1.1 This procedure/SOP was updated on its review in December 2022. Changes made are as follows:
2.1 All records, media and data held and used by Essex Police and Kent Police fall within the scope of the Data Protection Act. Each Chief Constable is the relevant Data Controller and each force has appointed a Data Protection Officer as defined within the Act. A Chief Officer has also been appointed in each force to take delegated responsibility for all other elements of information management; this responsibility is defined as the Senior Information Risk Owner (SIRO).
2.2 An Information Asset Owner (IAO) is a senior individual who holds relevant responsibilities in relation to a particular business area. Their role is to understand what information their staff hold (physical and digital records), what is added, what is removed, how information is transferred and who has access to it and why. As a result they will be able to understand and mitigate risks and provide assurance to the SIRO in relation to the security and accuracy of their information assets.
2.2 This procedure/SOP is intended to provide clarification on the responsibilities of this role within Essex Police and Kent Police, in order to provide consistent management of the forces’ information assets to ensure that they are utilised effectively and are appropriately risk-managed.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 Essex Police and Kent Police will assign IAOs covering all of their key information assets.
3.2 IAOs are appointed by the Force Senior Information Risk Owner (SIRO). They are not necessarily the creator or even the primary user of the information, but they will have a good understanding of how the organisation needs to use information to conduct its business.
3.3 The seniority of the IAO must match the risks associated with the information that they own. Typically, IAOs will be Heads of department or LPA/Divisional Commanders.
3.4 An IAO may appoint one or more Information Asset Assistants (IAA) to assist with this work and may delegate decision making to them. If any responsibilities are delegated the IAO must ensure they have an appropriate governance structure in place and any IAA responsibilities are reflected in the IAA’s core role requirement.
3.5 Responsibilities of the IAO include:
3.6 Where necessary, the sharing or processing of information must be supported by information sharing agreements or data processing contracts (see W 1014 Procedure/SOP – Information Sharing Agreements).
3.7 Identifying and Grouping Information Assets
3.7.1 An ‘Information Asset’ includes any personal information that we collect or process as defined within the Data Protection Act. In practical terms that means sufficient information that may help to identify a living individual, such as name, address, date of birth, NI number, IP address, biometric records, or still and video images. The type of information we collect and process is not restricted to records about suspects, victims or witnesses; it applies to officers, staff, retired officers and staff, volunteers, stakeholders, and in some instances contractors.
3.7.2 The Data Protection Act applies to all personal data recorded digitally, recorded on paper records or in books, biometric records from which an individual may be identified, and images, either still or video clips such as those used in custody or on CCTV.
3.7.3 An IAO may also want to record the existence of some assets that sit outside of the scope of the Data Protection Act. An IAO may well have oversight of other sensitive material, which doesn’t include personal data, but which they may wish to ensure is stored, shared and disposed of appropriately. Examples might include operational orders, organisational project plans, minutes etc. Such material may also be subject to FOI, or critical to the upkeep of reference material to provide an organisational memory. An individual IAO therefore may also wish to record such assets with the relevant force Information Asset Register.
3.7.4 Information assets will be grouped in terms of their business needs and not the technology used.
4.1 This procedure/SOP has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure/SOP would have no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity.
5.1 Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The Information Security Officer will be responsible for ensuring that this procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by, or on behalf of, the forces’ SIROs every two years.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Data Security
8.1.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2 Retention & Disposal of Records
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which we collected it.
Policy reference: Information asset owners SOP (W1005)
Contact point: Senior Information Risk Owner (SIRO)
Date last reviewed: July 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.