Northamptonshire Police
Information Management Strategy

If printed, copied or otherwise transferred from the Policies and Procedures Intranet/Internet Site this document must be considered to be an uncontrolled copy. Policy amendments may occur at any time and you should consult the Policies and Procedures Intranet/Internet Site if in doubt.

Ratified By: Professional Standards and Security Board
Ratified Date:
Version: 1
Owning Department: Force Information Unit, Professional Standards Department
Policy Author: Yvonne Mason, Information Unit Manager
Review Date: December 2016
Page 1 of 25
Contents

PART 1 Information Management Strategy
1. Introduction
2. Strategic Aim
3. Strategic Objectives
4. Information Management Values
   The Standards
   Business Management
   People Management
   Information Sharing
   Data/Information Management
5. Scope of Strategy
6. Responsibilities
7. The Role of the Professional Standards and Security Board
8. Relationship with Existing Policies
9. Relationship with Future Policies

PART 2 Information Management Standards and Working Practices
1. Introduction
2. Information in the Policing Context
3. Regulatory Environment
4. Strategic and Operational Information Management
5. Functions and Responsibilities
6. Audit

Appendix A Business Benefits
Appendix B Regulatory Environment
Appendix C Index of Information Management Sub-Policies
PART ONE
Information Management Strategy

1. Introduction

Under the Home Office (2005) Code of Practice on the Management of Police Information and the College of Policing Authorised Professional Practice (APP) the Deputy Chief Constable will establish and maintain an Information Management Strategy (IMS) within Northamptonshire Police (hereinafter referred to as the Force), complying with guidance and standards issued within the Management of Police Information (MoPI) Statutory Code of Practice (CoP) and the APP unless that guidance is superseded by regulations made by the Secretary of State under section 53A of the Police Act 1996.

The Force has a duty to obtain and use a wide variety of information, including personal information, in order to discharge its responsibilities effectively. This IMS and accompanying standards, in conjunction with all other information management related policies, procedures and processes, provide a mandate for the performance of all information management functions to ensure that all staff, including agencies, contractors and partners involved with police information, competently and efficiently carry out their duties.

Within the MoPI CoP a policing purpose is defined as:-
- Protecting life and property;
- Preserving order;
- Preventing the commission of offences;
- Bringing offenders to justice;
- Any duty or responsibility arising from common or statute law.

Implementation will focus on the following:
- Citizen-focused Service Delivery
- Governance
- Effective and Lawful Use of Information
- Information as a Force Asset
- Information as a Shared Resource
- Infrastructure and Strategic Management of Information

This IMS does not define systems but will incorporate the Information Systems Improvement Strategy for the Police Service, within which technology and systems are defined. This IMS is not a stand-alone document.
It is intrinsic to how the Force manages all of its police information within the policing context and as such informs, and is informed by, all other Force policies. By its very nature, the management of all police information will form part of Northamptonshire Police's usual operational business; be integrated and consistent across all business areas within the Force; and be reviewed and updated in line with other Force policies.

There are numerous strategic, tactical and operational benefits to the Force which are outlined in Appendix A.
This IMS does not take a systems approach but will ensure that information is managed across all Force objectives, functions and processes in accordance with APP. It is the intention of the Force, through the application of APP, to improve data quality throughout the relevant business areas aligned to the Professional Standards Information Assurance Board. It is further the intention of the Force to utilise and align itself where possible with national and local IT improvements so that the principle of the golden nominal through system/process linkage is attained, thus ensuring that data collected, recorded, evaluated, shared and retained is of the highest quality.

2. Strategic Aim

Northamptonshire Police aim to:-

Provide the best possible service to our communities by providing reliable information at the point of need, where individuals understand the importance of using it correctly, sharing it lawfully and protecting it from improper use.

In providing reliable information we will provide the best possible service to our communities and in doing so help realise a number of our Force strategic aims.

Police information is defined as all information, including intelligence and personal data, obtained and recorded for a policing purpose.

3. Strategic Objectives

To achieve this aim the Force will:-
- Work to meet the required standards to comply with legislation, MoPI CoP and Guidance, APP and relevant Force policies;
- Manage its information corporately;
- Identify and support effective practice in the management of police information across all business areas;
- Promote an integrated information lifecycle Force-wide;
- Ensure that the Force infrastructure and processes can provide the right information to the right people at the right time for the right purpose;
- Ensure that staff understand the importance of information, how to use it correctly and how it must be protected from unlawful use;
- Support the requirements placed on the Police Service under the HMG Information Assurance Maturity Model and Assessment Framework, and the modular Code of Connection and Risk Managed Accreditation Document Sets for police systems.

