Census 2022 – information governance and standards

February 7, 2024 by No Comments | Category Digital Assurance Office, Digital Scotland, Technology Assurance Framework

Guest blog by Laura Johnstone, Continuous Improvement team, Digital Assurance Office.

The Digital Assurance Office have been working with the National Records of Scotland to capture and share some of their experiences from the delivery of the Census Programme. This is the second in a series of case studies. You can read the first case study, and our other insights, on our blog.

For over 200 years Scotland has relied on a ten year Census to underpin national and local decision making. The 2022 Census was the first predominantly digital Census collection. The Census is a long term programme and is undertaken by the National Records of Scotland.

One element of assurance undertaken by the Census programme was an independent information assurance review . The aim of the review was to identify any risks to Census systems, services, and information. The review made 4 low/ informational level findings which indicates only minor issues and areas for improvement, rather than problems presenting a significant risk to census security.

Key activities
• In order to prepare for the independent information assurance review a maturity assessment was undertaken which led to a security and privacy action plan being developed. The assessment and delivery of the privacy action plan was undertaken by an external supplier due to a lack of in house capacity.

• A focused programme of work was undertaken to address the recommendations in the security and privacy action plan. This was done over a short period of time with active Red/Amber/Green reporting against the progress of closing the gaps in the plan.

• The work undertaken increased organisational information governance maturity and led to a positive independent information assurance review, which was a key milestone in enabling the Census programme to ‘go live’.

Reflections and learning points

1. Consider information governance requirements from the outset. Be clear on what good information governance looks like for the programme and its projects, and embed it from the beginning. In many cases projects within the programme had the right information governance measures in place, addressing security and legislative requirements, but the approach being taken was not well documented or consistent.

2. It is important to have an environmental awareness of changing legislation/policy expectations around information governance. Information governance should be an ongoing part of any project/programme to ensure information legislation and security is considered and embedded as required.

3. NRS brought in a supplier to undertake the maturity assessment and follow up activity due to a lack of in house capacity. NRS holds information governance expertise and fulfilled the intelligent client role, developing a very productive working relationship based on mutual respect, leading to iterative collaboration and high quality outputs. The value from external suppliers is maximised when you can act as an intelligent client.

Find out more

The Technology Assurance Framework (TAF) is designed to support programmes and projects to deliver successful outcomes and ensure that the lessons learned from previous experience are reflected and embedded in future practice.

The Digital Assurance Office are working with organisations who have had assurance through the TAF to share insights which might help others deliver digital projects.  If you want to get involved – or have thoughts on what insights would be helpful to share – contact us at

For more information about this case study contact

For further information and signposting to advice and support on programme and project management contact the Programme and Project Management Centre for Expertise.

The Scottish Government programme and project management principles are available and apply to any project of any size.

For advice on designing and delivering high quality digital services visit Scottish Government Digital Support Hub (DSH)

The Social Security Programme ran a workshop on information governance in January 2024, covering how to embed Data Protection compliance into project and programme management frameworks.  Contact the Our Story team for information on how to access the recording of this workshop and an accompanying case study.

Tags: , , ,


Leave a comment

By submitting a comment, you understand it may be published on this public website. Please read our privacy policy to see how the Scottish Government handles your information.

Your email address will not be published. Required fields are marked *