
NOT PROTECTIVELY MARKED

Northamptonshire Police

Information Management Strategy

If printed, copied or otherwise transferred from the Policies and Procedures Intranet/Internet Site this document must be considered to be an uncontrolled copy. Policy amendments may occur at any time and you should consult the Policies and Procedures Intranet/Internet Site if in doubt.

Ratified By: Professional Standards and Security Board

Ratified Date:

Version: 1

Owning Department: Force Information Unit, Professional Standards Department

Policy Author: Yvonne Mason, Information Unit Manager

Review Date: December 2016


Contents

Information Management Strategy

PART 1

1. Introduction

2. Strategic Aim – Information Management

3. Strategic Objectives

4. Information Management Values

The Standards

Business Management

People Management

Information Sharing

Data/Information Management

5. Scope of Strategy

6. Responsibilities

7. The Role of the Professional Standards and Security Board

8. Relationship with Existing Policies

9. Relationship with Future Policies

PART 2 – Information Management Standards and Working Practices

1. Introduction

2. Information in the Policing context

3. Regulatory Environment

4. Strategic and Operational Information Management

5. Functions and Responsibilities

6. Audit

Appendix A – Business Benefits

Appendix B – Regulatory Environment

Appendix C – Index of Information Management Sub-Policies


Information Management Strategy

PART ONE

1. Introduction

Under the Home Office (2005) Code of Practice on the Management of Police Information and the College of Policing Authorised Professional Practice (APP) the Deputy Chief Constable will establish and maintain an Information Management Strategy (IMS) within Northamptonshire Police (hereinafter referred to as the Force), complying with guidance and standards issued within the Management of Police Information (MoPI) Statutory Code of Practice (CoP) and the APP unless that guidance is superseded by regulations made by the Secretary of State under section 53A of the Police Act 1996.

The Force has a duty to obtain and use a wide variety of information, including personal information, in order to discharge its responsibilities effectively. This IMS and accompanying standards, in conjunction with all other information management related policies, procedures and processes, provides a mandate for the performance of all information management functions to ensure all staff, including agencies, contractors and partners involved with police information, competently and efficiently carry out their duties. Within the MoPI CoP a policing purpose is defined as:-

Protecting life and property; Preserving order; Preventing the commission of offences; Bringing offenders to justice; Any duty or responsibility arising from common or statute law.

Implementation will focus on the following:

Citizen-focused Service Delivery; Governance; Effective and Lawful Use of Information; Information as a Force Asset; Information as a Shared Resource; Infrastructure and Strategic Management of Information.

This IMS does not define systems but will incorporate the Information Systems Improvement Strategy for the Police Service within which technology and systems are defined.

This IMS is not a stand-alone document. It is intrinsic to how the Force manages all of its police information within the policing context and as such informs, and is informed by, all other Force policies. By its very nature, the management of all police information will form part of Northamptonshire Police’s usual operational business, be integrated and consistent across all business areas within the Force and be reviewed and updated in line with other Force policies.

There are numerous strategic, tactical and operational benefits to the Force which are outlined in Appendix A.


This IMS does not take a systems approach but will ensure that information is managed across all Force objectives, functions and processes in accordance with APP.

It is the intention of the Force, through the application of APP, to improve data quality throughout the relevant business areas aligned to the Professional Standards Information Assurance Board. It is further the intention of the Force to utilise and align itself where possible with national and local IT improvements in order that the principle of the ‘golden nominal’ through system/process linkage is attained thus ensuring that data collected, recorded, evaluated, shared and retained is of the highest quality.

2. Strategic Aim

Northamptonshire Police aim to:-

Provide the best possible service to our communities by providing reliable information at the point of need, where individuals understand the importance of using it correctly, sharing it lawfully and protecting it from improper use.

In providing reliable information we will provide the best possible service to our communities and in doing so help realise a number of our Force strategic aims.

Police information is defined as all information including intelligence and personal data obtained and recorded for a policing purpose.

3. Strategic Objectives

To achieve this aim the Force will:-

Work to meet the required standards to comply with legislation, MoPI CoP and Guidance, APP and relevant Force policies

Manage its information corporately

Identify and support effective practice in the management of police information across all business areas

Promote an integrated information lifecycle Force-wide

Ensure that the Force infrastructure and processes can provide the right information to the right people at the right time for the right purpose.

Ensure that staff understand the importance of information and how to use it correctly and how it must be protected from unlawful use.

Support the requirements placed on the Police Service under the HMG Information Assurance Maturity Model and Assessment Framework, and modular Code of Connection and Risk Managed Accreditation Document Sets for police systems.

This strategy is written to ensure that statutory requirements are addressed and that mechanisms are established to ensure that individuals fully understand their responsibilities.


