Visit Scotland | Alba

1. Introduction

1.1    VisitScotland is Scotland’s national tourism organisation and is a publicly funded body (a NDPB, or ‘non-departmental government body’) accountable to Scottish Government. The Scottish Tourist Board was established under the Development of Tourism Act 1969. The Tourist Boards (Scotland) Act 2006 changed the legal name of the Scottish Tourist Board to VisitScotland.

1.2    VisitScotland recognises that the effective management of its records, regardless of format, is essential in order to support its functions, to comply with legal, statutory and regulatory obligations, and to demonstrate transparency and accountability to all its stakeholders. Records are a vital information asset and a valuable resource for the organisation’s decision-making processes, policy creation and operations, and must be managed effectively from the point of their creation until their ultimate disposal.

2. Purpose and scope

2.1    The purpose of this policy is to demonstrate the importance of managing records effectively within the organisation, to outline key aims and objectives for VisitScotland in relation to its recordkeeping, and to act as a mandate for the support and delivery of records management policies, procedures and initiatives across the organisation.

2.2    This policy relates to all directorates and iCentres of VisitScotland and all records created by its employees. It relates to the management of records as an internal, facilitative function of the organisation and covers the records created by the organisation, about its activities. It does not relate to the management of historical records and archive collections that have been transferred to the National Records of Scotland for permanent preservation.

2.3    The policy relates to all staff, including those who are mobile working, working off site and working within joint partnerships, including permanent and temporary employees, seasonal staff, volunteers, contractors, Board members, and those on secondment or work experience placements.  It applies to all records regardless of format or medium, including paper, electronic, audio, visual, photographic.

2.4    The Public Records (Scotland) Act 2011 places an obligation on named authorities in Scotland to produce a Records Management Plan (“RMP”) which sets out their arrangements for the effective management of all records. VisitScotland is a named authority as defined in the Act. A Records Management Plan was submitted and approved by the Keeper in January 2016. The creation of a records management policy statement is a mandatory element of the plan, and is necessary in order to identify the procedures to be followed in managing the organisation’s public records.

3. Roles of records management

3.1    A record is written information (regardless of medium) that is created, received or maintained by an organisation in order to fulfil its legal obligations or in the transaction of its business.

3.2    Records management can be defined as the process whereby an organisation manages its records, whether created internally or externally and in any format or media type, from their creation or receipt, through to their destruction or permanent preservation.

3.3    Records management is about placing controls around each stage of a record’s lifecycle:

  • at the point of creation (through the application of metadata, version control and naming conventions),
  • during maintenance and use (through the management of security and access classifications, facilities for access and tracking of records),
  • at regular review intervals (through the application of retention and disposal criteria),
  • and ultimate disposal (whether this be recycling, confidential destruction or transfer to the archive branch for permanent preservation).

By placing such controls around the lifecycle of a record, we can ensure they demonstrate the key attributes of authenticity, reliability, integrity and accessibility, both now and in the future.

3.4    Through the effective management of the organisation’s records, VisitScotland can provide a comprehensive and accurate account of its activities and transactions. This may be achieved through the management of effective metadata as well as the maintenance of comprehensive audit trail data.

3.5    VisitScotland retains records that provide evidence of our functions, activities and transactions, for:

  • Operational Use – to serve the purpose for which they were originally created, to support VisitScotland’s decision-making processes, to allow VisitScotland to look back at decisions made previously and learn from previous successes and failure, and to protect the organisation’s assets and rights.
  • Internal & External Accountability – to demonstrate transparency and accountability for all actions, to provide evidence of legislative, regulatory and statutory compliance and to demonstrate that all business is conducted in line with best practice.
  • Historical and Cultural Value – to protect and make available the corporate memory of the organisation to all stakeholders and for future generations.

4. Benefits of records management

4.1    Information and records are a valuable corporate asset without which VisitScotland would be unable to carry out its functions, activities and transactions, meet the needs of its stakeholders, and ensure legislative compliance.

4.2    The benefits of implementing records management systems and processes include:

  • Improved information sharing and the provision of quick and easy access to the right information at the right time.
  • The support and facilitation of more efficient service delivery.
  • Improved business efficiency through reduced time spent searching for information.
  • Demonstration of transparency and accountability for all actions.
  • The maintenance of the corporate memory.
  • The creation of better working environments and potential identification of opportunities for office rationalisation, flexible and increased mobile working.
  • Risk management in terms of ensuring and demonstrating compliance with all legal, regulatory and statutory obligations.
  • The meeting of stakeholder expectations through the provision of good quality services.