This strategy is written to ensure that statutory requirements are addressed and that mechanisms are established to ensure that individuals fully understand their responsibilities.
4. Information Management Values

The Standards:
- Recording of information to comply with the principles of the National Intelligence Model (NIM);
- Appropriate classification, grading and recording of police information;
- The eradication of unnecessary duplication;
- The quality of information;
- Evaluation;
- Audit;
- Risk Management;
- Vetting.

Business Management:
- Duty to obtain and manage information;
- Compliance with NIM;
- Cost effectiveness in information management;
- Commitment to an information culture;
- Information as a business asset and the value of information used in decision making and programme management.

People Management:
- Ownership of information;
- User's responsibilities towards information;
- Competency in handling information;
- Investment in appropriate resources, skills and training.

Information Sharing:
- Duty to share information lawfully;
- Providing the right information to the right person at the right time;
- Protection of sensitive information and sources;
- Obligations of those receiving information.

Data/Information Management:
- Review, retention and disposal of information;
- Conformity/compliance with external agreements;
- The use of appropriate information technology;
- Security of information;
- Aggregating data;
- Storage of information;
- Data Protection Act 1998 (DPA);
- Freedom of Information Act 2000 (FOIA);
- Complying with the Information Assurance Maturity Model.

The Force is committed, via this strategy and other initiatives, to improving information processes and operational capabilities. In doing so, we will ensure that citizens, and vulnerable people in particular, are better protected by improved information sharing capabilities with local authorities and partner agencies.
5. Scope of Strategy

This strategy applies to all information received, created, held, shared, disseminated, disclosed, reviewed, retained or disposed of by all staff employed by the Force in the course of carrying out their duties. This document covers all formats of information, including electronic, digital and hard copy, whilst in storage, processing, use or transit, and the risks created by both malicious and non-malicious actions.

This strategy does not redefine organisational structures, nor determine technology-based solutions; however, it will inform future technical developments.

6. Responsibilities

Northamptonshire Police has a corporate responsibility to own and manage all information created, received and held for a policing purpose in accordance with the regulatory environment.

The Deputy Chief Constable (DCC) has the overall responsibility and ownership of this strategy and the defined role of Senior Information Risk Owner (SIRO), although some responsibilities may be delegated to others.

The person(s) responsible for information management in the Force will:-
i) Ensure that this IMS is available for all staff, partners and the public to view;
ii) Give guidance for good information management practice and promote compliance with this strategy so that police information will be:-
   a. Accessed easily, appropriately and in a timely manner;
   b. Processed for a policing purpose;
   c. Shared and disclosed lawfully;
iii) Ensure the integrity of the information.

All individuals within the Force will ensure that all information created, received and held for which they are responsible is accurate, relevant and kept up to date, and that decisions about it are properly recorded, thereby ensuring accountability with an accurate audit trail.

7. The Role of the Professional Standards Information Assurance Board

The purpose of the Professional Standards Information Assurance Board (IAB) will be to own and manage this Information Management Strategy and ensure that the management of all police information will form part of usual operational business, be integrated and consistent across all business areas within the Force, and will seek to maximise the strategic, tactical and operational benefits of the implementation of the Management of Police Information.

The IAB, chaired by the DCC, owns this IMS and in exercising its responsibilities has an overarching role in providing the strategic drive, direction, coordination, control and approval necessary to achieve the strategic aims and objectives of this IMS.
The IAB will monitor and direct the work of a series of project groups tasked with applying this IMS to key operational business areas, thereby ensuring delivery of the MoPI Force Action Plan.

The IAB will liaise with other strategic groups in the Force through the attendance of appropriate IAB members at those groups to ensure a corporate strategy for information management.

The IAB will approve the Force Audit Strategy and the Annual Audit Plan, which will measure compliance with the Data Protection Act and the Code of Practice on the Management of Police Information, with particular attention to data quality and actions identified by the project groups to improve the availability of relevant information.

The IAB will ensure that the Force Training Strategy is aimed at the training of police officers and police staff in order to implement the National Centre for Policing Excellence (NCPE) Code of Practice and Management of Police Information.

8. Relationship with Existing Policies

This strategy has been written within the context of:-
- MoPI (CoP)
- MoPI Guidance
- MoPI Threshold Standards
- Authorised Professional Practice
- Links with other legislation, statute and common law, regulations or national and local policies and procedures affecting the Force (Appendix B)

9. Relationship with Future Policies

All relevant future policies will be written with due regard to this strategy.

NB: This strategy must be read and implemented in conjunction with Force information management procedures and processes.
NOT PROTECTIVELY MARKED
Northamptonshire Police

PART 2
Information Management Standards and Working Practices

1. Introduction

1.1 Police information management cuts across all police business activities. It is critical that a co-ordinated and cohesive approach is taken to improve police performance in support of the Force objectives:
i) information will be managed to support business processes;
ii) information will be accurate, up-to-date and readily accessible to those who have authority to see it;
iii) information will only be retained where necessary;
iv) information will be based on the lifecycle of information in accordance with APP direction on Review, Retention and Disposal (RRD);
v) methods of information management will be secure, protected, legal and subject to environmental and proportional cost issues.

