In other words, it was up to staff members to evaluate what they would consider as relevant messages.
This allows for different approaches to what is considered to be important and may be behind why individuals kept a different number of messages from the pandemic.
Earlier this month, the inquiry heard that all WhatsApp messages from former First Minister Nicola Sturgeon during the pandemic appear to have been deleted.
She is due to appear before the Covid Inquiry tomorrow.