5. Principles of records management

5.1    VisitScotland will adhere to the following records management principles:

  • Records must be managed in accordance with legislation, corporate policy, procedures and standards
  • Records are a valuable resource and must be managed accordingly.
  • Records must be disposed of in accordance with approved Records Retention Schedules.
  • Records that are identified as vital must be protected.
  • Records that are identified as of historical significance must be preserved.
  • Records must be stored within record keeping systems and appropriately secured.
  • Records must be shared and not duplicated.
  • Records management is a responsibility for all staff and therefore records management procedures must be understood by all staff who are  provided with appropriate training.
  • Records keeping systems must be compliant with the requirements to manage records through their lifecycle.

6. Policy statement and commitment

6.1    It is the policy of VisitScotland to maintain authentic, reliable and useable records, which are capable of supporting business functions and activities for as long as they are required. This will be achieved through the consolidation and establishment of effective records management policies and procedures, including:

  • Assisting as required with records management for 2023CWC,
  • The operation and use by all staff of Office 365, which delivers an efficient tool for digital document management, along with the audit trail mechanisms that enable the capture and management of key events in a record’s lifecycle (e.g. creating, access, editing, destruction or preservation),
  • The operation and use of digital tools by all staff of Oracle, Digital Media Library (DML), Stakeholder CRM and Consumer CRM.
  • The consolidation, review and disposal of information held in legacy systems following the recommended retention periods set out in the VisitScotland retention and disposal schedule. This includes the formal review, closure and documentation of SharePoint 2008 sites,
  • The ongoing review and audit of processes involving personal data in order to demonstrate VisitScotland’s commitment to compliance with Data Protection legislation,
  • The continuing use of the Information Asset Register as a business classification system to reflect VisitScotland’s functions, activities and transactions,
  • The update and review of the Information Asset Register every November for formal report to the Audit and Risk Committee,
  • The identification of an Information Asset Officer (IAO) for each business section,
  • Regular training and communications to Information Asset Officers (IAOs),
  • The identification of Departmental Information Asset Owners (DIAOs),
  • The development, approval and roll out of an updated VisitScotland Record Retention schedule,
  • The development of document naming and version control guidelines,
  • Update the information sharing process so it is compliant with new legislation, best practice and uses O365,
  • Roll out of mandatory Records Management training,
  • An organisation-wide procedure and audit process to ensure all records are destroyed according to time periods set in the VisitScotland retention schedule,
  • Overarching strategy and policy for VisitScotland records of institutional importance and corporate memory,
  • A review of the current Records Management Plan will be carried out by December 2020 to ensure it accurately reflects current legislation, best practice and VisitScotland policies, procedures and technologies (including implementation of O365).

7. Roles and responsibilities

7.1    All staff have a responsibility to manage records effectively through the documentation of all decisions and actions made by VisitScotland; the effective maintenance of records throughout their life cycle, including access, tracking and storage of records; the timely review of records and their ultimate disposal, whether this be for permanent preservation, or confidential destruction and recycling.

7.2    All Information Asset Officers (IAOs) are responsible for ensuring that their department’s record series in the Information Asset Register is accurate. They must provide an up to date report of their department’s IAR to the Data Governance and Security Group by 31 October every year. They are responsible for offering advice and guidance regarding records management to staff within their department, enforcing housekeeping and record retention requirements, highlighting any records management issues or concerns to the Records Management / Data Protection Officer (RM/DPO).

7.3    The lead responsible officer for records management in VisitScotland is the Director of Corporate Services. The Director of Corporate Services is also VisitScotland’s Senior Information Risk Officer (SIRO) and reports to the Chief Executive of VisitScotland. The SIRO attends the Audit and Risk Committee, is the sponsor of the Data Governance and Security Group (DGSG), and is responsible for managing departmental information risks, including maintaining and reviewing the Corporate Risk Register. The SIRO must understand the strategic business goals of the organisation and how these may be impacted by failure of information assets. The SIRO is responsible for ensuring that the management of information risks are weighed alongside the management of other risks facing the organisation such as financial, legal and operational.

The SIRO, together with the support of Legal Counsel and the RM/DPO, has the responsibility for ensuring compliance with this records management policy.

