Well, good morning, and can I welcome everyone to this, the ninth meeting of the Public Audit Committee in 2022. Before we begin, can I remind members, witnesses and staff present that social distancing rules apply in the Parliament, and if you are moving around the room or entering or leaving the room, if you could wear face coverings please. The first item for the committee to consider is whether to take agenda items 4, 5 and 6 in private. Are we all agreed? We are agreed. The next item on our agenda, agenda item 2, is consideration of the 2020-21 audit of the Scottish Environment Protection Agency. I am pleased to welcome our witnesses this morning, all of whom are online, and, in so doing, they are joining our deputy convener, Sharon Dowey, who is also online this morning. Can I welcome the acting chief executive of SEPA, Jo Green, Stuart McGregor, who is the chief finance officer, David Pirie, executive director, evidence and flooding at SEPA, and from the Scottish Government we are joined this morning by Roy Brannen, who is the interim DG for net zero, Helen Nisbet, who is the director of defence, security and cyber resilience, and Kevin Quinlan, who is the director of environment and forestry in the Scottish Government. Can I begin by reminding people that we are quite tight for time this morning, so I would appreciate if there could be both succinct questions from the committee and succinct answers. I also suggest that the committee is taking evidence on 31 March on major ICT projects in general, at which point we will be looking at some of the wider read across from the cyber attack that SEPA sustained and the lessons that we need to learn. I will try to encourage people to be as disciplined as possible, but our line of questioning takes that into account as well, hopefully. 
Can I say as well to Roy and to Jo, please feel free to bring any of your colleagues in, if that is helpful to you and to those colleagues who are online, if you want to come in at any point to give us evidence in relation to a part of the conversation that we are having, then if you put an R in the chatroom, we will pick that up when appropriate. Can I begin by welcoming Jo Green, who is the acting chief executive of SEPA, who I know had hoped to be here in person this morning, but is joining us virtually. Jo, could I ask you to make a short opening statement? Thank you very much, convener, and good morning to the committee. SEPA was the victim of a determined and sophisticated cyber attack orchestrated by international, serious and organised criminals. The attack has had a significant impact on our operations and our ability to deliver our full range of services, but access to data also impacted on our ability to report for the 2021 financial year, including our annual report and accounts. Our focus throughout our response and recovery has been on protecting the environment and communities and protecting and supporting our staff, ensuring the most critical service delivery on flooding and environmental regulation and building new rather than building back in a way that sets us up better to meet future environmental challenges. A key aim was to learn from the cyber attack on us and also share that learning. In October, we published and shared widely independent reviews that we had commissioned. We have also implemented 35 of the 44 recommendations that are made in the reviews, with good progress on the remaining nine. We are now well over 12 months on from the attack. Service delivery remains very challenging, but our staff are still delivering important work for the environment and communities in difficult circumstances. 
We have now stabilised our most critical systems and are making good progress in the difficult and complicated job of recovering data. There is still much more to do. Experiencing such a sophisticated criminal attack has been very difficult for our staff. I want to thank them all for their commitment, flexibility, hard work and resilience. We are grateful for the support that is provided by the Scottish Government, Police Scotland, the National Cyber Response Centre and Scottish Business Resilience Centre. Before I close, there is just one point that I would like to clarify from the evidence at committee on 10 February. One of the questions raised was about just 1.6 gigabytes of data being stolen, and that did not seem to be that much. I would like to clarify that, although a very small amount of our data was stolen and published illegally on the dark web, the attack left most of our data inaccessible by encrypting and deleting both our data and the systems that enable us to use those data. It is this that made the attack on us so significant. I will lead for SEPA on answering questions today, joined by colleagues, and thank you. Thank you very much indeed. For that last point in particular, I think that that is a very helpful clarification. I know that, later on in the session, Willie Coffey will have some questions around that subject in particular. I want to turn first of all to Sharon Dowey, who I mentioned earlier on, who is joining us through video link, who has a couple of questions to start us off with. Thank you. Good morning, everyone. We know that the cyber attack is subject to an ongoing police investigation. However, are you able to confirm if investigations are ongoing to establish the exact root source of where the cyber attack reached SEPA systems? Once those investigations are complete, will that information be shared with us, or will that remain confidential? 
I just want to say that we had a high degree of cybersecurity maturity, but the attack on us was very sophisticated. It is, as you say, subject to a live criminal investigation. There is only a certain amount that we can say about the routes in, but I will pass to David Pirie to talk a bit about that. Good morning, everyone. As you said, it was a highly sophisticated attack. We have undertaken a number of reviews of the attack. One of those reviews was a technical forensic review, which is informed by the Police Scotland investigation. We have published that technical forensic review as part of the criminal investigation. The methodologies and the headlines of how the attack happened are published in the SBRC review. The exact route into SEPA systems and the particular phishing email that originated the attack has not been identified, but the forensic investigation did identify that it was a phishing email that was the most probable source into SEPA systems. In paragraph 14, it states that the SEPA staff member received a system alert at midnight in the morning of 24 December, and they were unable to reach the key senior management contact to escalate the issue at this point of time. The auditor general has told us that he has reviewed your immediate responsive protocols following the cyber attack. Are you able to give us a brief outline of the changes that have been made as a result of the review? Yes, thank you for that. SEPA has a strong culture of resilience, governance, incidents and emergency management, and all that kicked in around the incident quickly. I will pass to David Pirie to talk specifically about what he has raised. As I said, we have taken on board those reviews. We have 44 recommendations. We are working our way through those recommendations. We have reviewed and renewed and updated all of our cyber response procedures and playbooks as to how we initiate and undertake response to incidents. 
I should say that, on the evening of the cyber attack, our response was effective and worked to plan. You are happy with the responses that you have got? Are you happy that your new procedures would not have the same issues that you had on the night of the attack? I do not think that they would have the same issues. I do not think that the escalation was material to the impact of the attack. I do not think that it made any difference to the attack. However, I am confident that our new procedures are in place and will be effective going forward. As I mentioned earlier, Willie Coffey has now got a series of questions. Thank you, convener, and good morning to everybody. Jo, you have already said that you have made progress in the recommendations that you had to undertake. You have done 35 out of 44, so I wonder if I could just explore the issue of the backup. We know from the previous paper that the backup data was first targeted, as I understand it, and that it rendered that inoperable. You could perform a backup. Could you tell us a wee bit, please, about the current backup situation and whether your recommendations or your actions since then have addressed that particular issue to make sure that the data is entirely separate from the main systems data from now on? This is obviously a key issue in terms of cyber security. I would stress that the attack on us was really sophisticated at the time. It had a number of components to it. It had implemented what was, at the time, best practice in backup policy, but it specifically targeted backup systems as our team tried to recover and restore backups. We have made a number of changes. What I will do again is to pass back to David Pirie to talk about some of the detail of that. We are having some problems with David Pirie's connection. He does not appear on my screen at the moment. We will try to put him on to audio only, but I do not think that David appears to be there. 
Jo, I do not know whether there is anyone else in your team that could pick that up, or whether I am going to ask Willie to move on to his next question. I do not know if it is possible to come back to it, because David Pirie would be so good at answering this question. I do not know if it is possible to come back to it if we managed to connect back to David. That is fine. One thing that we have always got the option of doing is asking you to provide us with a written response to any of those questions if you are unable at this point to answer them to the fullest extent that you would like. I will go back to Willie Coffey. David Pirie does not need to tell us the details of any of this, it is just to provide reassurance to the committee members that the backup strategy is different from what it might have been before, and it is more secure. We all know that another phishing email can come in any day, and staff can inadvertently access it, click it, link it, follow it or whatever it is that occurs. It is just to get a sense from you that we have recognised that particular issue and that the steps have been taken to provide additional protection to the systems data that we have. We had three levels of protection around backups. It was in line with best practice at the time, and we have made improvements based on the recommendations that came forward in the audit. Is there a physical separation between the systems data and the backup data that the organisation would have? To my mind, that would mean that any further attempt of a similar nature cannot succeed if the backup data is physically separated from the main systems data. As part of that 3-2-1 best practice that we had at the time, there was some physical separation in one layer of our backups, so that was already there. If David Pirie is able to join, he will come back in on some of the detail, or we will follow up with the committee in writing just to clarify that. 
Just on what kind of support has SEPA had from the Scottish Government to help me to get through this by way of either staff support or any financial support or otherwise to recover and move forward? In sharing those lessons, other organisations not just SEPA are vulnerable to this kind of attack. Have you been able to share your experience with other bodies to make them aware of the possibilities and actions that you have taken that they may wish to consider implementing? In terms of support—I will go on to learning on support—we are very grateful for all the support that kicked in really quickly on the back of the SEPA. Again, it was a very serious criminal attack on us, and it was so significant. The Scottish Government moved very quickly to support us. For instance, we had 120 Scottish Government secure laptops that our most critical staff, including our emergency team, had access to, so we were really grateful for that. Again, on the finance side, colleagues were working really closely with the Scottish Government around that. We had some really strong support in the early days, especially from Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre. There was enormous support around us as we went into those early stages of response around the cyber attack. In terms of the learning, it was one of the first things that we landed on. It was so serious, and we just thought that we could learn from this, but others can learn from this as well. It is one of the reasons why we commissioned those four independent reviews, and they were for us to learn from, but then we shared them very widely. We had an event back in October, and we made that really public in terms of the lessons for us. What was good in the reviews as well, including the Police Scotland one, made recommendations for us, but most of those recommendations are also for other public bodies. 
