1.1 This joint procedure/SOP was reviewed in December 2022 and the following amendments were made:
2.1 This procedure/SOP describes the importance of monitoring compliance with legal, regulatory and contractual requirements, in particular, compliance with the principles of the Data Protection Act 2018/General Data Protection Regulation (GDPR), and the College of Policing’s APP on Information Management.
2.2 Compliance is achieved by monitoring how police information is being used, or abused, and ensuring users are accountable for compliance with the forces’ policy and procedures and their use of the forces’ ICT.
2.3 Information Assets include manual files and computer systems. All of these are a potential risk to the organisation if they do not comply with current legislation or are of poor data quality.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 Monitoring includes the day-to-day examination (a self-inspection/quality control check) of an information asset or information processing procedure (such as a user recording, accessing or sharing information). This is performed by, or on behalf of, an Information Asset Owner (IAO), with the objective of identifying misuse, or errors, so that corrective action may be taken.
3.2 The Assurance of an information asset (see W 1007 Procedure/SOP - Accreditation of Information Assets) will confirm what protective monitoring needs to be undertaken for that asset, by whom, when and how. These requirements will be written into security operating procedures (SyOPs) that can later be audited.
3.3 The IAO, supported by the System Manager where appropriate, will ensure that the procedure/SOP is followed in relation to their information; that any remedial action is taken, as required, and that any identified risks are reported to the Senior Information Risk Owner (SIRO(s)).
3.4 Monitoring is not an activity that is usually undertaken by auditors, but an action for the IAO or designated System Manager. Auditing of the monitoring process needs to be undertaken independently; therefore, those individuals who are undertaking a monitoring role should not also undertake the audit for that information asset.
3.5 The Information Security Officers will have responsibility for determining the audit programme undertaken within each Force. The audit programme will be subject to available resources and will be determined on the basis of the threats and associated vulnerabilities identified.
3.6 Following each audit, a report will be submitted to the Information Security Officer and relevant IAO(s). The report will highlight where the forces are non-compliant or where information risks fall outside of the forces’, or IAO’s, risk appetite. Medium/High risks will also be highlighted to the respective SIRO(s) immediately.
3.7 Any significant results from the audits will be reported to the SIRO on a quarterly basis in the Kent Force Security and Integrity Committee or the Essex Information Management Board.
3.8 Any security breaches discovered during the audits will be reported as an information security incident in accordance with W 1004 Procedure/SOP - Incident Reporting and Management. It is the responsibility of the IAO to ensure that incidents are formally reported, although the auditor may initiate the process.
4.1 This procedure/SOP has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure/SOP would have no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity.
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The Information Security Officer will be responsible for ensuring that the procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every two years.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Joint Essex Police and Kent Police
8.2 Data Security
8.2.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.3 Retention & Disposal of Records
8.3.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.3.2 We will only hold data for as long as necessary for the purposes for which we collected it.
Policy reference: Protective marking SOP (W1009)
Contact point: The Senior Information Risk Owners (SIROs)
Date last reviewed: July 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.