1.1 The procedure/SOP was reviewed in August 2023.
2.1 This procedure/SOP defines the force’s information and communications technology and details the important operating procedures governing its use.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1.1 Force Business: Information and communications technology (ICT) encompasses all computing devices (including computers, telephones, tablets, printers, copiers/scanners, storage media, and radios) and information systems (including all hardware, software, networks and databases), that are used to process information for, or on behalf of, Essex Police and Kent Police (the forces).
3.1.2 Police Information: relates to all and any data collected for a law enforcement purpose.
3.1.3 User: A user is any police officer, police staff member, or other approved person working for, or on behalf of, Essex Police or Kent Police, and any other person granted access to the forces’ IT infrastructure who have access to ‘police information’.
3.2.1 Access to the forces’ ICT will be made available to users who have a requirement to access information for a legitimate purpose and are required to perform tasks as part of their role and responsibilities. This includes engagement using approved digital communications, web applications, video conferencing and approved messaging services. You must not compromise or risk compromising the security, confidentiality, availability or integrity of Essex Police or Kent Police resources in any way.
3.2.2 Processing personal data held by Essex Police or Kent Police must comply with data protection legislation. The data protection principles set out how to comply with this legal obligation. You must not process personal data held by Essex Police or Kent Police where you are unable to show accountability to the data protection principles – including what the lawful basis is for the processing.
3.2.3 The forces’ ICT must never be made available to, or used by, any persons not authorised by Essex Police or Kent Police.
3.2.4 Only authorised Essex Police and Kent Police ICT is to be used for processing ‘police information’ (definition at 3.1.2 above refers) when conducting the forces’ business (definition at 3.1.1 above refers). Any IT equipment not procured within the authorised Essex Police and Kent Police budgets, must not be used, as this presents a significant security risk to ‘police information’. Exceptions to this rule may be made in special circumstances, if it can be demonstrated that doing so is unavoidable and would reduce a significant operational risk to the force (e.g., use of personal smartphones). Such judgement will be called into question and could result in disciplinary proceedings if found unacceptable. (Kent only: Any user adopting this exception should seek permission from their relevant Information Management team prior to, or as soon as practicable afterwards).
3.2.5 It is expected that only authorised Essex Police and Kent Police ICT is to be used for conducting the forces’ business (definition at 3.1.1 above refers) where the officer or staff member is issued with ICT (mobile device or laptop etc.). Personal ICT may be used for very limited administrative purposes connected to force business; this does not, and must not, involve the sharing or processing of ‘police information’ (3.2.4 applies for exceptional cases). These limited administrative purposes do not extend to any operationally sensitive matters (including police tactics), or sensitive personnel matters.
3.2.6 Remote working will entail the use of home routers, which do not hold, record or view any information transmitted, as this is encrypted and securely contacts the Essex Police and Kent Police virtual private network (VPN).
3.2.7 For the purposes of ‘Microsoft Authentication’ to the O365 environment, where consent has been given, via IT Services, by a member of staff to receive an ‘authorisation code’ on their own personal mobile, this is considered acceptable use in this instance only.
3.2.8 No information is to be displayed, created, stored or transmitted which might be considered as offensive, hostile, harassing, intimidating or disruptive or which contains any form of profanity or which undermines the professional and ethical standards of Essex Police and Kent Police.
3.2.9 The email facility will not be used to forward any unsolicited email ('spam'), chain letters or junk mail. If an email is received contrary to the above then the recipient should immediately inform their supervisor or manager who should take all reasonable steps to identify the source of the material and to prevent further transmission.
3.2.10 All printing should be PIN secure in order for staff to place their restricted PIN code into the relevant printer selected prior to printing the material. This eliminates the risk of incorrect printer selection and possibility of printing sensitive material that could be left on the printer.
3.2.11 “The MS Outlook autocomplete function is no longer permitted, and all staff should disable the function. In exceptional circumstances the autocomplete function can remain on. This will need to be requested via an individual’s line manager and authorised by the relevant IAO. This request will only be considered where there is a legitimate reason to retain the functionality i.e., where the individual has neuro diverse needs or a physical condition that may be adversely affected by not having access to this functionality – such as dyslexia”.
3.2.12 Messaging applications/services must not be used for processing “police information” (definition at 3.1.2 above refers) unless authorised by force Information Security Officer and Operational Security Officer with appropriate Security Operating Procedure in place.