1.2 Northamptonshire Police is committed to the following five information management principles as defined by the International Standards Organisation (ISO) 15489:
i) to recognise and understand all types of information;
ii) to understand the legal issues and execute duty of care responsibilities;
iii) to identify and specify business processes and procedures;
iv) to identify enabling technologies to support business processes and procedures;
v) to monitor and audit business processes and procedures.

1.3 These standards provide an opportunity for achieving national consistency through complying with the APP by:
- ensuring the Force understands the value of information and is able to exploit it as a corporate asset;
- providing the standards for information management in respect of definitions, data standards and the rules for disclosing/sharing;
- integrating all Force policies and protocols relating to, and in the context of, managing police information;
- putting in place cost effective mechanisms to ensure the Force and its partners have access to the right information, in the right form, at the right time.
1.4 Each business area will have a named business process/system owner of information, who will be responsible for its creation and accuracy, and a custodian of information (responsible for its physical safekeeping). All Force systems will be formally security accredited in line with the ACPO Community Security Policy and associated Force policies.

2. Information in the Policing Context

2.1 Information will be managed corporately and will have common standards applied to it (as defined by the APP), in order for it to be used for a policing purpose. This will enable the Force to agree solutions to information management issues locally and nationally.

2.2 Force policies and procedures for all key elements of information management will comply with the APP and other legislative regulations (see Appendix B), policies and standards affecting the management of information functions across all Force business areas.

2.3 New systems (and where possible, legacy systems) will be integrated and information received or collected will be entered into the system once, as part of the operational process at the point of service delivery, without intervening manual processes.

3. Regulatory Environment

The APP and MoPI CoP exist within a regulatory environment that includes statutes, common law, codes and guidance. Please see Appendix B for a detailed list of regulations.

4. Strategic and Operational Information Management

The Force will address key focus areas as follows:-

4.1 CITIZEN-FOCUSED SERVICE DELIVERY

4.1.1 Northamptonshire Police will provide a citizen-focused service that responds to the needs of its communities and individuals through building effective links with its local communities and members of the public to ensure their needs as citizens are met.

4.1.2 The Force will work towards implementing integrated information management processes across all business areas and activities to enable it to bring about increasingly responsive services to its local communities and individuals.

4.1.3 The Force will work in partnership with local authorities and other organisations in providing a safer environment for its citizens.
4.2 GOVERNANCE

4.2.1 The Force has a duty to obtain and manage information needed for a policing purpose.

4.2.2 All information will be evaluated and processed within an acceptable time period documented in the Force RRD Policy, paying due regard to the different types of information it is legislatively bound to hold, in particular information that has regulatory constraints upon its publication and that which is for internal use only.

4.2.3 Information will be held where and when it is considered that it is necessary for a police purpose and assessed for reliability.

4.2.4 Information originally recorded for police purposes will be reviewed in line with the APP and compliant with the principles of the DPA 1998. All such reviews will be documented and require the following to be recorded against them: date of review, reviewer's name, outcome and reason for the review.

4.2.5 When it is reviewed, information originally recorded for police purposes will be considered for retention or disposal.

4.2.6 There are certain public protection matters which are of such importance that the Force will only delete the information if:-
a) the information has been shown to be inaccurate, in ways which cannot be dealt with by amending the record; or
b) it is no longer considered that the information is necessary for police purposes.

4.2.7 The decision to retain information can be approved by a Supervisor at any level.

4.2.8 The disposal of MoPI Group 1 & 2 records will only take place with approval of a supervisor.

4.2.9 Disposal of MoPI Group 3 records will be considered after 15 years and MoPI Group 4 records will be disposed of by automatic deletion, as agreed by the Deputy Chief Constable.

4.2.10 A record of all reviews and disposals will be maintained electronically by systems wherever possible. Where not possible, manual records will be maintained as defined in the Force RRD Policy. These records will include the date of the decision, the number of records and whether they were considered inaccurate or no longer necessary for a policing purpose, but will not contain any personal information.
4.2.11 The Force is committed to improving and maintaining a fit for purpose flow of information, central to its ability to function effectively and efficiently, and to ensuring that staff are aware of the Force's key aims, objectives, strategies and developments.

4.2.12 A process of regular monitoring for the accuracy, adequacy, relevancy and timeliness of Force information will be established, which will include dip sampling of records within each business area.

4.3 INFORMATION ASSURANCE

Information Assurance reflects the increasing value of information to the Police Service and the increasingly communal way in which it is used and shared. Information Assurance is the practice of managing information-related risks around the confidentiality, integrity and availability of information, in particular sensitive information, and the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users.