4. Information Management Values

The Standards:

Recording of information to comply with the principles of the National Intelligence Model (NIM);

Appropriate classification, grading and recording of police information; The eradication of unnecessary duplication; The quality of information; Evaluation; Audit; Risk Management; Vetting;

Business Management

Duty to obtain and manage information; Compliance with NIM; Cost effectiveness in information management; Commitment to an information culture; Information as a business asset and the value of information used in decision making and program management.

People Management

Ownership of information; User’s responsibilities towards information; Competency in handling information; Investment in appropriate resources, skills and training.

Information Sharing

Duty to share information lawfully; Providing the right to information for the right person at the right time; Protection of sensitive information and sources; Obligations of those receiving information.

Data/Information Management

Review, retention and disposal of information; Conformity/compliance with external agreements; The use of appropriate information technology; Security of information; Aggregating data; Storage of information; Data Protection Act 1998 (DPA); Freedom of Information Act 2000 (FOIA); Complying with the Information Assurance Maturity Model.

The Force is committed via this strategy and other initiatives to improve information processes and operational capabilities. In doing so, we will ensure that citizens, and vulnerable people in particular, are better protected by improved information sharing capabilities with local authorities and partner agencies.

5. Scope of Strategy

This strategy applies to all information received, created, held, shared, disseminated, disclosed, reviewed, retained or disposed of by all staff employed by the Force in the course of carrying out their duties. This document covers all formats of information including electronic, digital and hard copy whilst in storage, processing, use or transit and the risks created by both malicious and non-malicious actions.

This strategy does not redefine organisational structures, nor determine technology-based solutions; however, it will inform future technical developments.

6. Responsibilities

Northamptonshire Police has a corporate responsibility to own and manage all information created, received and held for a policing purpose in accordance with the regulatory environment. The Deputy Chief Constable (DCC) has the overall responsibility and ownership of this strategy and the defined role of Senior Information Risk Owner (SIRO), although some responsibilities may be delegated to others.

The person(s) responsible for information management in the Force will:-

i) Ensure that this IMS is available for all staff, partners and the public to view;

ii) Give guidance for good information management practice and promote compliance with this strategy so that police information will be:-

a. Accessed easily, appropriately and in a timely manner;
b. Processed for a policing purpose;
c. Shared and disclosed lawfully.

iii) Ensure the integrity of the information.

All individuals within the Force will ensure that all information created, received and held for which they are responsible, is accurate, relevant and kept up to date, and that decisions about it are properly recorded, thereby ensuring accountability with an accurate audit trail.

7. The role of the Professional Standards Information Assurance Board

The purpose of the Professional Standards Information Assurance Board (IAB) will be to own and manage this Information Management Strategy and ensure that the management of all police information will form part of usual operational business, be integrated and consistent across all business areas within the Force and will seek to maximise the strategic, tactical and operational benefits of the implementation of the Management of Police Information.

The IAB, chaired by the DCC, owns this IMS and in exercising their responsibilities has an overarching role in providing the strategic drive, direction, coordination, control and approval necessary to achieve the strategic aims and objectives of this IMS.


The IAB will monitor and direct the work of a series of project groups tasked with applying this IMS to key operational business areas thereby ensuring delivery of the MoPI Force Action Plan.

The IAB will liaise with other strategic groups in the Force through the attendance of appropriate IAB members at those groups to ensure a corporate strategy for information management.

The IAB will approve the Force Audit Strategy and the Annual Audit Plan, which will measure compliance with the Data Protection Act and the Code of Practice on the Management of Police Information with particular attention to data quality and actions identified by the project groups to improve the availability of relevant information.

The IAB will ensure that the Force Training Strategy is aimed at the training of police officers and police staff in order to implement the National Centre for Policing Excellence (NCPE) Code of Practice and Management of Police Information.

8. Relationship with Existing Policies

This strategy has been written within the context of:-

MoPI (CoP); MoPI Guidance; MoPI Threshold Standards; Authorised Professional Practice; Links with other legislation, statute and common law, regulations or national and local policies and procedures affecting the Force, Appendix B.

9. Relationship with Future Policies

All relevant future policies will be written with due regard to this strategy.

NB: This strategy must be read and implemented in conjunction with Force information management procedures and processes.

Northamptonshire Police

Part 2

Information Management Standards and Working Practices

1. Introduction

1.1 Police information management cuts across all police business activities. It is critical that a co-ordinated and cohesive approach is taken to improve police performance in support of the Force objectives:

i) information will be managed to support business processes;
ii) information will be accurate, up-to-date and readily accessible to those who have authority to see it;
iii) information will only be retained where necessary;
iv) information will be based on the lifecycle of information in accordance with APP direction of Review, Retention and Disposal (RRD);
v) methods of information management will be secure, protected, legal and subject to environmental and proportional cost issues.