3.3.1 Limited personal use of the Internet and email is permitted from the forces’ ICT, as long as it is in the user’s own time, is not frequent or excessive, does not interfere with police operations, does not further personal financial gain and does not violate any of the forces’ policies and procedures. Emails must not be automatically forwarded from police email addresses to private email addresses.
3.3.2 Personal use of police information is not permitted.
3.3.3 The use of social networking sites (such as Facebook and Twitter), and other chat rooms, must be for work-related purposes only.
3.4.1 Access to the forces’ ICT must be on a need-to-use principle (i.e. required in the execution of the user’s particular business role) and will be supported by both logical and/or physical access controls.
3.4.2 Access to the corporate information will be granted on a need-to-know principle. This will be based on individual system requirements, and restrictions will be imposed on what information a user can access and what operations they can perform on that information. The classification of materials will be in compliance with W 1006 Procedure/SOP – Government Classification Scheme.
3.4.3 All access to the forces' ICT will be governed by a unique user ID. The procedure for new account authorisation, reviews of access rights and changes to access rights, and the removal of access rights, is contained in W 1002 Procedure/SOP – User Account Management.
3.4.4 If a user performs more than one role, that user must only access the ICT and information that is relevant for the role that they are performing at a given time.
3.5.1 In addition to complying with the password standards enforced for a network or system, users should also select a password that:
3.5.1.1 Passwords and PINs must NOT be:
3.5.2 If a password is compromised, this should be regarded as an information security breach. Users must inform the IT Service Desk immediately and, within 24 hours, submit a security incident report via their supervisor to Information Security.
3.5.3 Under exceptional circumstances, an individual password can be disclosed to other users provided that it relates to an operational emergency or business need and it is duly authorised by the user’s line manager and endorsed by Senior Leadership Team (SLT).
3.5.4 SLT must then submit an information security incident report containing full details of the incident (which will be retained as an audit trail) and will ensure that the user changes their password at the earliest available opportunity.
3.6.1 A chief officer has responsibility for all other elements of Information Management including undertaking the role of Senior Information Risk Owner (SIRO). In Essex the SIRO is the Deputy Chief Constable, whilst in Kent the role is performed by the Deputy Chief Officer. The Information Management (& Assurance) Boards for Essex and the Force Security and Integrity Committee (FSIC) in Kent provide the forums for the discussion and management of Information Management and Assurance issues and ensure that the level of risk (likelihood and potential impact) is appropriately managed, and any identified concerns are escalated as necessary.
3.7.1 The Information Technology Services (ITS) Incident Team will purchase and maintain all of the forces’ hardware and will keep a full and up-to-date inventory.
3.7.2 To help prevent infection from viruses and avoid unauthorised access to the forces’ computers, networks or data, users must not attach unauthorised devices to the forces’ ICT (3.3.1 refers).
3.7.3 Any IT equipment not supplied and supported by IT Services must not be connected to the network without the express permission of IT Services SLT, and then only following a thorough inspection of the equipment for up-to-date software and anti-virus signatures and tested for malware infection. Such equipment must not be connected to any other network or device, including the Internet, at the same time. If subsequently connected to a third party network, it must be retested for malware. An assessment for security must be conducted by Information Security.
3.8.1 Only IT Services may purchase, install, maintain, upgrade, remove, and register software for the forces, and it will maintain a full inventory. No user is authorised to perform any of the above tasks on the forces’ ICT systems without approval by IT Services SLT.
3.8.2 Users will respect copyright law when downloading files from the Internet.
3.8.3 Users will not download software from the Internet, install personal software on force computers, or install force software on home computers without ITS approval and security review by Information Security, where relevant.
3.8.4 The installation of any software not expressly sanctioned or installed by ITS will be deemed to be unauthorised or unlawful software. All installations are visible to IT Services and any unauthorised installation will be investigated as a security breach.
3.9.1 Only approved video conference and collaboration platform tools should be used when initiating video conference sessions, online collaboration sessions and similar events.
3.9.2 You should avoid making links providing access to meetings and events publicly available as this may allow uninvited guests to attend.