This IMS supports the Force's approach to embed an Information Assurance culture enabling the effective use of police information in line with policing priorities. The key elements of Information Assurance are:-
i) to implement the strategic aims of the HMG Information Assurance Maturity Model (IAMM) and Assessment Framework;
ii) to adopt the Modular Code of Connection (CoCo) and Modular Risk Management Accreditation Document Sets (RMADS);
iii) to develop Information Risk Management structures in consultation with the appropriate risk owners;
iv) to ensure policies and procedures are clear and consistent and readily accessible.

4.4 EFFECTIVE AND LAWFUL USE OF INFORMATION

4.4.1 The Deputy Chief Constable (ACPO) is responsible for ensuring recording procedures are established in accordance with the APP to enable information to be as complete and accurate as possible.

4.4.2 The Force is committed to continual development of information processes to enable effective information sharing partnerships that ensure disclosure and dissemination in a lawful manner.

4.4.3 The Force is committed to providing an environment to support staff in their role of managing the life-cycle of information.

4.4.4 Where appropriate, the source of the information, the nature of the source, any assessment of the reliability of the source and any necessary restrictions on the use to be made of the information will be recorded to permit later review, reassessment and audit.

4.4.5 The format in which the information is recorded will comply with standards agreed and applied across the police service to facilitate exchange of information and processing within standard police technical systems.
4.4.6 The Force will commit to provide the training required to ensure that relevant data and record quality standards are realised and associated processes are fully understood.

4.5 INFORMATION AS A FORCE ASSET

4.5.2 Each Force business area will have a defined business process owner and system administrator for systems within that area, who will be responsible for the information life-cycle processes and consistency of those processes across the Force.

4.5.3 Each designated system will have a defined system administrator who will be responsible for its management and for making it accessible to those who need it in a secure and timely manner under central guidance/authority.
4.5.4 The Force will maintain and develop the quality of facilities and equipment relevant to information provision.

4.6 INFORMATION AS A SHARED RESOURCE

4.6.2 The Force will ensure information is accurate, reliable and up-to-date, and available to any other police force, as specified in the APP, requiring information for police purposes, provided that the Chief Officer responsible for the record is satisfied that the police force seeking access to the information applies the principles set out in the APP.

4.6.3 The Force will have in place appropriate protocols and agreements for sharing information (Information Sharing Agreements), which will be stored in a central repository in the Information Unit.

4.6.4 Special procedures will be applied to a request for access to information recorded for police purposes, in particular where it is necessary to protect the source of sensitive information or the procedures used to obtain it.

4.6.5 Information Sharing Agreements (ISAs) will be written where a regular exchange of personal information is required between the police and identified partners where a power to share exists. In responding to individual requests for information outside an ISA, the Chief Officer will require those to whom information is made available to comply with the following obligations:-
i) Police information made available in response to such a request will be used only for the purpose for which the request was made;
ii) If other information available, at the time or later, to the person or body requesting police information tends to suggest that police information is inaccurate or incomplete, they will at the earliest possible moment inform the Force of such inaccuracy or incompleteness, either directly or by reporting the details to the relevant Business Process/System Owner. The System Owner is responsible for the police information and, if necessary, will record any additions or changes to the recorded police information.
4.7 INFRASTRUCTURE AND STRATEGIC MANAGEMENT OF INFORMATION

4.7.2 Northamptonshire Police is committed to a consistent approach to the strategic management of information at all levels.

4.7.3 The Force has a corporate responsibility for ensuring an appropriate information management infrastructure is implemented and maintained, including developing robust, reliable, flexible, scalable and secure systems for both electronic and paper-based records/documents.

4.7.4 The infrastructure will host integrated systems to provide seamless access to related information across different functional systems, e.g. electronic automated systems to manage time and labour intensive activities internally and externally, and it will be developed to accommodate existing and emerging business processes.
4.7.5 Business process owners will be responsible for developing strategic liaison between departments to facilitate coherent development of information provision.

4.7.6 As the Force becomes increasingly dependent on electronic information systems for its effective operation, the Force will ensure these systems do not suffer major periods of unavailability, and business continuity plans will be developed by business area owners in partnership and consultation with the Information Technology Department, informed by realistic risk assessments.

5. Functions and Responsibilities

i) As a matter of policy and procedure, all Force staff must understand their responsibilities when using or communicating personal or other data and information.
ii) In practice, everyone working for, or with, the Force who receives, creates, maintains, stores, reviews, discloses/shares or disposes of information has a common law duty of confidentiality. This responsibility is established at, and defined by, law.
iii) In addition to individuals' responsibility for information management, there are core levels and functions that have to be identified to ensure that police information is managed effectively, efficiently and lawfully. Each of these has a different combination of responsibilities, but some are shared.