1.2 Northamptonshire Police is committed to the following five information management principles as defined by the International Standards Organisation (ISO) 15489:

i) to recognise and understand all types of information;
ii) to understand the legal issues and execute duty of care responsibilities;
iii) to identify and specify business processes and procedures;
iv) to identify enabling technologies to support business processes and procedures;
v) to monitor and audit business processes and procedures.

1.3 These standards provide an opportunity for achieving national consistency through complying with the APP by:

• ensuring the Force understands the value of information and is able to exploit it as a corporate asset;

• providing the standards for information management in respect of definitions, data standards and the rules for disclosing/sharing;

• integrating all Force policies and protocols relating to, and in the context of, managing police information;

• putting in place cost effective mechanisms to ensure the Force and its partners have access to the right information, in the right form, at the right time.

1.4 Each business area will have a named business process/system owner of information who will be responsible for its creation and accuracy and a custodian of information (responsible for its physical safekeeping). All Force systems will be formally security accredited in line with the ACPO Community Security Policy and associated Force policies.

2. Information in the Policing Context

2.1 Information will be managed corporately and will have common standards applied to it (as defined by the APP), in order for it to be used for a policing purpose. This will enable the Force to agree solutions to information management issues locally and nationally.

2.2 Force policies and procedures for all key elements of information management will comply with the APP and other legislative regulations (see Appendix B), policies and standards affecting the management of information functions across all Force business areas.

2.3 New systems (and where possible, legacy systems) will be integrated and information received or collected will be entered into the system once as part of the operational process at the point of service delivery, without intervening manual processes.

3. Regulatory Environment

The APP and MoPI CoP exist within a regulatory environment that includes statutes, common law, codes and guidance. Please see Appendix B for a detailed list of regulations.

4. Strategic and Operational Information Management

The Force will address key focus areas as follows:-

4.1 CITIZEN-FOCUSED SERVICE DELIVERY

4.1.1 Northamptonshire Police will provide a citizen-focused service that responds to the needs of its communities and individuals through building effective links with its local communities and members of the public to ensure their needs as citizens are met.

4.1.2 The Force will work towards implementing integrated information management processes across all business areas and activities to enable it to bring about increasingly responsive services to its local communities and individuals.

4.1.3 The Force will work in partnership with local authorities and other organisations in providing a safer environment for its citizens.

4.2 GOVERNANCE

4.2.1 The Force has a duty to obtain and manage information needed for a policing purpose.

4.2.2 All information will be evaluated and processed within an acceptable time period documented in the Force RRD Policy and paying due regard to the different types of information it is legislatively bound to hold, in particular information that has regulatory constraints upon its publication and that which is for internal use only.

4.2.3 Information will be held where and when it is considered that it is necessary for a police purpose and assessed for reliability.

4.2.4 Information originally recorded for police purposes will be reviewed in line with the APP and compliant with the principles of the DPA 1998. All such reviews will be documented and require the following to be recorded against them: date of review, reviewer’s name, outcome and reason for the review.

4.2.5 When it is reviewed, information originally recorded for police purposes will be considered for retention or disposal.

4.2.6 There are certain public protection matters which are of such importance that the Force will only delete the information if:-

a) the information has been shown to be inaccurate, in ways which cannot be dealt with by amending the record; or

b) it is no longer considered that the information is necessary for police purposes.

4.2.7 The decision to retain information can be approved by a Supervisor at any level.

4.2.8 The disposal of MoPI Group 1 & 2 will only take place with approval of a supervisor.

4.2.9 Disposal of MoPI Group 3 records will be considered after 15 years and MoPI Group 4 records will be disposed of by automatic deletion, as agreed by the Deputy Chief Constable.

4.2.10 A record of all reviews and disposals will be maintained electronically by systems wherever possible. Where not possible, manual records will be maintained as defined in the Force RRD Policy. These records will include the date of the decision, the number of records and whether they were considered inaccurate or no longer necessary for a policing purpose, but will not contain any personal information.

4.2.11 The Force is committed to improving and maintaining a fit for purpose flow of information, central to its ability to function effectively and efficiently, and to ensuring that staff are aware of the Force’s key aims, objectives, strategies and developments.

4.2.12 A process of regular monitoring for the accuracy, adequacy, relevancy and timeliness of Force information will be established, which will include dip sampling of records within each business area.

4.3 INFORMATION ASSURANCE

Information Assurance reflects the increasing value of information to the Police Service and the increasingly communal way in which it is used and shared. Information Assurance is the practice of managing information-related risks around the confidentiality, integrity and availability of information, in particular sensitive information, and the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users.