It was really clear for other public bodies what they could take from what happened to us. Thank you very much for that, Jo. If David comes back online, I might… He is back? Will he? David, please, come back online. Can we just pop back to him? Of course, you want to ask. Hi. Hello, David. I can't see you on screen, but I was asking about the backup strategy and whether you could give the committee some assurance that the backup procedure going forward will, as far as we can, make the same type of cyber attack on you impossible to succeed next time round by physically separating your data, your backup data from the main systems data. As I understand it, the hack reached the backup data firstly so that you couldn't reinstate your systems. So in order to prevent that, have you taken steps to make sure that that separation of backup data from the main systems data is a physical one, a separate one, so that it can't be attacked with any future attack that might take place? Yes, we have. We had a well-developed strategy for backups. The reviews have indicated that we broadly complied with best practice. We had three layers of backup. We had a synchronous backup, a near real-time synchronous backup. We had off-site backups and we had what's called air-gapped backups. When the attack happened, they began encrypting our data, and as they encrypted the data in real-time copied that to our synchronous backup, so that synchronous backup became encrypted in real-time. Our off-site backups, the criminals actively targeted those off-site backups and deleted those off-site backups. Our air-gapped backups covered some of our main data sets, but they didn't cover all of our data sets. Since the cyber attack, we have taken on board the recommendations and we have put in place new backup arrangements that cover all of our data offline backups. 
I appreciate what you have said there, but could you please confirm to me that, should something of a similar nature occur again, the backup data cannot physically or logically be accessed by any hackers that may wish to do that. There has to be a complete separation of your data in order to protect it from future hacks. Yes, I can confirm that. We have lost your image as well. Thank you very much for that, David. I will go back to you now, convener. Roy Brannen is on the panel as well and I know that the role of the Scottish Government was mentioned in that question. I don't know whether Mr Brannen wants to come in on that question before I turn to Colin Beattie for a series of questions. Roy, do you want to come in? Thank you, convener. As Jo said, for what I can see before my time as DG, but I'll bring Helen in who was there at the time. There was a lot of activity close working early doors on day on the 24th. We had the on-call cyber resilience unit contacted early doors and the chief information security officer engaged. We both then established the national cyber incident co-ordination arrangement and that flowed through the day on the 24th. However, as well as providing the laptops, the secure email accounts and the IT support, we also allowed access to the cyber incident response company that provided that early help to SEPA in that space and the uplift in the budget for 21-22 of £2.5 million of which SEPA did not use entirely. The support from the sponsor team was pretty good in those early days and continued throughout the year with regular engagement with SEPA's management on 20 performance measures that we were tracking in trying to see the organisation recover. Helen, I don't know if you want to speak a little bit more about the early response from our cyber colleagues. Sure, yes. Thank you, Roy. 
As you have already said, really from the word go, I think that it was 11 o'clock on the 24th that both the chief information security officer of the Scottish Government and the on-call cyber resilience team were notified by David of the incident. I think that it became quickly apparent that it was of such a magnitude that we needed to stand up the incident management plan, which we did. The critical thing about the incident management response company coming in is that it is obviously in the early stages of an attack to get to grips as to just what has happened, so there is always a bit of time required just to do that diagnostic work. By the time we had the first cross-working meeting on the 27th, which brought in the National Cyber Security Centre, Police Scotland, the sponsorship team and, of course, SEPA colleagues, even by that stage we had already started to push out across the broader public sector in Scotland and, indeed, beyond that, because we were feeding into the NCSC as well what we were understanding about the attack in order that other companies and organisations could look to see if there was any similar activity happening in their own area and take appropriate action. We continued that work throughout the weeks following the attack. I am going to bring Willie Coffey back in for a final question. Just to ask you, Helen, are you content that should there be another successful attempt, cyber attack attempt, the backup data this time cannot be accessed and encrypted, destroyed, stolen or otherwise? Mr Coffey, from my own point of view, I am not a technical expert on those things, but what I will say is that I think that the action has been taken in accordance with the recommendations and we are satisfied. As you will appreciate, there is a constant cat and mouse game around this kind of area of activity. 
It is almost in some quarters, almost as if it is a game or a challenge to those who are trying to infiltrate systems to overcome important measures in place. That is always the challenge that we face, but I am satisfied with the reports that have taken steps to meet the vulnerability that was exposed in the attack. Just to say that, for the remainder of the session, David Pirie will be with us, but he will be with us audio only. Clearly, there is still some distance to go in terms of recovering data and so on. Do we have any feel for how much data is still to be recovered? How many systems remain to be either re-established or developed as a work around? Do you have anything on that? On that, we are obviously really concerned about data in the early stages of the attack and what could be recovered. It is very difficult and complicated work, but the headline on that is that we estimate that over 80 per cent of our data now has been recovered. Access is still limited because we still need to be able to have the systems to be able to access that data, but really good progress is made on recovering that data. I will pass to David Pirie to talk about some other aspects that he has raised now. Yes, we have successfully recovered just over 80 per cent of our data. The data that we have recovered includes all of our email correspondence, a large proportion of our finance and HR records. Most importantly, it includes the raw environmental data of things such as ecological, chemical, hydrological and discharge results, which represents the raw data that is our understanding of the state of Scotland's environment going back for almost 50-50 years. We have recovered all of that data, but there are systems that we still have to recover. Obviously, about 20 per cent of our data remains encrypted or deleted and inaccessible to us. It will take considerable time to rebuild the systems, to give free and easy access to the data that we have recovered. 
Recovering it itself is the first step, but the second step is building the systems that allow you to have access to that data. Just to make it clear in my mind, when we say that data has been recovered, does that mean that data that was encrypted has been decrypted? Or does it mean that the information has been rebuilt perhaps using manual records? None of the data has been decrypted. We do not have decryption tools. We did not pay the ransom and, as such, we do not have any decryption tools. When I say that the data has been recovered, it has been recovered from offline backups. The sort of backups that we were discussing earlier on has been recovered mainly from offline backups. Some of the data has also been recovered by restoring it from sources or locations that were unimpacted by the attack. Some of the data has been recovered from our website or from publicly available locations. Some of our data has also been recovered from manual paper-type records that we held. None of the data has been decrypted. Don't we have resources that are capable of doing that, or is it just simply too difficult? It's my understanding that it's too difficult, and we certainly haven't managed to decrypt any of the data. Occasionally, decryption keys become available when criminal groups either fall out with each other or if they get caught by law enforcement agencies. It's not impossible that a decryption key will become available for us, but the advice that I've had from law enforcement agencies is that it's highly unlikely that we will get a decryption key. Okay, just carrying on in the same line. Are there any services at the moment or projects that you're unable to provide or deliver? So I can come in on that. Yeah, no, sorry, I was making sure that I was on camera and live, so yeah, thanks for the question. In terms of service delivery, it was challenging in the immediate aftermath of the cyber attack, but our business continuity arrangements kicked in quickly. 
We were able to quickly move to be able to do our service flood risk warning around incident response, around our regulation, and so our most critical services could kick in within a day, so very quickly those kicked back in, and then we've really been on the kind of phased planned approach to recovery around our services, and in the early stages that was really about stabilising really basic stuff, you know, bringing our staff back online so they could actually communicate and have access to email systems, and so that took a period of time. It was about getting those very basic services back in place, and so that's been a gradual planned approach to all of that. What we did quite early on is put weekly service updates out there on our website that people could see the status of our services over time, and so over time we brought our services back online, but at the moment it's still really challenging to deliver because we still do that, that build of new systems to make it easier to operate within the organisation. So at this moment there are no services that you're not providing? And so one of the services that we're not providing normally would have a public register, but this relates back into the data recovery, so we're not currently providing a public register. But again, we've got a really planned approach to that data recovery and bringing things back online. We need to re-establish our public register. Are there any projects, for example, that have been seriously impacted, either delayed or put on the back burner as a result of this attack? Clearly, after the immediate phase of the attack, we pulled together a plan for the year on the operating plan, and we had a series of projects that we were doing to deliver and build back, and we kept largely on track with that during the year. The efforts and flexibility of our staff to deliver in very difficult circumstances has continued throughout that year. 
Just to give you some highlights of what we still managed to do, we've done Covid in wastewater monitoring. We've kept our labs going, we've managed to do that. That's our expertise in designing and implementing the monitoring network, coupled with our scientific capabilities, which enabled us to do that and contribute to the response around the pandemic during this time. On water scarcity, we're responsible for the forecast and monitoring of Scotland's water resources. We produce a water scarcity situation report weekly between May and September. Again, we managed to keep that going. Similarly, on bathing waters, we successfully monitored Scotland's designated bathing waters. In terms of key headline areas, areas of priority, we just continued to deliver during the year, but it was extremely difficult. You haven't actually said if there's any services at the moment that you're not able to deliver. The public register is one. We see that as a really important service, and we'll be getting it back online. Are there any other services that are impacted? I think that it's mainly different ways of delivering services, rather than being impacted. For instance, we have a really significant role on planning, responding to planning consultations, working with planning authorities. Clearly, in the early days, we'd lost access to our data, our files. It was really difficult in terms of that initial communication, but what the planning service did was very quickly kicked in to have direct links into each of the local authorities to triage what's the most important stuff that we need to get on to, to providing advice to them. That's what kicked in around our planning service, that cleared the backlog. It's established a different way of operating with the planning authority that we plan to carry forward. There's been a lot of ingenuity and work around difficult situations, but some of that is stuff that we want to continue in the future. 