5.1 Professional Standards Information Assurance Board

5.1.1 The Force has established a Professional Standards Information Assurance Board (IAB) to implement and monitor the information management strategy (IMS) and standards. This Board is chaired by the Deputy Chief Constable and meets on a quarterly basis. If necessary, any issues arising from this Board will be reported to the Chief Officer Group for decision.
5.1.2 The Board will determine the organisation's policy for information assets and identify how compliance with that policy will be measured and reviewed, including:-
i) identification of information assets and the classification into those of value and importance that merit special attention and those that do not;
ii) quality and quantity of information for effective operation, ensuring that, at every level, the information provided is necessary and sufficient, timely, reliable and consistent;
iii) the proper use of information in accordance with applicable legal, regulatory, operational and ethical standards, and the roles and responsibilities for the creation, safekeeping, access, change and disposal of information;
iv) the protection of information from theft, loss, unauthorised access and improper use, including information which is the property of others;
v) harnessing of information assets and their proper use for the maximum benefit of the organisation, including legally protecting, licensing, re-using, combining, representing, publishing and destroying;
vi) strategy for information systems, including those using computers and electronic communications, and the implementation of that strategy with particular reference to the costs, benefits and risks arising;
vii) identifying and actioning the appropriateness of a central oversight role for all information held by the Force.

5.1.3 The IAB will develop governance structures (including review of the criteria by which the Force decides which MoPI Group 3 records to review and which to automatically dispose of, where the Force uses a system of time-based automatic disposal), policies and procedures to ensure the management of information within the Force is undertaken strategically and is aligned with the Force objectives.

5.1.4 The IAB will oversee the implementation and maintenance of the IMS and standards.

5.1.5 The IAB will provide advice to all staff involved in the management of information through the specialism of its members.

5.1.6 The IAB will be responsible for ensuring information management training is provided in line with the National Training Strategy and Force objectives, including:
i) ensuring a training needs analysis is conducted;
ii) establishing appropriate training programmes and schedules;
iii) identifying appropriate training products.

5.1.7 The Force Risk Register will be utilised to ensure that risks identified in the evolving plans supporting the delivery of the strategy are addressed. Any information risk identified on the Risk Register will be reviewed at each meeting of the IAB.

5.2 Executive

5.2.1 The DCC has ultimate ownership of the Force IMS.
5.2.2 As Force Data Controller, the Chief Constable, in line with the Data Protection Act 1998, has the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller, including but not limited to the following:-
i) determines why, as well as how, personal data, including sensitive personal data, is processed and what security measures will be appropriate;
ii) has a duty to ensure that the collection and processing of any personal data within the Force complies with the data protection principles;
iii) retains full responsibility for the actions of the data processor;
iv) notifies all processing operations that involve personal data to the Information Commissioner and keeps this notification up-to-date.

5.2.3 The role of data controller is a primary legislative function. The controls for meeting the Force's legal obligations for personal data management can be delegated as appropriate, with clearly defined responsibilities and the ability to report directly to the data controller as necessary.

5.2.4 The Chief Constable has overall executive responsibility for management and use of information within Northamptonshire Police.

5.2.5 The DCC will ensure that the Force adopts policy, procedures and processes for the management of information and supports their application Force-wide, so that information is used effectively for police purposes and in support of consistent national standards.

5.3 Senior Information Risk Owner (SIRO)

5.3.1 The Force SIRO is the Deputy Chief Constable, who has responsibility for understanding how the strategic business goals of the Force may be impacted by information management systems failure.

5.3.2 The SIRO is responsible for ensuring that information risk management and management processes are established and adhered to Force-wide.

5.3.3 The SIRO will make the final decision in cases where the ISO identifies potentially unacceptable residual risks during the systems accreditation process.

5.3.4 This is a strategic responsibility, which will not be confined to information technology or information assurance departments.

5.4 Head of PSD

5.4.1 The Head of PSD holds responsibility for the management of police information and as such has responsibility for overseeing all related functions for the management of police information, such as data protection, information assurance, freedom of information and disclosure/sharing of information, which may be undertaken by separate internal departments, including agreeing what information can be shared, how and when.
The IAB will decide the strategic direction of the Force in all information management matters.

5.4.2 The responsibilities of the Head of PSD or delegated individuals will include, but are not limited to:

a) Ensuring:
i) Force processes and systems adhere to the MoPI CoP, Guidance and Threshold Standards and APP;
ii) a Force Information Management Strategy is established and maintained;
iii) Force policies are appropriate to make certain that information is easily accessible and searchable;
iv) the Force meets national requirements for the management of police information;
v) Operating Rules for all Force designated systems are available to all staff;
vi) reporting lines exist to allow Department Heads to raise issues to Force information managers if necessary;
vii) reporting lines exist to allow Force information managers to discuss matters at ACPO level;
viii) systems and processes are sufficient to effectively co-ordinate all staff roles involved with the management of police information;
ix) an appropriate role/function is available to represent the Force at named forums.

b) Overseeing:
i) the management of all the Force's information assets, demonstrating effective linkages between the different functions, e.g. IT, data protection etc.;
ii) compliance with the latest HMG Information Assurance Maturity Model and Assessment Framework.