3.9.3 It is permissible to accept an invitation from a third party. When taking part in such a meeting you must make sure you are aware of who else is in the meeting, no sensitive or operational police information is shared and whether the meeting will be recorded. Only approved platforms will be permitted to be accessed on the police network. All non-approved platforms will require authorisation and review by Information Security.
3.10.1 Users must always logout of their computers or devices, or lock the password-protected screen saver, before leaving the equipment unattended.
3.10.2 If a user has not locked or logged out of their computer but leaves it unattended for any period of time, the user logged-on will be held responsible for any subsequent misuse. Where there is a failure to do this which is then exploited, it will be regarded as a serious disciplinary offence. Those accused of misuse of police information may say that someone else must have used their session when they left the computer unlocked – this would therefore be considered as serious misconduct of inappropriate access or use of police data and will be referred to Professional Standards. Any person identifying an unsecured device should report it as a security incident.
3.11.1 Users are responsible for ensuring they take reasonable steps to prevent viruses and malicious software from being introduced into the forces’ systems, such as not downloading or opening files received from unknown or untrusted sources; this includes, but is not limited to, FTP services, emails, URLs, etc.
3.11.2 Anti-virus software installed on force computers must be kept running and up-to-date at all times and must not be disabled.
3.11.3 Users should only access media and files that have been received from a known and trusted source.
3.11.4 If a user suspects that their computer has acquired a virus, they must stop using the computer and contact the IT Service Desk immediately by telephone (852). The IT Service desk will take the appropriate action and may advise the user to switch off or disconnect their computer.
3.11.5 Users must never forward messages warning about viruses to other users, as these are often nuisance hoaxes. They must always contact IT Services for advice.
3.12.1 Remote working (i.e. accessing Police information using a portable device) must be formally authorised by SLT or subject to an individual's contractual conditions and must only use corporately owned equipment.
3.12.2 Such equipment will be provided by the forces’ IT Department only and use approved and security accredited methods of remote access to the corporate networks.
3.12.3 Users must make their own assessments of their working environments to ensure that they are appropriately secure. This includes ensuring that the information they are processing cannot be overlooked, overheard or compromised and that physical security measures are correct for the classification level of the information concerned.
3.12.4 Only secure remote access must be used; internet cafes and open public connections pose a security threat (information, e.g., passwords, might be retained and therefore useable by others).
3.12.5 Mobile devices i.e., any device which can be used remotely to access police information, should be physically protected against theft, especially when left or operated in high-risk areas, such as vehicles, conference centres and hotel rooms. The use of security cables and lockable containers can help reduce the risks. Access tokens, such as smartcards, must never be stored with the computer.
3.12.6 Users must have received a formal briefing on the additional risks and security measures, and signed written security operating procedures, from the person issuing/authorising the access before being issued with mobile devices.
3.12.7 Mobile devices must be connected to the network regularly (preferably, at least once a week) to ensure that they receive the latest software updates, and that valuable information is backed up.
3.12.8 Mobile devices must not be taken or operated outside of the United Kingdom (including Northern Ireland) without written permission of the Head of Command or the Head of IT Services. Information Security is to be advised of any exceptions authorised, and evidence is to be given that there is a specific policing purpose.
3.12.8.1 Users and Line Managers must check prior to any approval, that any safety or welfare concerns are considered. The physical security of the device is appropriate for the location in which it is to be used. The technical security e.g., the wi-fi connection will be secured appropriately when in use and accessing the network will be via VPN. Consideration should also be given to the potential cost of using a mobile device for ‘roaming’ purposes outside of the EU.
3.12.8.2 In instances where Information Security advise against the decision made by Head of Command or Head of IT Services, the approver must inform the SIRO, outlining the circumstances and rationale for authorisation as well as including any Information Security recommendations. A copy of this correspondence must be provided to Information Security.
3.13.1 Users must ensure that they have the permission of the relevant Information Asset Owner before transferring information to removable media. Where this is for a business function that cannot be facilitated on a network data transfer, a Security Operating Procedure must be in place, authorised by the IAO and reviewed by Information Security.
3.13.2 Removable media, by its very nature, is particularly vulnerable to unauthorised access. Users must ensure that the information is protected by encryption and/or kept physically secure at all times.
3.13.3 Media containing classified material must be marked and protected in accordance with the current Protective Marking criteria. This must be to the highest marking of all information stored on it, and the files, or the entire media, should be encrypted (see published guidance).
