1.1. This policy has been reviewed on 18 August 2023 - reference to Code of Practice on the Management of Police Information (MoPI) amended to Police Information and Records Management Code of Practice within paragraph 2.4.
2.1 Policing is increasingly dependent upon high quality information processes which are secure. In order that our staff, partners and the public can have confidence in the integrity and availability of policing information and its secure storage, processing and disposal, robust Information Management procedures must be in place. Without such procedures there is a significant and foreseeable risk of compromise, potentially leading to the facilitation of crime, public safety issues, hindrance to investigations, financial loss and reputational damage, and consequently a loss in public and partner confidence.
2.2 Essex Police and Kent Police recognise that Information Security and Data Protection functions have become increasingly important over recent years in terms of information compliance and risk management, driven by the substantial growth around information held, system developments and multi-agency working.
2.3 This policy supports the Information Assurance Strategies of both forces and is underpinned by more detailed supporting procedures. The objective is to identify vulnerabilities and subsequent risk, and to ensure security arrangements remain effective, with identified risks managed effectively, collectively and proportionately. It underpins all areas of policing in support of the strategic policing requirement and our other statutory responsibilities.
2.4 The policy also affirms the commitment of both forces to comply with relevant legal requirements, national guidance and standards, existing and forthcoming, relating to:
2.5 Police officers, police staff, Special Constabulary officers, PCSOs, contractors, volunteers and members of other agencies and partnerships working with Essex Police and Kent Police and having access to police information must comply with this policy and supporting procedures.
Compliance with this policy and any linked procedures is mandatory.
3.1 Both Essex Police and Kent Police utilise innovative and agile technology to access, share, retain and process data via increasingly transparent means whilst maintaining and developing trust and confidence with the public, partnerships, stakeholders and employees.
3.2 In accordance with the ‘National Decision Model’ we will use discretion, professional judgement and common sense to guide us and will be accountable for our decisions and actions. In identifying and managing risk we will seek to achieve successful outcomes and to reduce the risk of harm to individuals and communities.
3.3 Our Information Security procedures will seek to utilise:
Physical controls – creating physical limits to prevent access to IT systems, e.g. fences, guards, dogs and CCTV systems.
Technical controls – effective use of hardware or software to protect systems and resources, e.g. disk encryption, fingerprint readers and Windows Active Directory.
Administrative controls – policies and procedures which ensure proper guidance is available for security and regulatory compliance, e.g. data handling procedures and security requirements.
3.4 This Information Management Policy and detailed procedures will enable Essex Police and Kent Police to:
3.5 Governance
3.5.1 The governance structure in relation to information management includes forces, national systems, national policing, government departments and delivery partners.
3.5.2 The Chief Constable in each force is the Data Controller, as defined in the Data Protection Act 2018. A specific Data Controller from each force takes primacy in relation to particular collaborative activity. Each controller will implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that information assets are secure and the processing of personal data complies with the requirements of the Data Protection Act.
3.5.3 The National Senior Information Risk Owner (NSIRO) is responsible for information risk associated with the national capability.
3.5.4 A Senior Information Risk Owner (SIRO) at Chief Officer level will be maintained in each force. Each individual SIRO has responsibility for information governance and risk ownership, including shared risks with other organisations, partnerships and third party suppliers on behalf of their Chief Constable.
3.5.5 The SIRO in each force is supported by Information Asset Owners (IAOs) at a senior level across all aspects of the policing business. IAOs are in turn supported by Information Asset Assistants (IAA) and where necessary Information Asset Co-ordinators (IACs).
3.5.6 The Force Information Asset Owners (typically Divisional Commanders and Departmental Heads) will understand what information they hold, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good.
3.5.7 Equally a Data Protection Officer (DPO) is maintained by each individual force (in Kent Police the strategic responsibilities of the role are held by the Head of Information Security and Governance). The DPO acts as the intermediary for all relevant stakeholders, identifying and mitigating risks, acting as an enabler to achieve business objectives whilst safeguarding information assets.
3.5.8 The arrangements in relation to Data Controller primacy for collaborative functions are mirrored in respect of SIRO and DPO in order to provide clear accountability. The SIRO will ensure that their force maintains an appropriately resourced, qualified and experienced Information Security Team which in turn can provide ‘expert’ advice to both the SIRO and IAOs in furtherance of their duties.
3.5.9 The Information Management (& Assurance) Boards for Essex and Kent provide the forums for the discussion and management of Information Management and Assurance issues, and ensure that the level of risk (likelihood and potential impact) is appropriately managed, and any identified concerns are escalated as necessary.
3.5.10 The Government Security Classification Scheme is used in both forces to protect information assets according to their operational or personal sensitivities.
4.1 Finance / Staffing / Training / Other
4.1.1 All staff are required to complete the College of Policing’s Managed Learning Environment training package in relation to Data Protection, supplemented by the Information Security and protective marking training packages. Information Management practitioners will also complete the Data Protection modules (Foundation, Intermediate and Advanced) once available.
4.1.2 Strategic or managerial risks in relation to Information Security will be recorded within the relevant corporate risk register for either force. Advice and guidance relating to the assessment of risk is contained within the individual procedures.
4.2 Risk Assessment(s)
4.2.1 Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
4.3 Equality Impact Assessment
4.3.1 This policy has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this policy would have no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity.
5.0 Consultation
6.0 Monitoring and Review
6.1 The Information Security Officer will be responsible for ensuring that the policy remains current in line with HMG and ACPO policy.
6.2 This policy will be reviewed by or on behalf of the forces’ SIROs every 2 years.
7.0 Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
7.1 Data Security
7.1 Essex Police have measures in place to protect the security of data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
7.2 Retention & Disposal of Records
7.2.1 Essex Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
7.2.2 We will only hold data for as long as necessary for the purposes for which we collected
8.0 Other source documents, e.g., Legislation, APP, partnership agreements (if applicable)
None
Policy reference: Information management and assurance policy (W01)
Contact point: Head of Information Security
Date last reviewed: August 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.