5.5 Information Unit Manager

The Information Unit Manager is responsible for the following, some of which may, if necessary, be delegated to the Force Data Protection/Freedom of Information Officer or the Information Assurance Team Leader:-

5.5.1 Information Sharing
i) Quality assuring and authorising Information Sharing Agreements;
ii) Monitoring compliance with relevant legislation;
iii) Liaising with information owners and other stakeholders in the process;
iv) Liaising with Department Heads when necessary to provide guidance and support on information management;
v) Providing advice and training on good practice;
vi) Ensuring that Information Sharing Agreements are published on the Force intranet and maintaining a central repository of existing Force ISAs;
vii) Supporting staff to share information appropriately;
viii) Ensuring that the APP, MoPI Guidance and other relevant ACPO policy and guidance are disseminated and adhered to Force-wide;
ix) Ensuring the process of sharing information is adhered to by both those in a supervisory and user capacity;
x) Supporting staff to share information appropriately;
xi) Reporting on a regular basis to the Head of PSD;
xii) Supervising audits on an ad-hoc basis of the decision to share made by users, including the necessity, accuracy and adequacy of information shared;
xiii) Ensuring that information being shared does not compromise any police operation or the safety of others;
xiv) Ensuring ISAs are reviewed in accordance with Force policy;
xv) Providing feedback to staff on their performance.
5.5.2 Data Protection
i) Managing the Chief Constable's statutory obligations in respect of the DPA, including notification of processing to the Information Commissioner, compliance with the Data Protection Principles and securing individuals' rights under the Act, including subject access requests;
ii) Maintaining an up-to-date knowledge of, and advising on, relevant legislation and general developments in data protection and related matters;
iii) Promoting awareness of data protection matters through training, policy development, advice and guidance;
iv) Undertaking systematic auditing and monitoring of information and systems in accordance with the APP on Data Protection;
v) Ensuring that appropriate security arrangements exist to protect information, including, where necessary, that suitable contracts are drawn up relating to the processing of police information by third parties;
vi) Investigating and resolving complaints made in relation to the handling of personal information (in relation to data protection);
vii) Assisting where appropriate in the investigation of disciplinary and criminal matters relating to data protection;
viii) Liaising on all data protection matters between the Force and relevant regional or national bodies (including the ACPO Data Protection and Freedom of Information Portfolio Group and the Information Commissioner's Office);
ix) Liaising with Department Heads when necessary to provide guidance and support on data protection matters;
x) Ensuring that the APP Data Protection Standards are disseminated and adhered to Force-wide;
xi) Liaising directly with the Chief Officer;
xii) Liaising regularly with the Force Information Security Officer.

5.5.3 Freedom of Information
i) Managing the Force's obligations in respect of the Freedom of Information Act 2000 (FOIA), including the Force publication scheme and requests for information under the Act;
ii) Maintaining an up-to-date knowledge of, and advising on, relevant legislation and general developments in Freedom of Information and related matters;
iii) Ensuring that the ACPO Freedom of Information Manual is disseminated and adhered to Force-wide;
iv) Promoting awareness of Freedom of Information matters through training, policy development, advice and guidance;
v) Liaising with Department Heads when necessary to provide guidance and support on Freedom of Information matters;
vi) Liaising on all Freedom of Information matters between the Force and relevant regional or national bodies (including the ACPO Data Protection and Freedom of Information Portfolio Group and the Information Commissioner's Office).
NOT PROTECTIVELY MARKED

5.6 Information Security Officer

The Information Security Officer's responsibilities include:-
i) acting as the point of contact for all information security issues;
ii) implementing organisational structures, policies, procedures and risk management programmes with respect to security matters;
iii) providing advice on the correct and secure operation of information processing systems and applications;
iv) ensuring appropriate security measures, both procedural and technical, are in place to prevent unauthorised or accidental access to, amendment of, or loss of police information;
v) quality assuring local information security policy documentation;
vi) demonstrating an approach to implementing security that is consistent with national and local requirements;
vii) marketing the need for information security;
viii) providing advice on security education and training;
ix) co-ordinating all investigative and reporting action that may be undertaken into actual and suspected incidents of security significance;
x) co-ordinating and advising on the implementation of specific security requirements for new and legacy systems and services, and leading on the local systems accreditation process;
xi) establishing and ensuring that third party agencies sharing, accessing, storing or processing information and information assets owned by the Force comply with the defined threshold standards;
xii) maintaining appropriate contacts with other community members, Government departments and regulatory bodies;
xiii) liaising with Department Heads when necessary to provide guidance and support on information security matters;
xiv) reporting on a regular basis to the Head of PSD, and representing member interests at a Regional and National level on information security issues;
xv) ensuring appropriate security measures are afforded to information, including personal data, thereby assisting the Force's compliance with the DPA in order to discharge security responsibilities;
xvi) liaising on all Information Security matters between the Force and relevant regional or national bodies (including the ACPO Information Security Portfolio Group).