I believe that you've established a figure of £17.9 million being the potential worst-case scenario costs. Are you able to firm up on the cost to date and any projections that you might have, both in terms of the cost of the recovery and your responses to that? Yes. In terms of the cost of the cyberattack itself, we're doing work to pin that down. We intend to publish that and make that available. That should be by the end of this month. It is imminent. We're doing all that detailed work now. Clearly, it's not necessarily straightforward, because, as I say, we're not recreating all of our own systems. We're building for new, and some of that would have been investment that we would need in the coming years anyway. It's tricky to pull together the accurate cost of the cyberattack itself, but that's what we'll do. We'll try and lay it out as transparent as possible so that people can see it. Maybe we can check and see if Stuart McGregor, our finance officer, would like to come in on that as well. Thanks very much. Jo, can you hear me okay? That's great. In terms of—I'll maybe answer the question on £17.9 million first—this was based on the report that was carried out, or a paper that was prepared in 2019. As normal practice, we would do some forward financial forecasting over a number of years. There was a number of forecasts in terms of potential reductions in grant funding and potential increases in grant funding, so there were some wide ranges in there. It was just to give the board and the management team a feel for the potential challenges that we might be facing in the future. The 17.9 million was out there in terms of the worst case scenario that we should be looking at. That's not coming to fruition. We've had flat cash settlement budgets in the main for grant aid. Although that adds some complexities in terms of having to cover wage awards and inflation, it's certainly not out towards the 17.9 million value that was quoted in the report. 
In terms of the one-year finances, we're looking okay. In 2021, we didn't need to utilise the £2.5 million from the Scottish Government, so we operated well in that. The current year, we're looking at what will be thereabouts in terms of the forecast outturn against the planned budget. We worked closely with the Scottish Government sponsor and finance units in terms of forward forecasting. The 17.9 million is not a figure that worries me at the moment, but we're nowhere near approaching that figure. Correctly. There obviously are costs. That's mitigated to a certain extent by SEPA accelerating delivery of its digital strategy, which presumably is within your budget in any case. So the actual impact on your budget—I'm not putting words in your mouth here—should be much less financially? Yes, that's the case. I think that you've summed it all well there, basically. We've looked at the annual allocation that we get to one-year settlement, and we're working within that. We prioritise the budget strategy in terms of delivering the priority outcomes for SEPA. We're not anticipating major gaps going forward. There will be challenges across the public sector. I believe that there will be challenges with the funding availability, but you're correct in terms of moving forward. We had the digital strategy for having to bring some of that forward, so we're prioritising our spend within the year to do so, and we're phasing over the period of time. Thanks, Mr McGregor. That's helpful. Can I go back to Jo Green on a point that she made a few minutes ago? Jo, you told us that one service that wasn't currently available as a result of the cyber attack was the public register. For the layperson, could you just explain what information is captured in the public register and therefore what is it that we can't see that we would normally be able to see, and when do you expect it to come back online? 
Our public register is where we make available all the information on our permits that we issue. When it comes back online, I might check with David Perry, but we've had a planned approach to data recovery. We're just going into that next phase of planning to set out what we're going to recover when. I don't know if we could say exactly this point exactly when it will come back online, but I'll check in with David Perry to see. We're bringing our services back online in a phased manner, so some of the services are back online already. Some of our licenses, things like septic tanks, some of our waste carrier notices, some of that are online already, but it's going to be some considerable time before we've got all of our services back up and online. When I say considerable time, I mean years. It's probably going to take us at least a couple of years to get all of our services back up and online. Wow, well that's quite a stark conclusion to draw, isn't it? I'm going to now bring in Craig Hoy, who's got a series of questions to put to you. Thank you, convener. Good morning at the screen. Obviously the impact of the cyberattack is significant and will be felt right throughout the organisation, so I'd just like to turn briefly with three questions in relation to staff training and future workforce planning. But just from the outset, it's supposed to just be quite interesting. You all seem to be in quite good spirits this morning, but if you might want to say a little bit about the impact of the attack on staff morale and how that has been managed since December 2020. Yeah, and I'm actually really glad you've asked that question. It's been uppermost in our minds on the exec team throughout. And again, I've just come back to being the victim, being victims of such a significant cybercrime has been very difficult for staff, especially set against the backdrop of the pandemic and what everyone was already going and dealing with personally and professionally. 
SEPA has a culture of resilience, governance, incident and emergency management, so we are used to responding to incidents, but the level of extraordinary flexibility and commitment going even beyond that culture was quite something. This happened on Christmas Eve, the people who voluntarily just gave up their leave, who just kicked in and then over many months carried an awful lot. We've talked about that loss of access to data to some of our services, but we still have the skills and experience and ingenuity of 1,300 people in the organisation, and that's what has allowed us to keep operating services without some of the systems and data that we've talked about. We did a whole range of things. What was absolutely critical was communications, so we kicked in straight away communicating with our staff weekly, sometimes more frequently than that, pulling our managers together weekly as well to support them in order to be able to support staff. The communications was a huge focus so that people knew what had happened, knew what was happening now and what was coming next. That was a major focus. It was really critical to bring our staff back online, because people had lost access to email to everything and the ability to communicate easily. That phasing of bringing people back online over a period was really important. Again, that was a crime. Understandably, there was staff concern about some of the data that had been stolen. There were also protections to staff. We made available anti-virus software for their own use at home. We had great guidance that Police Scotland pulled together to help our staff to understand the actions that they could take to protect themselves and to have a number of supports from the organisation and from others. I also want to mention Unison's efforts throughout this time. We have a strong collaborative working relationship with Unison within SEPA, and the support that they provided to the organisation was absolutely key. 
We gave them a seat at the table on emergency management team meetings, all staff calls and managers calls, as they played a significant role throughout it as well. As a result of the SBRC review, there was quite a high awareness and training. I think that 95 per cent of staff had undergone cyber security training in 2020. Could you just say a little bit about how you have approached the issue since the attack to raise awareness and to develop skills over the emerging risks and the future risks in relation to cyber security among staff? Yes. We had a good level of cyber awareness within the organisation already. As Police Scotland said, we are not a poorly protected organisation in terms of cyber. Training for staff is absolutely key. I will pass to David Perry to talk a little bit about the staff training. As we brought our staff back on board as we redeveloped our new systems, we had an induction session for every staff member that went through do's and don'ts. It utilised the national cyber security centre's security training, so all staff members went through that training. This week, we have purchased new cyber security training and we are about to launch a second wave of cyber security training for our staff in the forthcoming month. As everybody was brought on board following the incident that they went through training, in this month, they are going through a second set of cyber security training. I will put the question to Mr Perry and Helen Nisbitt next, from a SEPA and Scottish Government perspective. Helen described it earlier as a game of cat and mouse, and it is getting cyber security increasingly sophisticated. What impact is that having on workforce planning to ensure that public bodies, SEPA and the wider public sector have the skills that they need to make sure that they can not only recover from the attack but make sure that they safeguard against future attacks? Maybe if I could kick off. Cyber security is an increasing threat. 
It is an increasing threat and, as indicated earlier, it is a game of cat and mouse. There are two elements of our cyber security training. There is the general training that we talked about earlier for all staff, because staff are the best and first line of defence of keeping them aware and keeping them aware of the broad threats. That is one area, but there is a second area, which is the more detailed advanced training for our IS specialists to keep abreast of all of the new and emerging threats. I am pleased to say that, since the SEPA event, we have seen increased support in that second area from the Scottish Government. Since the SEPA cyber attack, there have been regular forums held by Scottish Government cyber professionals where they are sharing intelligence, learning and approaches for some of our cyber security staff to make them aware of upcoming threats and things that they need to be aware of. That has proved very useful in recent months. Perhaps Helen, if you want to comment on that. Sure, thanks very much. As Dave has described, the SEPA experience of that. From our point of view, we rely heavily on the strategic framework for a cyber resilient Scotland that was launched in February 2021. That was built upon the original cybersecurity strategy that was published in 2015. There is a multifaceted approach that we are adopting here. Rather than having a strategy that needs to be reviewed every few years, what we have is a framework that can be built on with successive action plans. We have four action plans covering 21 to 23-year activity just now that run really seeks to achieve the same things across public, private and third sector. The four overarching aims are that, across all the piece, people recognise cyber risks and are well prepared to manage them. Businesses and organisations recognise the cyber risks and are well prepared to manage them. 