7.4    The RM/DPO reports to the Legal Counsel, (who in turn reports to the Director of Corporate Services) and is responsible for ensuring that records management practices and procedures are established in line with all legal obligations and professional standards. This includes issuing advice and guidance to all staff throughout VisitScotland, providing training and liaising with DIAOs and IAOs throughout VisitScotland.

7.5    All Heads of Departments are responsible for approving a corporate approach to the management of records as defined within this policy, promoting a culture of excellent recordkeeping principles and practices in order to improve business efficiency, supporting records management through commitment and the provision of resources and recognising the importance of preserving VisitScotland’s corporate memory.

7.6    Departmental Information Management Officers (DIAOs) are Heads of Departments for each identified information asset. Each DIAO must understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information and ensure that information they are responsible for is fully used within the law for the public good and provide written input to the SIRO annually (via the RM/DPO) on the security and use of their asset. Each DIAO must ensure that information is managed according to VisitScotland retention schedules which are set by either required legislation or best practice. Each DIAO must assign an Information Asset Officer (IAO) to maintain an up to date list of record series within the Information Asset Register.

7.7    The Data Governance and Security Group (“DGSG”) consists of representatives from the key areas responsible for managing data flows and providing a coordinated organisational response to ensure legal and regulatory compliance. The DGSG, which is chaired by the Head of Procurement, is also responsible for ensuring that appropriate data handling and information related policies, procedures and guidelines are in place to minimise data misuse and loss across VisitScotland.

8. Legislative framework

8.1    The management of VisitScotland’s records is carried out in compliance with the following legislative, statutory and regulatory framework. Compliance with this policy will facilitate compliance with these acts, regulations and standards.

  • Audit Commission Act 1998
  • Bribery Act 2010
  • Data Protection Act 2018
  • Development of Tourism Act 1969
  • Environmental Information (Scotland) Regulations 2004
  • Equality Act 2010
  • Ethical Standards in Public Life etc. (Scotland) Act 2000
  • Freedom of Information (Scotland) Act 2002
  • Health and Safety at Work etc. Act 1974
  • Human Rights Act 1998
  • Management of Health and Safety at Work Regulations 1999
  • Prescription and Limitation Act 1973
  • Public Finance and Accountability (Scotland) Act 2000
  • Public Records (Scotland) Act 2011
  • Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995
  • Regulatory Reform (Scotland) Act 2014
  • Taxes Management Act 1970
  • Tourist Boards (Scotland) Act 2006
  • Tourism (Overseas Promotion) (Scotland) Act 1981
  • Value Added Tax Act 1994

9. Relationship to other VisitScotland policies

9.1    This policy forms part of VisitScotland’s overall governance framework but specifically relates to the following policies and procedures:

  • Business Continuity Management Policy & Plan
  • Data Incidents and Breaches Guidelines
  • Data Protection Policy
  • Information Systems Acceptable Use Policy
  • Mobile Home Lone Working Policy
  • Privacy Policies
  • Gifts, Hospitality and Hosting Policy
  • Smartphone Usage Policy
  • Social Media Policy

10. Training

10.1    Training is provided to all staff in order to highlight and increase awareness of their responsibilities in line with data protection and records management.

Furthermore, core competencies and key knowledge and skills required by staff with operational responsibility for records management will be clearly defined to ensure that they understand their roles and responsibilities, can offer expert advice and guidance, and can remain proactive in their management of recordkeeping issues and procedures within VisitScotland.

11. Monitoring & review

11.1    Compliance with this Policy and related standards and guidance will be monitored by the RM/DPO in consultation with DIAOs, IAOs, the DGSG, and the Director of Corporate Services (as SIRO).

11.2    Regular reports will be submitted to the Audit and Risk Committee and updates will be disseminated to all colleagues via the corporate intranet.

11.3    This policy will be next reviewed in May 2023. Further reviews of the policy will then take place at least every three years or at such time that a significant change is made to legislation, regulations or business practices.

Related links

Our data protection policy

This policy ensures that all personal data is processed fairly, lawfully, in a transparent manner, and in compliance with data protection and privacy…

Our open source code policy

Find out more about the purpose and scope of working with open source code in conjunction with our principles and legislative framework.

Our procurement policy

Read about how we promote fair, responsible competition whilst getting the best value for money.