5.7 Disclosure and Barring Service Manager (DBS)
a) The DBS Manager or deputies act as a central point of contact with responsibility for ensuring:-
i) all requests for, and disclosure/sharing of, information are carried out in accordance with, or pay due regard to, relevant legislation and guidance, including the ACPO/DBS QAF;
ii) all information received is conveyed, handled and kept in a confidential and secure way and disposed of when no longer required;
iii) under the DBS service level agreement (SLA) with ACPO and individual police Forces, each Force will provide a Force Delivery Manager (FDM) who will be the single point of contact for DBS matters.
5.8 Systems Owners
i) Each business area will have a designated system owner with whom the ownership of the business systems and processes, and the collection and disposal of information, lies.
ii) The system owner is responsible for ensuring the information risk management processes within their business area are in line with the SIRO's directives.
iii) The system owner is responsible for the creation and accuracy of the information within their business area.

The system owners will:-
i) define the service levels needed from any information and records management process;
ii) ensure that the information management processes meet the best practice requirements for their business area and the Force as a whole;
iii) ensure there is the ability to link and cross-reference information across the different business areas, including strategic liaison between departments to facilitate coherent development of information provision;
iv) ensure documentation is produced to define each system's purpose, functionality, access rights and user operating procedures;
v) provide a process for recording decisions to share or not to share information;
vi) set information and individuals' access status;
vii) take responsibility for information management and for ensuring that all staff are involved in the practice and implementation of the information management strategy. This will encompass:-
 i) internal communications, profile raising and publicity;
 ii) appropriate resources, including training;
 iii) resilience of continuity and consistency of function and responsibility;
 iv) review of procedures and an implementation plan for specific actions arising.

In relation to Review, Retention and Disposal (RRD) of information within designated systems, this will be dealt with in accordance with the RRD Policy under the control of the Information Unit Manager.
5.9 Core Operational Functions and Responsibilities

The core functions and responsibilities detailed below will ensure that the APP and the MoPI CoP and Guidance are complied with. To assist this process the Information Unit comprises the following areas of information management:-
Audit
DBS Disclosures
DBS Non-Disclosures
Data Protection
Freedom of Information
Information Sharing
Notifiable Occupation Scheme
Review, Retention and Disposal
Staff Vetting
Subject Access

5.9.1 ALL STAFF
a) All staff involved in the management of police information, or who have access to personal data, have the individual responsibilities detailed below:-
i) to apply the basic principles of effective information management (as contained in the APP and MoPI CoP, Guidance and associated Force policies), including the application of consistent processes and decisions, owning decisions and working as part of a team in a system with many interdependent links;
ii) to recognise the value of trust, confidentiality and information security and the dangers of inappropriate sharing of police information;
iii) to recognise the value of sharing and disclosing information and the dangers of failure to share when the circumstances require it;
iv) to be familiar with, and adhere to, Force policy, procedures and processes when managing information;
v) to be aware of the current intelligence requirements and to ensure that information is collected for a policing purpose;
vi) to record information in the appropriate format;
vii) to record information in compliance with the recording and data quality principles;
viii) to disseminate information where appropriate;
ix) to continuously apply standards for data quality and consistent and accurate recording;
x) to apply operating rules relevant to the business areas to which they have access;
xi) to apply rules relating to information security, including applying protective marking under the GPMS to the information being shared where applicable, or a risk assessment where the sharing is carried out with partners in the voluntary or private sectors who do not have a statutory purpose to share information;
xii) to share information only in accordance with agreed procedures;
xiii) to ensure compliance with all relevant legislation, including the Human Rights Act 1998, the Data Protection Act 1998 and the Freedom of Information Act 2000.
b) All staff responsible for creating records will:-
i) ensure the person's records are complete;
ii) quality assure the recording of the 5x5x5, ensure the linking together of information where relevant and identify opportunities for analysis of series or linked events;
iii) establish and enter the review date for a record at the point of creation;
iv) apply provenance to the information recorded and apply the relevant priority assessment if applicable.

c) All staff responsible for reviewing records will:-
i) follow Force policy in relation to the implementation of the National Retention Assessment Criteria (see Appendix C) when reviewing records to determine their continued necessity for a policing purpose;
ii) document the review process as described in Force policy wherever there is no automated mechanism in place; and
iii) ensure that information to be disposed of is not duplicated and therefore retained elsewhere.