Digital public services are secure and cyber resilient and our national cyber response arrangements are effective. In that, there are action plans working across public, private and third sector for that. There is also a training and skills action plan. The key thing that we are trying to bring through there is that we are embedding cyber resilience and understanding of the need for cyber resilience really through the education system, starting with schools, obviously going through and to further education, higher education, so that that general awareness is established. We are also looking to see what we can do to establish a pipeline of skills that brings properly qualified cyber resilience and cybersecurity people into the workforce. As David has said earlier, this is a growing problem and it is unlikely to diminish. We have just one last thing in terms of what support we have been offering in the time after the attack. Again, there are a number of products that are made available by the National Cyber Security Centre that allow businesses to self-assess their cyber resilience. There is a foundation level known as Cyber Essentials that allows organisations to self-assess. There is a higher level of Cyber Essentials Plus, which is basically self-assessment. If not accredited, there are cyber technical challenges brought in that allow organisations to be tested on their understanding to see if there are any weaknesses. There is a product called Exercise in a Box, which is a packaged exercise that can be utilised by organisations to test their understanding, and we have supported both financially and through public awareness the use of that across Scotland in the last several months. 
More recently, and probably just touching upon current events around Ukraine, we have, via the Public Sector Cyber Resilience Network that is established, we have been doing sessions that just raise the awareness of the current heightened level of risks that we are in as a consequence of events in Ukraine. We have set up a daily information sharing cell to ensure that we are picking up on anything that is happening. We have also been able to engage with our own the Scottish Government chief information security officer to conduct all of our surgeries to the public sector primarily just to ask any particular technical questions around our current cyber resilience needs. Right, thanks very much indeed. Some of these broader themes, as I mentioned earlier on, will be picked up in the evidence session that we have planned for 31 March. That brings us to the end of our short evidence session on the SEPA report. I thank once again Joe Greene, acting chief executive of SEPA, Stuart McGregor, David Peary, who joined us visually and audio only at points. Thank you very much for the evidence that you have given us, which has been valuable, and to Roy Brannan, Helen Nisbit and Kevin Quinlan from the Scottish Government who also joined us this morning. If there are any additional points that you feel on reflection, it would be useful for us to have, then do by all means submit those in writing to us and we would receive those gratefully. I am now going to briefly suspend the committee so that we can have a changeover of witnesses. Can I resume this morning's committee meeting with our next agenda item 3, which is a discussion about the Audit Scotland report into the NHS in Scotland 2021? I am delighted that we are joined in the room this morning by the Auditor General, Stephen Boyle, welcome. Alongside the Auditor General is Lee Johnson, who is a senior manager at Audit Scotland, and Derek Hoy, who is an audit manager at Audit Scotland. 
Eva Thomas-Tudo had hoped to be with us, but unfortunately is not able to attend. Auditor General, can I begin by inviting you to give us an opening statement? We have quite a wide range of questions to ask. I am pleased to bring this report to the committee on the NHS in Scotland for 2021. Last year's report focused on the response to the pandemic. This year we turn our attention to the recovery and remobilisation of NHS services, while acknowledging that the NHS remains under severe pressure from the pandemic and the backlog of patients that has built up over the past two years. We have seen the NHS start to emerge from the immediate impact of Covid-19, but it remains on an emergency footing, and the path of the pandemic remains unpredictable, as we have seen with the Omicron variant towards the end of last year. The Scottish Government and the NHS are planning the recovery from the pandemic, but the scale of the backlog will make that very challenging. The NHS must reform. Services were already delivered in an unsustainable way before the pandemic. The Scottish Government must focus on transforming health and social care services to address the growing cost of the NHS and its recovery from Covid-19. Improving the NHS will be very difficult against the competing demands of the pandemic and an increasing number of other policy initiatives, including plans for a national care service and meeting net zero targets. The Scottish Government and the NHS also need to prioritise prevention and early intervention in its recovery plans. The innovation that we have seen during the pandemic shows that positive change can happen quickly and effectively, and that momentum has to be maintained. The Scottish Government published its NHS recovery plan last year and is developing a care and wellbeing portfolio to provide strategic direction for its reform, but it needs to involve the public in deciding how future services will be delivered. 
We have identified workforce availability and wellbeing as the biggest risks to recovery. Staff wellbeing has been affected hugely by the pandemic. The Scottish Government and the NHS have introduced measures to support staff, but it is still too early to tell how effective those will be in the longer term. In addition, the NHS recovery plan makes ambitious commitments and places some big asks on the workforce, already at risk of fatigue and burnout. The impact of those ambitions on staff wellbeing must be monitored carefully. The recovery plan requires a significant growth in the workforce. Those are on top of existing commitments. A new health and social care workforce strategy was published last week, and we will now consider its contents and the NHS's progress against it through our future audit work. It remains the case that plans to recruit and retain staff are ambitious and will be challenging to achieve. Historically, the NHS has struggled to recruit enough people with the right skills. Our report also notes that the availability and quality of data across health and social care is a major risk to recovery and reform. That includes data on primary care, community and social care, workforce and health inequalities, all of which are crucial to planning and scrutinising how services will be delivered. As you know, I'm joined today by Lee and Derek, two of the authors of the report, and between the three of us, we'll look to answer the committee's questions. Thank you very much indeed. We'll press straight on with a couple of questions that Sharon Dowie has got, who's joining us remotely. Sharon. Good morning, and apologies for not being there in person this morning. Bill 0.3, paragraph 6. The report states that the Scottish Government has committed to supplying PPE free of charge to the NHS and social care services until at least March 2022, but it's not clear what the arrangements will be after this date. Do you have any update on that? 
I'll probably just quickly turn to Lee in a second, Deputy Convener, just to see what we update on that. I think that this comment really is consistent with the point that we noted in our PPE briefing of last year about the Government's plans for future will be key, not just for NHS settings but also social care, given the role that the Government played in stepping in to support health and care providers across the country in the provision of PPE. We know that it's a real necessity for clarity for all providers as to given the significance of it. As we've seen as we touch on opening remarks, the pandemic is still in place, there are still variants and all that will have a bearing on what that means for all health and social care settings. If Lee has an update, she may be able to provide if not, we can follow up in writing. You may be aware that the Scottish Government has issued a consultation about PPE. I'm particularly interested to hear the lessons learned and put in place a clear strategy for future arrangements, and they've committed to doing that by the end of this month. Within that consultation document, it anticipates that the provision will extend beyond March 2022, but it's subject to discussion with the delivery partners. We're still waiting on an update, but I think that there is a commitment that it will extend beyond the end of this month. Okay, thank you. Measures to reduce delayed discharges during the first wave of the pandemic between December 2019 and April 2020 were effective in the short term, so could you outline what those measures were? Also, delayed discharge continues to be a huge problem, but what do you believe needs to be acted upon now to achieve a longer-term solution to the problem? It's such an important and long-standing challenge, I would say, Deputy convener, in the first instance. 
I'll bring colleagues in in a minute about some of the circumstances that led to the reduction in delayed discharges that we cover in the report, and how those have grown back again over the course of the pandemic to relatively similar levels. There are three factors that we touched on in the report that lead to delayed discharges, whether they are a health and social care setting, some of the circumstances that patients and their families find them in, that lead to a complex set of circumstances that can result in people being provided with care, not in an appropriate setting, effectively what a delayed discharge relates to. We note in the report that this needs a concerted plan from between the NHS, its partners in local government and the third sector, so that the delayed discharges that effectively this committee and committees across the Parliament have been considering for many years. We move on from being an on-going feature of the delivery of health and social care. I think that it is the case—I'll turn to colleagues just to say a bit more about the circumstances at the early stage of the pandemic—that there was a rapid discharge approach. Undoubtedly, there will be pros and cons to those circumstances, and I think that it is inevitable that some of that will be considered in the public inquiry that follows as a consequence of the Covid-19 pandemic. We note that and, of course, we'll be aware and track that and consider what that means for future audit work in this area. I'll turn to colleagues if there's anything more that we wish to say about some of the numbers. I think that in terms of the late discharge at the start of the pandemic, there was a rapid discharge strategy that was very successful, but that was a temporary arrangement. After that, we did see the numbers rise back to what they had previously been. That's been the case pretty much ever since we've seen them creeping back up. 
There was a slight decrease over the winter 2021, after some medicinal resources had been put towards further measures to reduce the late discharge, but I did check those figures the other day and they started to creep back up again after winter. There's definitely no permanent solution, and we've all seen there's definitely an issue there, but it still has to be resolved. Okay, thank you. You mentioned earlier about workforce issues. In paragraph 20, it refers to the 2021 Royal College of Nursing Employment Survey, which found that 40 per cent of staff worked beyond their contracted hours in most shifts. 67 per cent were too busy to provide the level of care that they would like, and 72 per cent were under too much pressure at work. What steps are the Scottish Government taking to address those issues? There are some very significant statistics in the paragraph that you quote, deputy convener, about the overarching impact that the pandemic has had upon health and care workers. The numbers that we quote in the paragraph that we draw from the Royal College of Nursing Survey relate specifically to nurses, but it's safe to say that the pandemic has affected all health and social care workers across the piece. I think that in our report last year, we drew in some of the work of the BMA in some of its own conclusions. In terms of the actions that the Government has taken, we note that there are steps around helplines, additional rest areas, provision of meals and so forth, as a means of mitigating some of the impact. The longer-term benefit of those and whether those will be long-term plans remains to be seen. We will expect the NHS to continue to evaluate what that means. The power has been restored. Can I bring you back in? You were telling us about the findings and the evidence that you had looked at in the whole area of staff wellbeing and the surveys that have been carried out by people such as the Royal College of Nursing into the views of their members. 