3.13.4 If any USB Storage Media containing police information is not encrypted using the forces’ standard encryption solution, then the storage media itself must be supplied by IT Services and will be recorded as a personal issue. The device must be used solely for legitimate police purposes and supported by written operating procedures.
3.13.5 When not in use, the removable media must be stored in an appropriately secure location, such as a locked cabinet or cupboard, and/or a locked room.
3.13.6 Information must be securely erased from removable media or the media must be securely destroyed, at the earliest opportunity. If the media has been used to store unencrypted police information, it must be handed back into IT Services for secure disposal.
3.13.7 Removable media is not to be used as a means of long-term or permanent storage.
3.13.8 The mobile computing devices section contains further advice on taking devices outside of the United Kingdom.
3.13.9 Removable media must be managed in line with the forthcoming Digital Asset Management System and the criteria specified within the operating procedure. Any deviation needs to be approved by the IAO and ISO.
3.13.10 Removable media must be sent to court using encryption and recorded delivery.
3.14.1 The use of Essex Police and Kent Police ICT is subject to an acceptance by users that their use can be monitored and recorded, they can have no expectation of absolute privacy in that use, or any information held on their Essex Police or Kent Police computer, network or server. Information Security will audit Computer Use and Access for compliance.
3.14.2 All use of IT may be monitored for any of the following purposes:
3.14.3 In addition, the Senior Information Risk Owner is empowered to test compliance generally with this procedure and its supporting standards.
3.15.1 Users are reminded that all IT equipment remains the asset of the IT Service Department and any removal, moving or disposal should be carried out in accordance with the disposal guidelines within IT. Disposal of any IT equipment will not be undertaken upon an individual’s own initiative. Any change in location of equipment including storage or disposal must be undertaken by a suitably qualified member of IT. Failure to adhere to this procedure will be considered as a security incident.
3.16.1 All users are advised that information recorded on computers may be disclosed in the course of disciplinary, civil and criminal investigations and proceedings, or in response to statutory rights of access to information under the Data Protection Legislation (UK General Data Protection Regulation and Data Protection Act 2018) and the Freedom of Information Act 2000.
3.17.1 Any actual or suspected security breaches, or even perceived weaknesses in information security, should be reported to the IT Service Desk immediately and to the relevant force Information Security Officer (ISO) within 24 hours (see W 1004 Procedure/SOP – Incident Reporting and Handling).
3.17.2 Any loss or theft of a computer or device must be reported immediately to the IT Service Desk and FCR to enable work to begin on minimising the impact and mitigating the harm caused by that theft or loss.
4.1 EIA - requested.
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures/SOPs. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The Information Security Officer will be responsible for ensuring that the procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by, or on behalf of, the forces’ SIROs every year.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Joint Essex Police and Kent Police
• W 1000 Policy – Information Management
• W 1002 Procedure/SOP – User Account Management
• W 1004 Procedure/SOP – Incident Reporting and Management
• W 1005 Procedure/SOP – Information Asset Owners
• W 1006 Procedure/SOP – Government Security Classification Scheme (GSC)
• W 1007 Procedure/SOP – Assurance of Information Assets
• W 1008 Procedure/SOP – Physical Security
• W 1009 Procedure/SOP – Protective Monitoring
• W 1010 Procedure/SOP – Records Management (Physical and Digital)
• W 1011 Procedure/SOP – Data Protection
• W 1012 Procedure/SOP – Records Review, Retention and Disposal
• W 1014 Procedure/SOP – Information Sharing Agreements
• W 1015 Procedure/SOP – Redaction
• W 1016 Procedure/SOP – Encryption of Files and Removable Digital Media
• W 1017 Procedure/SOP – Sanitisation, Re-Use and Disposal
• W 1019 Procedure/SOP – Freedom of Information
• W 1020 Procedure/SOP – Use of Bluetooth
• W 1021 Procedure/SOP – Shared and Standalone Devices
• W 1022 Procedure/SOP – Data Protection Impact Assessments
8.2.1 Essex Police and Kent Police have measures in place to protect the security of data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.3.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.3.2 We will only hold data for as long as necessary for the purposes for which we collected it.
9.1 There are no other source documents.
Policy reference: ICT acceptable SOP (W1001)
Contact point: Head of Information Management
Date last reviewed: August 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.