6. Audit and Compliance

6.1 The Information Unit Manager will be responsible for ensuring the day-to-day operation of internal compliance initiatives, so that information management policies, procedures and processes are followed, data quality standards are met and the benefits are realised. This will be undertaken by a planned audit programme across computer applications and other information systems to determine compliance with the APP, the MoPI CoP, the Data Protection Act 1998 and national and Force audit requirements. The Force Information Auditor will create templates for each new audit programme, ensuring that a corporate approach is adhered to.
6.2 It is important that coordination takes place that includes:-
i) ensuring information management policies and procedures are being communicated to appropriate Force personnel and are being adhered to;
ii) monitoring use of shared/personal storage space;
iii) ensuring that appropriate paper filing takes place;
iv) ensuring that the accuracy of data is regularly assessed;
v) defining and prioritising a continuous audit programme based on high risk areas.

6.3 The Force Information Auditor will have responsibility for ensuring regular information quality assurance audits across business areas. This will include:-
i) establishing a structured and organised audit mechanism, including processes, methodology, timescales, reporting and follow-up;
ii) setting compliance criteria in accordance with accredited standards and in consultation with the Information Unit Manager;
iii) overseeing the audit process.

6.4 Audit and compliance will be based on information governance, which is concerned with the standards that apply when information is processed, i.e. how information is held, obtained, recorded, used and shared.
Appendix A BUSINESS BENEFITS
(Strategic Benefits, Tactical Benefits and Operational Benefits)

Improved Police Performance
  Nationally consistent and effective management of information
  Improved auditing of decision-making process
  Increased understanding of and compliance with relevant legislation
  Reduced civil actions and complaints against Forces as a result of poor information management
  Improved data quality
  Responsibilities in relation to information management are clear
  Less officer/staff time and effort is needed to access information
  Less impact of civil action and formal complaints on officer/staff time and wellbeing

Safer Communities
  More informed decision making
  Improved targeting
  Improved processes for joint agency working
  Effective management of high risk offenders
  Enhanced disclosure processes
  Improved protection of children and vulnerable adults
  Related information is linked and associations between crime and offenders are more easily made
  Better deployment of operational resources
  Increased willingness of partner agencies to share information
  Less bureaucratic processes for sharing information

Increased Public Confidence
  Improved victim/witness satisfaction
  Improved community relations
  Improved public confidence in the information we hold
  Increased reporting of crime
  Increased provision of community intelligence
  Increased corporate knowledge provides better service to all areas of the community
Appendix B Regulatory Environment
Police Act 1997 (Act V)
Freedom of Information Act 2000 and the Code of Practice on records management as raised under s46 of the FOIA
Criminal Justice Act 2003
Crime and Disorder Act 1998
Serious & Organised Crime & Police Act 2005
Sexual Offences Act 2004
Limitation Act 1980
Criminal Procedures & Investigations Act 1996
Data Protection Act 1998
Children Act 1989
Children Act 2004
Human Rights Act 1998
Regulation of Investigatory Powers Act 2000
Domestic Violence, Crime and Victims Act 2004
Statutory Code of Practice on the Management of Police Information (2005)
Guidance on the Management of Police Information (2006 & 2010)
Code of Practice on the NIM (2005)
ACPO Community Security Policy
ACPO Data Protection Manual of Guidance Parts 1 & 2: Standards and Audit
ACPO (2005) Investigating Child Abuse and Safeguarding Children
ACPO (2004) Investigating Domestic Violence
ACPO (2004) Recording, Management and Investigation of Missing Persons
MAPPA Guidance (2003)
Manual of Guidance on the NIM (2005)
ACPO Freedom of Information Manual Public Facing v.1
ACPO NIM Briefing Model (2003)
CPS Disclosure Manual
HMG Manual of Protective Security
ACPO Guidance for the investigation of corruption in the police service (2003)
ACPO Cabinet Retention Guidelines (2005)
Home Office Circular 25/2003
Home Office Circular 05/2005
Home Office Circular 06/2006
Computer Misuse Act 1990

Appendix C Index of Information Management Sub-Policies

The following Force policies, with their relevant standards, protocols and agreements, are not stand-alone or adhered to in isolation, but sit beneath an over-arching Force Information Management Strategy and Standards as statements of intent and procedures, not only for achieving and maintaining good management of police information but also for reaping the business benefits that are the outcome of this good practice. The policies listed below are not exhaustive and can and should be added to as the need arises.
1. Information Sharing Policy
2. Data Protection Policy
3. Freedom of Information Policy
4. Information Security Policy
5. Security Vetting Policy
6. Strategic Audit and Inspection Plan
7. Review, Retention and Disposal (RRD) Policy
8. Common Law Police Disclosure Policy
9. Government Protective Marking Scheme Policy