The Royal College of Nursing about the impact that the pandemic has had on their members and some of the steps that the NHS has taken to mitigate that impact remains to be seen convener and the extent of which that will have a long-term bearing. We look to the future in the report as well and note that the remobilisation and the recovery plan will draw heavily on existing and new staff to deliver NHS priorities and recover against the backlog. All of that will be key to ensuring that the risk of fatigue and burnout that NHS staff are already experiencing is not exacerbated by the implementation of what we say are ambitious and challenging plans. The report draws to our attention additional funding that has been made for the express purpose of attending to staff wellbeing. The figure is £8 million and £4 million. It does not sound like an awful lot of money to me compared to the overall budget of the national health service. Is it addressing the scale of the challenge that is there? I will bring colleagues in in a moment if there is anything that they wish to add about how the Government intends to evaluate the impact of the spending. There is no denying convener that the relativity of the amounts compared to the overall NHS budget are small. Some of those will be about culture and management as well as additional spending. Our assessment is that it is probably too early to tell what the impact of those will be. With all of the challenges that we have seen upon NHS workers and guarding against the risk of increasing that pressure as we look to recovery, the NHS is clear what bearing it has had that those schemes are having on their colleagues. I will turn to Derek or Lee if he wishes to say a bit more. We did look at the Government's arrangements in some place around the new measures that have been introduced to support staff wellbeing. We were quite satisfied that they were robust. 
There is a plan in place to evaluate and monitor the new measures that have been introduced. As the auditor general said, it is at various stages. Those are measures that will have a long term effect, so to know how effective the address is now is really not possible. What we do know is that generally over the piece engagement with the measures that have been introduced is quite good, with the exception of maybe the telephone helpline, which is understandable, given the nature of the way that people might want to seek out support. Generally speaking, there has been a good response to those. Early feedback suggests that those measures that have been introduced are having a positive effect and that people are benefiting from engaging with those services. What we have said in the report is that what we need to see is for the Scottish Government and NHS to continue to engage with a workforce to ascertain whether or not those measures are the right measures, whether they cover the breadth of support that is needed across the workforce. For now, as much as could be done, it has been done, but there is a job still to do going forward to monitor and to evaluate that. Again, as I read the report, Derek, there is a short-life working group being established. Is that sufficient to properly monitor the impact that those measures are having? That working group is part of a range of different groups that have been set up to monitor that. There are other arrangements in place that are going to be more long-term. Although there is that one short-life group, the rest of the arrangements in place are, from what way, determined, quite robust and suitable. Obviously, it remains to be seen if that remains to be the case. We will, hopefully, keep an eye on that. We shall keep an eye on the trade union and royal college surveys in the future to see whether there is a move backwards or forward. 
I will now bring in Craig Hoy, who has a series of questions about the element of the report that looks at diagnosis and treatment backlogs. Craig, thank you, convener. Good morning, Mr Boyle. Obviously, we know that the treatment and diagnosis backlog has got significantly worse because of Covid, but Covid is not, in many respects, the principal cause. NHS boards around Scotland are now working to try and tackle that backlog, but you refer to the report that is still significant. So, are you aware of any health boards in Scotland that are making good progress in this area, and, conversely, are there any health boards where you have concerns about the pace in tackling the backlog? I will bring in Mr Hoy in a second to elaborate on the local geographic circumstances that we are seeing. If I may draw the committee's attention to Exhibit 4 in the report that sets out across a range of indicators the impact of the pandemic. You rightly know that there were challenges in NHS capacity before the pandemic, but we are seeing an increase in demand, a reduction in activity and longer waits as a consequence of the pandemic and the circumstances that the NHS is facing to tackle the backlog. The other contributing factor is that, as we saw over the course of the pandemic, fewer people were presenting in the numbers that had historically been the case. There is a missing cohort of the population with undiagnosed illnesses that will inevitably present in years to come. Unfortunately, that is likely to be with illnesses that have been progressed than they would have been and the urgency that that brings. The NHS plan in terms of tackling the backlog relies significantly on the presence of national treatment centres and the recruitment of more staff to provide the services in those centres. Some of the national treatment centres are already in operation, so the Golden Jubilee hospital food is classified as one of those. 
There are other plans to increase capacity around the country to do so. The central component of the NHS recovery plan is that the centres are up and running, and the timing of that varies across the country through to—I think that Lee will come in with some of the detail in this in a moment—to 25 or 26. Long to medium-term plans to deliver those. How that translates into regional variation is probably too early to tell if we have a clear picture as to whether patients around the country can expect variation of whether there will be a national picture. Lee may wish to say a bit more. We did not look at any boards particularly. We looked overall, but one of the main points is that, as we say in our report, in November 2020, the Scottish Government published a clinical prioritisation framework. In our 2020 report, we asked for that data to be published. Again, we have made that recommendation because that data is still not available. That is really the data that will start to give us an idea of how different NHS boards are tackling their waiting lists and waiting times and how many patients are being seen and when. That data is still not available. Just a question that I asked NHS Lothian last week. Do you know how many patients may have chosen to go through the independent sector to self-fund treatment during the pandemic? Is there any way of capturing that data other than simply when their appointment comes up? Or are they elect to drop off the waiting list? I am fairly confident that we do not have that analysis. It was not a direct feature of our assessment of the waiting list and whether there was a clear, evident, comparable group of the population that were not featuring the numbers that would have been anticipated. If NHS Lothian or individual health boards are not able to provide that, Mr Hoy, perhaps the other route would be through Public Health Scotland that the committee may wish to explore. 
As you would expect, we will look again at our own data to see if we have that information. If we do, we will share that with the committee. Obviously, the report included the recommendation, as you said, Ms Johnson, to publish data on waiting times based on the categories in the clinical prioritisation framework, which has been progressed by Public Health Scotland and NHS boards. What role is the Scottish Government playing to implement that recommendation? If the information has not yet been published, what more should be done to ensure that we manage to get that data out there? We have spoken to the Scottish Government and Public Health Scotland about the data. They hope to publish it soon, is what they are telling us. They are just working on, as with any kind of new data set, about the robustness and reliability of that data. They need to be sure that the data is robust and reliable before they publish it and make it publicly available. They are taking steps to make sure that that is possible, and they have promised that it will be soon, but we are still waiting. Obviously, the issue of GP appointments has been in the news quite significantly both in terms of face-to-face appointments and appointments through Near Me, for example. It seems to be that the report is highlighting that data on the number of GP appointments carried out is not yet available. That means that it is difficult to determine the true number of people who avoided seeing their GP during the pandemic and who, therefore, might be effectively storing up health problems for later that could present in a more extreme way. Do you know why that data is not available, and do you believe that the Scottish Government should be doing more to gather and disseminate that data? I will listen to what I can say about the point about why the data is not available. 
However, the committee will recognise that this is a recurring theme of our reporting about the need for more robust data around all aspects of public services. However, how important it is in the consideration of the NHS and the future of the NHS and different service models, so that it will be key to determining how best to reform the NHS to have a clear understanding of current demand and future demand patterns. We note that, yes, you rightly pointed out GP, but really across primary care aspects of acute settings as well, that the quality and connection of data is not as strong as it needs to be. It is a key recommendation from our report that the Government and the NHS make progress in doing so to give it many of the more levers scrutiny and to track progress for its reform agenda. Again, Lee may be able to say a bit more about the point about GPs. I do not have a great deal to add other than, again, saying that this has been a recurring theme for us. We cannot get access to the activity and demand in GPs. Over the years, we have tried to implement different systems. We have been waiting on the SPIRE system. Here we are and still we do not have access to that data. The only thing that I would flag is in the new health and social care workforce strategy. One of the commitments that the Scottish Government has made is to do an annual survey of GPs. That may give us more information about the workforce, because, again, it is another area that we do not have a huge amount of data. It is about staffing in GP practices, either, but that may give us more access to data going forward, but that has not been implemented yet. Of course, it is a survey and all the challenges that that can bring. One of the stark statements in the report, which is paragraph 45, says that the scale of delayed diagnosis and treatment and what that means for NHS services and patients is not yet known. 
To try and make progress in relation to that, you recommend that a cohesive strategy is needed to better understand the wider health impacts of Covid-19 on the NHS and to inform future service provision. Do you know if the Scottish Government has any plans to develop such a strategy? We know that, as you suggest, it will be for the Government to determine its understanding that it has accepted the recommendations in the report. Whether it is a stand-alone or featured as a dedicated strategy, the Government will be able to advise Mr Hoy. The importance of it is key. As we have already talked about, delayed diagnosis has significant health consequences for the longer term. Along with the report that broadens out into the unequal impact of the pandemic, both in terms of delayed diagnosis and across different groups in society, so it is a key feature of our recommendation from today's report. I will take you back to the GP's point. I am a bit at a loss to understand why that is so problematic. Is it because GPs are saying that we are so busy getting on with it that we do not have time to record those things? Have health boards asked them of it? Are they saying that our GPs are saying that we are independent organisations and that we make our own determination about what our priorities are? Why is there such a long-standing problem in finding that information out? It seems to me that, for GPs themselves who are defending a position when they are quite often under attack at the moment because people feel that they are not getting access to them, if they were able to demonstrate with evidence the extent to which they were meeting patient demand, it would serve their cause better than a complete absence of data, would it not? 
