Seòmar agus comataidhean

Has the review completely reshaped the entire skills alignment programme? Has it completely changed how we think about it and what we intend to do? Is it fair to say that it has had a major impact on rethinking the direction of travel for the programme?

Will you say a wee bit more about that? There has been a skills alignment assurance group, and now there is a shared outcomes assurance group. What is the fundamental difference between the two? Do you have confidence that the new group will be an effective way to monitor progress as we move forward?

The backup data seemed to be targeted at an early stage. I am a wee bit surprised about how easy it was to access the backup systems. From my long experience of working in computing, I would have expected it to be logical for the backup data to be physically separate so that it could not be subjected to that sort of cyberattack. It should be completely protected and separate from the main data, but that does not seem to have been the case here. Should you recommend that SEPA and other organisations look more closely at that, and that they should separate and protect any data that is essential to keeping their business running?

Does that give assurance, though? There is bound to be another attempt at a similar attack on an organisation. In my opinion, it is still dangerous to have a direct link to the backup data and servers from the main data and servers. There should be some physical and logical separation of the two so that, if the attack is successful in one part of the operation’s data, it does not succeed in the other. Does SEPA plan to consider that?

Auditor General, one of the lessons from the attack is that the cybercriminal fraternity is a step ahead of the game, despite organisations’ best efforts to have the best systems, including security systems, in place. I imagine that a number of the recommendations try to address that.

The cyberattack is still the subject of an on-going police investigation, but are you able to tell us exactly where the attack managed to penetrate SEPA’s systems—the route source—or will that remain confidential?

That is good to hear. Convener, you will be delighted to hear that, in my day, when I worked in computing, our guys used to put the backup in a case and take it to the bank. We would actually take a hard drive away and make sure that it was physically protected so that, if something like that happened, the information could be immediately restored. There is a lesson from the past in that regard.

My final query is about staff training. It is recognised that SEPA staff were well trained in all those aspects and were aware of them. Are there further plans to improve training in relation to cyberattacks and to make staff more aware of the possibilities and the risks?

Good morning. I want to develop a discussion about how and whether NPF4 deals with not just the vacant and derelict land that Sarah Shaw mentioned a moment ago, but the derelict and abandoned dirty, filthy shops that blight our high streets. A lot of good work is being done in a lot of town centres across Scotland, with communities and councils doing a lot to improve areas and towns, where they can. However, many of my constituents often ask me, “What can we possibly do about the 18 abandoned shops that are blighting our high street?” The properties in question are mainly privately owned.

My question, therefore, for Sarah Shaw and perhaps my Ayrshire colleague Craig Iles is: what can we do about this? Should NPF4 strengthen powers in that respect, or do we already have sufficient powers under planning legislation to deal with the issue through, say, amenity notices?

We know that 54 per cent of Scottish taxpayers pay less income tax than they would if they lived in other parts of the UK. Nevertheless, identifying Scottish taxpayers is an issue for us.

We note that, in 2020, HMRC identified more than 30,000 records of taxpayers who were not registered as Scottish with S codes. In March 2021, that figure rose to 39,000. Why is that happening? A simple calculation might show that that represents £1 billion in earnings being incorrectly taxed. Give us a little flavour of why you think that those numbers are going up so significantly, and what is being done to reduce them?

Is there any estimate of the loss of revenue as a result of the issue? We read in our briefing notes that some employers might repeatedly be failing to apply the S code correctly, but we do not have any information on that. Do you have any? Are there employers who are repeatedly not applying the code correctly? Fundamentally, it is against the law not to apply the code correctly. What are we doing to encourage, let us say, employers to apply the code correctly and legally?

You will probably recall that, in the early days of the system, even some members of the Scottish Parliament were not coded as Scottish taxpayers—I think that that applied to 45 out of 129 MSPs, which is a huge number to get wrong. Can you give us an assurance that that problem has now been corrected completely and that the 129 of us and our 59 Scottish MP colleagues are being correctly coded as Scottish taxpayers?