1.0 Summary of changes
1.1 This procedure/SOP was reviewed in March 2026 – paragraphs 3.3 and 3.4 added.
2.0 What this procedure/SOP is about
2.1 All records, media and data held and used by Essex Police and Kent Police fall within the scope of the Data Protection Act. Each chief constable is the relevant data controller and each force has appointed a data protection officer as defined within the Act. A Chief Officer has also been appointed in each force to take delegated responsibility for all other elements of information management; this responsibility is defined as the Senior Information Risk Owner (SIRO).
2.2 An Information Asset Owner (IAO) is a senior individual who holds relevant responsibilities in relation to a particular business area. Their role is to understand what information their staff hold (physical and digital records), what is added, what is removed, how information is transferred and who has access to it and why. As a result they will be able to understand and mitigate risks and provide assurance to the SIRO in relation to the security and accuracy of their information assets.
2.3 This procedure/SOP is intended to provide clarification on the responsibilities of this role within Essex Police and Kent Police, in order to provide consistent management of the forces’ information assets to ensure that they are utilised effectively and are appropriately risk-managed.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.0 Detail the procedure/SOP
3.1 Essex Police and Kent Police will assign IAOs covering all of their key information assets.
3.2 Appointed by the force senior information risk owner (SIRO), they are not necessarily the creator or even the primary user of the information, but IAOs will have a good understanding of how the organisation needs to use information to conduct its business.
3.3 Newly appointed IAOs must read and familiarise themselves with the IAO Handbook produced by the College of Policing, along with any other relevant materials available on InSite. IAOs are also required to attend an introductory meeting with the heads of Information Management, during which the IAO role, associated responsibilities, and the support available will be outlined.
3.4 For refresher training, IAOs must attend Continuing Professional Development (CPD) events organised by Information Management, based on current organisational needs. These refresher sessions must be completed at least once every two years.
3.5 The seniority of the IAO must match the risks associated with the information that they own. Typically, IAOs will be heads of department or LPA/divisional commanders.
3.6 An IAO may appoint one or more Information Asset Assistants (IAA) to assist with this work and may delegate decision making to them. If any responsibilities are delegated the IAO must ensure they have an appropriate governance structure in place and any IAA responsibilities are reflected in the IAA’s core role requirement.
3.7 Responsibilities of the IAO include:
- lead and foster a culture within their department/division that values, protects and uses information for the public good, whether for a policing purpose or our own internal management processes
- promulgate the application of the knowledge acquired through training and lessons learned by fostering a culture of continuous improvement encouraged and exemplified by their supervisors at all levels
- identify and document the scope and importance of all information assets (physical and digital) that they own; thus supporting the management and maintenance of the relevant Essex Police or Kent Police Information Asset Register and ensure all relevant entries are current and reviewed regularly. Entries must include the purpose for data use, records of how consent is obtained or the alternative lawful conditions relied on for its processing, how it will be used, whom it is shared with, logs of any changes, redactions or alterations, its retention period and the grounds for its disposal. Records will also have to include references to where all policies, privacy impact assessments and data protection impact assessments are kept
- take ownership of local asset control, risk assessment and management processes for the information assets within the IAO's portfolio. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks
- know who has access to the information and why, and ensure that their use is monitored
- ensure any ‘business continuity plans’ and ‘disaster recovery plans’ protect their local and organisational information assets from significant negative events. Information assets need to be maintained efficiently to enable mission critical functions to be quickly resumed
- ensure information assets are properly considered and where necessary protected under the government security classification
- provide support by keeping their section of the Information Asset Register up to date so that the SIRO can maintain their awareness of the current risks to all information assets that are owned by the force
- ensure that their staff and relevant others are aware of and comply with expected information governance and Data Protection working practices for the effective use of information assets. Ensure that their officers and staff carry out all relevant induction, refresher and additional specialist training relative to their role, in respect of data protection, information security and the government security classification
- ensure adherence to the data breach and security incident identification, reporting, management and response requirements, in line with force policy W1004 incident reporting and management, and ensure staff knowledge of those requirements
- attend the force’s Assurance Board meetings; force Security and Integrity Board (Kent)/Information Management Board (Essex)
- know what business partners and third parties share and/or process this information
- understand the changing risks to information and provide relevant updates to the SIRO as part of the IAR annual review. Notify the force DPO as soon as possible of any new high-risk assets identified
- ensure that information is being adequately protected at all times
- ensure that users of the information are aware of force policy, procedures and guidance
- make sure that the organisation’s information is being fully utilised and is accessible to all those that have a legitimate need
3.8 Where necessary, the sharing or processing of information must be supported by information sharing agreements or data processing contracts (see W 1014 Procedure/SOP – Information Sharing agreements).
3.9 Identifying and grouping information assets
3.9.1 An ‘information asset’ includes any personal information that we collect or process as defined within the Data Protection Act. In practical terms that means sufficient information that may help to identify a living individual, such as name, address, date of birth, NI number, IP address, biometric records, or still and video images. The type of information we collect and process is not restricted to records about suspects, victims or witnesses; it applies to officers, staff, retired officers and staff, volunteers, stakeholders, and in some instances contractors.
3.9.2 The Data Protection Act applies to all personal data recorded digitally, recorded on paper records or in books, biometric records from which an individual may be identified, and images, either still or video clips such as those used in custody or on CCTV.
3.9.3 An IAO may also want to record the existence of some assets that sit outside of the scope of the Data Protection Act. An IAO may well have oversight of other sensitive material, which doesn’t include personal data, but which they may wish to ensure is stored, shared and disposed of appropriately. Examples might include operational orders, organisational project plans, minutes etc. Such material may also be subject to FOI, or critical to the upkeep of reference material to provide an organisational memory. An individual IAO therefore may also wish to record such assets with the relevant force Information Asset Register.
3.9.4 Information assets will be grouped in terms of their business needs and not the technology used.
4.0 Equality Impact Assessment (EIA)
4.1 This procedure/SOP has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure/SOP would have no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity.
5.0 Risk assessment
5.1 Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to information security.
6.0 Consultation
6.1 The following have been consulted during the formulation of this document:
- Kent IT Department
- Essex Information Management Department
- Unison / Federation
- H&S / Diversity
- Risk Manager
7.0 Monitoring and review
7.1 The Information Security Officer in Kent and the force data protection officer in Essex will be responsible for ensuring that this procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by, or on behalf of, the forces’ SIROs every two years.
8.0 Governing force policy
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Essex Police and Kent Police joint policy and procedures/SOPs:
- W 1000 Policy – Information Management
8.2 Retention and disposal of records
8.2.1 Essex Police and Kent Police will hold data in accordance with our records review, retention and disposal policy – W 1012 Procedure/SOP - Records review, retention and disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which we collected it.