I think that there is a combination of all those factors, convener, as to why the data is not, we will want to say a bit more, but she specifically mentioned the lack of progress on some new technology, Spire, for example, being one of the anticipated system implementations. You are right, even some of the innovations that we have seen through the pandemic, but Near Me, for example, it is changing the way that patients interact with their GP, and typically for almost all of us it will be the first call for health services. All the more reason that there needs to be a coordinated strategy, progress, that we have robust reliable data, not just in one sector at a time, but really across our health and social care services. I think that it is a combination of the contributing factors that you mentioned, convener, but Lee may wish to elaborate further. Again, not much to add to what the Auditor General has already said, it is a combination of factors, but for example, the Spire, one of the issues that we know with that is that it was up to the practice whether or not they implemented the software that they needed to be able to give that and fewer GP practices than they had hoped signed up to that, and that was their choice. So there are lots of problems and challenges involved in trying to get that data from GPs as well. They talk about how busy they are and entering data manually can be time consuming for them, so it is a whole host of issues that have not been resolved yet. I am sure that ourselves and other committees in the Parliament may well be returning to this point in the future. Can I move on to another area, which is of some interest in the report? That is that whole question about long Covid and long Covid rehabilitation. I think that you point to that there are nine studies to develop the clinical knowledge base for understanding long Covid, which has been funded by the Scottish Government. 
Can you give us a bit more information about those studies and a bit more, for example, about the timescales for that and how the results will be reported to the Scottish Government to inform its future decision making around this area? I think that we will say as much as we know, convener, and colleagues can assist me on this. We set out in the report that the Scottish Government has announced a £10 million long Covid support fund that is being built on the surveys that you note to inform their understanding and their approach to long Covid. I think that it is that understanding point that is coming through in much of the Government's commentary on it, that it feels still very early days that long Covid can refer to a multitude of different conditions and different experiences that patients have from it. Nonetheless, it matters to patients who are affected by it. It is very real and direct the impact that it has on their ability to lead a normal life. We have not done any dedicated audit work on this. We will continue to track and monitor the Government's progress on it, as ever, given the significance of it. Link to the other line of questioning about the clinical prioritisation framework, it matters that it is clear and transparent, that patients can have a clear understanding of what services they can get for long Covid and that they can manage their expectations and what treatment options that they choose to take. I think that this is something that we will come back to. You mentioned earlier on, Auditor General, that one of the central recommendations of your report is around the very unequal impact that Covid-19 has had. If I look at paragraph 58 in the report, you reflect on your report from last year, where you relied on data provided by national records of Scotland, the Scottish Learning Disabilities Observatory, who concluded fairly starkly. 
I thought that those from the most deprived backgrounds and from some ethnic minority backgrounds were more likely to die from Covid-19. Further data has shown that disabled people were more likely to have died from Covid-19. Adults with learning disabilities were also at a greater risk of being hospitalised or dying from Covid-19. That is quite harrowing, isn't it? Frankly, it is something of an indictment on our society that this is a feature of the pandemic. You then go on a couple of paragraphs later to say that you have reviewed it again this year and that there is still a disproportionate impact of Covid-19 on certain groups, which has led the Scottish Government to address that in some measure by focusing on tackling health inequalities. However, you then go on to say that there is still no overarching strategy. Do you want to say a little bit more about that? Thank you, conveners. It is really stark, and I think that the unequal impact that the pandemic has had across society. You rightly mentioned that we featured that prominently in our 2020 overview report of the NHS, and we do so again this year. NHS and Government's understanding of the impact of the pandemic is increasing, so we note that the Government in September of last year published its race equality priorities plan to ensure a more equal and fair recovery from Covid-19 for Scotland's minority ethnic communities. We note that there is still no overarching plan for the Government to address all of its equality requirements and the impact that the pandemic has had on people from Scotland's disabled communities and from those from our more deprived communities. We are clear on the need for the Government to develop an overarching strategy so that it better understands the impact of its interventions over the course of this pandemic as part of its preparations into the future. It is probably safe to note a couple of other developments, convener, if I may. 
The Government's plans for a health inequalities unit as part of its overall arrangements to tackle health inequalities and also the role that Public Health Scotland will be playing in terms of inequalities. Public Health Scotland was set up with this purpose in mind as part of the joint arrangements between the Scottish Government and COSLA for the time of its creation at the start of the pandemic. It is, perhaps, understandably focused on the Covid-19 response. As the pandemic ebbs, it will have a very clear role, too, and part of that will be the development, not just of a strategy. The important thing, and I want to say more about this, is that strategies in themselves are important, but what happens after the strategy is that there are clear plans, measurable milestones and good-quality data to assess its implications. None of that detracts from the overall point in the report, convener. There are still hugely stark disparities of how the pandemic has been felt across the country. I am going to move on now and we want to speak a little bit and ask questions around the NHS recovery plan, so I am going to ask Willie Coffey to come in at this point. I wanted to talk about NHS recovery workforce and try to connect it with the skills issue as well. I know that the Government agrees that innovation and service redesign is essential, and I am taking back to Bob Black's time when I sat in the committee. I think that Colin Beattie was there, too. Bob presented a report like this saying that service redesign is essential. I know that there has been a lot of work done since then from then until now, but you say in your report today that we are looking at today that there is not enough detail in the recovery plan to give us the assurances that we need about those ambitions and the timescales that might apply. Could you talk a little bit more about that? What kind of information do we need in the recovery plan to help us to drive the redesign process forward? Thanks, Mr Coffey. 
I will bring the in shortly to say a bit more about the detail of the recovery plans and what is required. You rightly referred to the work of my predecessors and the fact that auditors have been reporting on the need for reform, detail and high-quality data. I am the unsustainable nature of the NHS, too, that reform is a key component of that. In today's report and in my introductory remarks, I noted that the NHS has recently published its workforce strategy, and in the report that was not available. We note that as a positive contribution that the Government is beginning to set out how it will go about recruiting the necessary staff to support the recovery of NHS services. One thing that is perhaps worth noting is that that does not accompany the necessary detail for the Parliament, for users of the NHS, to make an assessment as to when they will get the service, the operation that they are looking for. Positively, it commits to an annual progress update in terms of the workforce strategy and its contribution to the recovery. That is linked with clear transparency around the national treatment centres, the clinical prioritisation framework and the steps that we would expect to see. Ultimately, we know that there is a big backlog. We know that there will be challenges to recover and deliver, but people's expectations and managing those expectations are a key part of the transparency that we all expect. I will turn to Lee, Mr Coffey. I am sure that she will want to say a bit more. Thank you, Mr General. When we talk about there not being enough detail, as the Auditor General said, at the time we did not have the health and social care workforce strategy, so it had some very big ambitions around increasing the workforce yet very little detail about how they were going to achieve that. We now have the strategy, but obviously we need a bit more time to make a more thorough assessment of the detail within that strategy. 
I think that one of the other areas that is key to the recovery plan is the national treatment centres, for example, yet there is very little detail about how they will operate in practice. I think that we would like to see more detail around, for example, how NHS boards will access those services. That is what we say in the report as well. Back in 2017, we talked about the layers in the NHS and the layers of planning and how it was not clear how they would all work together. I think that the national treatment centres will just add to that complexity, so we need more detail about accountability, roles and responsibilities, but also how NHS boards will access those national treatment centres. Before I ask a little bit more about the workforce planning and so on, in the whole question about service redesign as it applies to the GP practice experience, do you think that we have done a good enough job in taking the public with us in those changes? I still get a lot of issues being raised by constituents about access models and the public's expectation that the system that we had should be the system that we have going forward. Do you think that we have made enough progress in taking the public with us and changing that model for the better? We are clear in the report, Mr Coffey, that when transforming services, public bodies have to engage with the public in a meaningful way. So, whether they have done that up until now, there will be various views, I am sure of that, but the scale of transformation that the NHS requires to move to a sustainable model that prioritises preventative early intervention, some of the changes in technology and innovation that we have seen over the course of the pandemic, whether we will want to retain those with full quality impact assessment evaluations of how they are felt by different groups in society is important. It matters that people feel that the changes are relevant to them and that they have had their contribution. 
We are looking into the future in today's report and saying that that is a key part of reform that the public is engaged with meaningfully. Turning to the workforce issue, we know that there is more staff working in the NHS than there has ever been, certainly since 2006. It is up considerably, but you are still saying that recruitment is still an issue for us. Is retention an issue in there as well? Are we losing staff from the service and can we pin that down to Covid particularly? Is the recruitment issue connected to the Brexit issue our ability to find and attract staff to come in to the service? Is our whole recruitment strategy working or should we be doing to improve it? There are a number of components to that, and I will do my best to cover all of it. I will bring colleagues in as well. As Lee mentioned, the health and social care workforce strategy will be key. Together with some of the numbers that we have set in our own report, the NHS recovery plan identifies the ambitious plans to recruit 1,500 new clinical and non-clinical staff for the national treatment centres by 2026. It is significant on top of existing commitments and already vacancies in some NHS disciplines. Historically, the NHS has struggled to recruit and retain enough staff to meet all its ambitions. There are other relevant factors, so you mentioned a couple of them—the risk of fatigue and burnout of staff well-being in the NHS in the back of two incredibly challenging years, and the impact of the UK leaving the European Union as well. On that last point, as we know in the report, it is probably too early to tell the overall impact that Brexit has had on NHS workforce and what that means for the delivery of the future strategy. All of this is saying that there is a huge number of variables going on at the moment for the NHS to get the people that it needs in place. 
To support them so that all of us as users of the NHS can understand when we will get the treatment services that we are looking for. The strategy is welcome. What needs to happen now is that there are detailed plans accompanied by annual reporting monitoring in a clear and transparent way. Lastly, from other work that we have been doing in this committee about skills identification that we have discussed at previous meetings, how does this work? How does this tie in with that strategic approach to skills identification? I was particularly asking in an Ayrshire context at that particular meeting how, for example, do we demonstrate, do we show, do we identify the skills that we need? For example, in NHS Ayrshire and Arran to meet the demands going forward, how do we tie in with the strategic approaches that are happening elsewhere? I will bring Lee-Ann to support that. All of the NHS boards will prepare individual workforce plans, and that will be not just for the hearing now but plans into the future part of their workforce strategies, including a national strategy, particularly with some of the scale of the changes at the moment, which makes that all the more important. As you mentioned, Mr Coffey, some of the committee's ongoing discussions about skills planning are particularly relevant in the NHS context. Social care, as we have touched on already today in terms of the impact and the interconnectedness of delayed discharges, the success of that plan will be determined by the extent to which it applies across a health and social care setting, not just for the recruitment of additional nurses but for the health and social care across the piece that has all the right skills in place. A key role for the local health board and for its partners in local government and the third sector is that there is an understanding of the movements between different sectors and that, ultimately, patients do not really care. 
They want the service to be provided to them when they need it to be. They care less about the role and organisation that the person works for. In overall terms, we are noting progress in the strategy but that needs to be accompanied by more detail on an individual geographical basis. I will bring the NHS if there is anything more that she wishes to add. The only thing that I would add is the work that the NHS and social care workforce strategy that was published is based on what they have called five pillars. There is plan, which we welcome because it focuses on the workforce data and how they get better data and how they are going to improve their workforce planning, which we have been calling for for a number of years. Attract, employ, train and nurture. The training aspect of that is looking at the skills that we need and how we are going to get those skills, whether that is through working with colleges, universities or retraining people or reskilling people to do different things. There is a focus in the workforce strategy on the skills that are needed and how we are going to get them. The only other thing that I would add is, with the innovations that we have seen during the pandemic, a lot of digital technology, the use of Near Me and the digital strategy that we have. There is a big focus in there as well about having people who have the right skills to be able to use that new technology and the new digital advances that we are seeing in the healthcare sector as well. Do you think that we are doing enough to make the public aware that those opportunities are there? Every year that I have been in this part, we identify issues about the skills. I represent a constituent that says that the unemployment levels are almost higher than they are in the rest of Scotland. We need those skills for the future to help us to redesign the service. 
Who is closing that gap between skills that are needed within the service and making those opportunities available to local people to fill the gaps? We seem to say every year that the gap is still there. How do we close it? Is it strategies? Is it documents like this? Is it workforce planning? How does it reach out to the public to draw them in to the services that we need them to fill? It is undoubtedly complex, probably too complex. Actually, I think that that is probably one of the barriers to why it has not impacted in the way that, ultimately, we would all like to, so that there are not the historical vacancies and that there are appropriate plans, strategies and real life steps that will recruit and retain the staff that we will need for health and social care. The committee has spoken in recent weeks about some of the real and immediate challenges in social care. I think that absolutely part of it is about promoting the opportunities. Other fundamental factors, too, about fair work parity between health and social care settings for people who have the skills that are transferable between those settings, and some of the longer-term planning through the important role of Scotland's colleges, universities played through Skills Development Scotland and their skills programmes. People see that as a long-term career option that will meet their ambitions, give them a fair work environment and so forth, so I think that it is multifaceted. It is probably too early for us to form any judgment about this particular aspect of workforce strategy, but given how central it is to the recovery and reform of the NHS, it is clearly part of our own work and we will continue to report on it through this year and beyond. Thank you very much for that, convener. It just occurs to me, are there any health boards or any parts of the NHS that carry out any exit interviews to understand why people are leaving because of retirement, better pay elsewhere, or does any of that go on? 
I will turn to colleagues if we have any examples to support, convener, but I think that it would be my expectation that everybody would have an exit interview when they leave any job and particularly if, as we are talking about the NHS, the NHS would want to have that good practice. I think that it has been a feature of employment arrangements for decades now, so that intelligence ought to be there and used is the point that you are driving at, that it informs employers, the NHS in total, their understanding of the experience that people have, the reasons for leaving, and even more important, especially on the back of the past couple of years, that risk of fatigue and burnout, so that they understand what that means for the experience that they are giving people who work in the NHS. Again, I will ask if Lee or Derek have any other real-life examples that we can share. I do not have a real-life example because I do not think that we have not looked in detail at what the boards do, but through our conversations with the Scottish Government, one of the things that we know that they are trying to do is to track people's careers, so that they understand—for example, the 1,500 staff for the national treatment centres, obviously one of our concerns is that those staff will possibly come from NHS boards, so it is almost taking staff out of one place to staff another place. In our conversation with the Scottish Government, we are talking about the fact that they are going to try and track people's career through the system, if you like. If they leave trying to understand where they are, where do they go? What is it that they are leaving for? How can we prevent that going forward? How can we try to retain them within the system, rather than going somewhere else? I know that the Scottish Government is doing some work around that. The other thing that they have committed to do in the workforce strategy is to publish, again, annual progress reports. 
We welcome that, so hopefully we can keep an eye on the progress that they are making with some of those commitments that are within the strategy. I think that that is very helpful, because it is surely about retention as well as recruitment, is it not? Colin Beattie has got some questions to ask. Colin Beattie. In general, I have a couple of areas that I would like to cover, neither of which will come with much of a surprise. The first one is leadership. Leadership has been discussed and debated in this committee now for many years. Leadership in the public sector and the quality of our leadership is absolutely vital that we have the right people in the right place. One initiative that was put in place is the Project Lift leadership development programme. What has the impact of that been on development and retention of leadership in the NHS? I will ask colleagues to say as much as we are able to about the impact of the project. The intended impact will have been interrupted by the pandemic. We would recognise the vital role that leaders play in the NHS as they allude to the committee's on-going interest in it. It is not that long that you held a round table as your predecessor committee about some of the leadership challenges and opportunities in the NHS. It is equally not that long that we have commented about the extent of turnover of leaders in the NHS and the extent of vacancies that existed. The vital role that they play in the delivery of services. We would also note the real pressure that leaders in the NHS have been under over the course of the past couple of years, in particular, in delivering services in unprecedented context over the course of the pandemic. 
As we look to the future, particularly the health and social care workforce strategy, yes, it matters that the NHS is able to recruit to support the delivery of the recovery plan, but equally that their plans for leadership, for succession planning, for accountability and effective governance are also there and consistent and well managed. Project Lift is part of that. Whether we are able to say at the moment how successful that has been, I will turn to colleagues to express a view, but it matters for us that we continue to report and track that as well. If long-term effective leadership will be vital to the success of the reform of the NHS, I wish to come in. We did not look in detail at leadership this year, mainly because it was more stable since our last report. There have only been four new chief executives, three of which were in national boards and one in a territorial board. That churn has not been the same. As the Auditor General says, we would probably be more concerned about the resilience of the leadership going forward, having had to deal with everything that they have dealt with through the pandemic, obviously with new policy initiatives coming online, like the national care service, putting further pressure on already exhausted leaders. We did not look in any detail at the lift programme, but I do not know if Derek might want to… To be honest, we struggled to ascertain what impact Project Lift has had. Again, as I said, we did not look at it in a great amount of detail. What we do know is that things are moving on now in terms of leadership support and development. There is a new national leadership development programme that is just kicking off. We are not entirely sure yet of the relationship between Project Lift and that new programme. We are still trying to get to grips on that. We will need to do more audit work in that area to fully understand that. What we do know is that there is a succession planning programme within the NLDP. 
There has been previous work on succession planning, and we are not entirely sure how those two pieces of work relate or come together. There is more work that we need to do to get to the bottom of that, but, as Lee and the Auditor General said, there was not a particularly strong focus of the report this year. It is probably too early for us to really comment too much in this stage, but there are developments there that we need to monitor. That was part of my next question exactly about this brand new work stream that has been put in place, the national leadership development programme and how that fits in with Project Lift, how it complements it and whether there is a risk of duplication in connection with particularly succession planning in the NHS. From what you are saying, you have not really got any answer at this point. No, Mr Meath, I think that the more work is needed to understand that. My understanding is that the NLDP will build on Project Lift, so it should benefit and then be complementary, but we definitely need to find out a bit more. We need some more information on that, I think. It is important to know how they are handling leadership succession and so on, because good leadership is absolutely essential for the NHS. Just coming back to what the Auditor General was saying in relation to Covid, Covid of course is still not gone and it is still overwhelming some of the hospitals and taking up a huge amount of NHS time. How practical is it bringing in these programmes and trying to make them work in the middle of what is still a crisis? I mean, are we just asking too much or should they be putting this on some of these initiatives and leadership and so on and on hold until things are more stable? We note in the report that the NHS is still on an emergency footing as a result of the pandemic. Whatever expectations we may have had in November of last year, we are quickly reset as a result of Omicron. None of us have a crystal ball as to what may come next. 
It is that balance, I suppose, of dealing with the here and now of the pandemic, the emergency footing, which we anticipate will be at the end of this month. It is reasonable to look to the future to think about reform as well as recovery. We are keen to make that distinction in our reporting that it is not a recovery to an unsustainable model but a reform of the NHS to move to a system of health and social care that is preventative, closer to people's homes, less focus on an acute setting and fewer emergency unplanned interventions. All of that is building on high-quality data and so forth, but there are risks involved. We have touched a number of times in the committee in recent weeks about other initiatives, the national care service in particular, the demands that that will place upon the NHS's capacity and its leadership to develop its work towards that at the same time as reforming the NHS. The two undoubtedly go hand in hand, but the risk is that there are capacity constraints, whether it is timelines that drift or that there is a lack of high-quality data that inhibits planning, milestones, project management and scrutiny. We are touching on all of those points in the report that, as ambitious plans are taking forward, there is a reality about what is actually manageable and achievable, given that, as you started off, Mr Beattie, we are still in the midst of an emergency footing in a Covid-19 pandemic. Clearly, leadership is going to be key to managing our way through all this. Let me move on to one of our other favourite areas, which is data, which seems to come up at every other meeting. We are talking about collecting data here on social care, health and social care. It is acknowledged that there is poor data sharing, and I think that difficulty is in accessing health records and so forth. There are a lot of issues around that. What timescale does the Scottish Government and COSLA have in developing a data strategy for health and social care? 
I will quickly turn to colleagues. We note reasonably that, before I do that, the Scottish Government and COSLA has published a revised digital health and social care strategy in October. However, as you mentioned, there remain gaps in place for the provision of a collective, robust, reliable dataset across primary care, social care, inequalities and workforce. All of that needs to be captured in a robust, not just strategy but detailed, plans in place that go alongside that, Mr Beattie. I will check in, if we have any more detail about when we can expect that. We are expecting the data strategy later this year. That will focus on the availability of data to understand the demand and activity that we have talked about. There are some gaps, but it will also talk about how we can share data as well between different systems, which we have talked about lots of times, particularly in our integration report about the lack of sharing of data. We are expecting that later this year. To what extent will the data strategy improve the collection and sharing of health and social care data? That is a little bit of speculation at this point. As the other general mentioned, there are clear gaps. Are we satisfied that the strategy is going to cover all that? I think that it reasonably remains to be seen. As you suggested, Mr Beattie, we would be speculating. Having said that, I think that it is right, and after so many years, so many audit reports and strategies that we are still talking about data gaps, barriers to sharing data effectively between different public bodies feels unacceptable. It feels like we have to move on from this. If we are genuinely talking about the reform of public services, the reform of health and social care, that is one of the pillars of allowing that to happen effectively. It is welcome that the Scottish Government and COSLA are doing that collectively. We look forward to seeing it, as Lee mentioned, to forming a view on that. 
I remain optimistic, Mr Beattie, that the strategy will be the foundation for which to address some of those long-standing data issues. An optimistic auditor. Does Audit Scotland have any input into that in terms of the reports that you have produced in the past, and that you have given historic recommendations and so on? Are those being taken into account on that? Implementation of recommendations and so forth has come up before this committee many times. We have regular engagement with both COSLA, local authorities and the Scottish Government in terms of their progress in implementing recommendations, and we report that publicly through our work. As ever, we strike the right balance in terms of the independent audit function that we provide as opposed to providing advice or consultancy, which is our responsibility for the management of those organisations. Having said that, it is important for us through the development of our work and our audit reporting that we understand public bodies' progress and thinking, and we look to do that through regular engagement with public bodies just to track where they are progressing. As you would expect through our public reporting, given how important that is and how regularly we have been commenting on the data gaps and the importance of quality data to support progress and scrutiny, it is very clearly part of our forward work programme. Thank you very much indeed. The final series of questions that we have got are around NHS finances. I was struck by paragraph 115 in the report where you use the well-chosen words that we are used to from you, Auditor General, where you say that the Scottish Government is providing additional support to six NHS boards facing a particularly challenging financial position, and you then go on to say that those boards have got to submit monthly plans. 
Every month, presumably, they have to submit plans that outline savings that they are making, and that is during a period in which we are still in an emergency, effectively. I know that one of the six boards that have been affected is NHS Highland, which has been the subject of a section 22 report, which we considered earlier this year. I wonder whether you could perhaps reflect on that position and tell us whether your understanding is that the financial positions of those six boards will be improved by the 2022-23 year. Thank you, convener. I would hesitate to be definitive or give you a prediction in terms of the overall financial position that those boards will settle on. The distorting effect of the pandemic has been clear. In previous years, we regularly spoke about brokerage arrangements that NHS boards would receive in financial difficulties, and that then evolved into more medium-term arrangements, financial planning framework and so forth. To an extent, but not entirely, some of those arrangements have been put aside as the Government stepped in over the course of the pandemic to fund health boards' financial requirements, so that all boards broke even. I think that what we are seeing is an evolution of that, that there is a more targeted focus by the Scottish Government on particular health boards through the evaluation of savings plans' longer-term financial position to make a judgment about how they are progressing towards financial balance. I think that a couple of things to note perhaps is that the Government is planning to review the overall cost allocation model, which will be a feature of the financial position of individual health boards in the future. It is rightly still having oversight of individual health boards' progress. You mentioned NHS Highland. 
The committee has explored the specifics of NHS Highland, its cost model and so forth, some of the arrangements in terms of delivery of acute services at Raigmore in particular have featured on that. As you would expect, we are continuing to audit the individual health boards. As part of our annual audit, we assess financial sustainability and financial position. We will draw on some of the judgments and the interaction that the health board is having with the Scottish Government in arriving at that longer-term judgment as we report towards the end of this year. I will come back to the funding formula, which is the subject of some review at the moment. However, one of the other aspects of the report, which set out pretty clearly the financial challenges that the NHS in Scotland faces, is Exhibit 8, which contains a breakdown of funding by key items. You break down in there spending on, for example, drug and medical supplies, and the amount that was spent on prescribed drugs in secondary care was £818 million. In primary care, it was over £1 billion that was spent on prescribed drugs. There is the spending that we know about on PPE, testing kits and further medical supplies and so on. To what extent is the Scottish Government taking into consideration how we expect there to be potentially further inflationary rises or increases in demand, which will lead to a requirement for an increased budget to meet those items? The NHS is planning its overall financial position on a long-term basis. As you touched on, convener, there are some existing financial pressures. The pandemic has played a part in that, and then there are now some of the emerging inflationary pressures that we are all seeing in terms of cost of living. That will feed through to the procurement costs that the NHS will face. 
In overall terms, that will be for the Parliament and through its consideration of the Scottish budget and any budget revisions that it looks to make in light of the pandemic and as we emerge from it. I think that one of the points that I would make about the sustainability of the NHS is that Audit Scotland has commented in many reports and we do again this year about the unsustainable financial position of the NHS. As you mentioned, we are seeing a number of boards experiencing financial pressures. However, for us, that makes the case again for the need for reform to move to a more sustainable delivery model and accompanying financial model that the current challenges in terms of cost of living inflationary pressures will exacerbate further. As I mentioned, convener, in overall terms, that will be for the Parliament to determine its priorities and for the NHS to manage its resources within whichever allocation it receives. The roll call of NHS boards that are in that tricky financial position include small boards such as NHS Orkney but also include NHS Fife, NHS Ayrshire and Arran, NHS Borders, NHS Dumfries and Galloway and NHS Highland. That is quite a substantial issue, is it not? You mentioned that the funding formula was reviewed, presumably, to appreciate whether or not funds are being distributed as effectively, efficiently and equally in their application as they ought to be. However, our understanding is that a date has not been set for the completion of that review or an implementation date for that. Are you any wiser about when we are likely to see any changes, what those changes might be, what are the criteria that are driving that review of the funding formula and, presumably, therefore, the allocation of funding between different territorial boards, potentially, as well as different tiers of the NHS? I think that all those factors are relevant, convener. 
As we know in paragraph 118, the Scottish Government has not set a date for this review to be completed. However, it is very significant for individual boards. Perhaps it speaks to some of the earlier conversations about staffing. What to guard against is to, in reviewing the funding formula, that issues of parity are moved from one board to another. Through the current NRAC formula, the national resource allocation model, the basis for funding to individual boards is currently allocated. In evolving from that, as I suggest, we do not move from transferring concerns about overall funding from one place to another. However, it is elevated to what the overall financial requirements for health and social care will be in the future. That is just one component of it, but, in overall terms, it requires us a co-ordinated workforce planning estate strategy that evaluates how health and social care services will be delivered in the future. On that note, I will draw the session to a close, but I thank the Auditor General for the evidence that he has led, and Lee Johnson and Derek Hoye, who have contributed this morning. It is greatly appreciated. I will now close the public part of this morning's committee, and we shall go into private session.