This IMS supports the Force’s approach to embed an Information Assurance culture enabling the effective use of police information in line with policing priorities and the key elements of Information Assurance are:-

i) to implement the strategic aims of the HMG Information Assurance Maturity Model (IAMM) and Assessment Framework;

ii) to adopt the Modular Code of Connection (CoCo) and Modular Risk Management Accreditation Document Sets (RMADS);

iii) to develop Information Risk Management structures in consultation with the appropriate risk owners;

iv) to ensure policies and procedures are clear and consistent and readily accessible

4.4 EFFECTIVE AND LAWFUL USE OF INFORMATION

4.4.1 The Deputy Chief Constable (ACPO) is responsible for ensuring recording procedures are established in accordance with the APP to enable information to be as complete and accurate as possible.

4.4.2 The Force is committed to continual development of information processes to enable effective information sharing partnerships that ensure disclosure and dissemination in a lawful manner.

4.4.3 The Force is committed to providing an environment to support staff in their role of managing the life-cycle of information.

4.4.4 Where appropriate, the source of the information, nature of the source, any assessment of the reliability of the source and any necessary restrictions on the use to be made of the information will be recorded to permit later review, reassessment and audit.

4.4.5 The format in which the information is recorded will comply with standards agreed and applied across the police service to facilitate exchange of information and processing within standard police technical systems.

4.4.6 The Force will commit to provide the training required to ensure that relevant data and record quality standards are realised and associated processes are fully understood.

4.5 INFORMATION AS A FORCE ASSET

4.5.2 Each Force business area will have a defined business process owner and system administrator for systems within that area, who will be responsible for the information life-cycle processes and consistency of those processes across the Force.

4.5.3 Each designated system will have a defined system administrator who will be responsible for its management and for making it accessible to those who need it in a secure and timely manner under central guidance/authority.

4.5.4 The Force will maintain and develop the quality of facilities and equipment relevant to information provision.

4.6 INFORMATION AS A SHARED RESOURCE

4.6.2 The Force will ensure information is accurate, reliable and up-to-date, and available to any other police force as specified in the APP requiring information for police purposes provided that the Chief Officer responsible for the record is satisfied that the police force seeking access to the information applies the principles set out in the APP.

4.6.3 The Force will have in place appropriate protocols and agreements for sharing information (Information Sharing Agreements) which will be stored in a central repository in the Information Unit.

4.6.4 Special procedures will be applied to a request for access to information recorded for police purposes, in particular, where it is necessary to protect the source of sensitive information or the procedures used to obtain it.

4.6.5 Information Sharing Agreements (ISAs) will be written where a regular exchange of personal information is required, between the police and identified partners where a power to share exists, or in responding to individual requests for information outside an ISA the Chief Officer will require those to whom information is made available to comply with the following obligations:-

i) Police information made available in response to such a request will be used only for the purpose for which the request was made;

ii) If other information available, at the time or later, to the person or body requesting police information tends to suggest that police information is inaccurate or incomplete, they will at the earliest possible moment inform the Force of such inaccuracy or incompleteness, either directly or by reporting the details to the relevant Business Process/System Owner. The System Owner is responsible for the police information and if necessary, will record any additions or changes to the recorded police information.

4.7 INFRASTRUCTURE AND STRATEGIC MANAGEMENT OF INFORMATION

4.7.2 Northamptonshire Police is committed to a consistent approach to the strategic management of information at all levels.

4.7.3 The Force has a corporate responsibility for ensuring an appropriate information management infrastructure is implemented and maintained, including developing robust, reliable, flexible, scalable and secure systems for both electronic and paper-based records/documents.

4.7.4 The infrastructure will host integrated systems to provide seamless access to related information across different functional systems e.g. electronic automated systems to manage time and labour intensive activities internally and externally and it will be developed to accommodate existing and emerging business processes.

4.7.5 Business process owners will be responsible for developing strategic liaison between departments to facilitate coherent development of information provision.

4.7.6 As the Force becomes increasingly dependent on electronic information systems for its effective operation, the Force will ensure these systems do not suffer major periods of unavailability, and business continuity plans will be developed by business area owners in partnership and consultation with the Information Technology Department, informed by realistic risk assessments.

5. Functions and Responsibilities

i) As a matter of policy and procedure, all Force staff must understand their responsibilities when using or communicating personal or other data and information.

ii) In practice, everyone working for, or with the Force who receives, creates, maintains, stores, reviews, discloses/shares or disposes of information, has a common law duty of confidentiality. This responsibility is established at, and defined by, law.

iii) In addition to individuals’ responsibility for information management, there are core levels and functions that have to be identified to ensure that police information is managed effectively, efficiently and lawfully. Each of these has a different combination of responsibilities but some are shared.

5.1 Professional Standards Information Assurance Board

5.1.1 The Force has established a Professional Standards Information Assurance Board (IAB) to implement and monitor the information management strategy (IMS) and standards. This Board is chaired by the Deputy Chief Constable and meets on a quarterly basis. If necessary any issues arising from this Board will be reported to the Chief Officer Group for decision.

5.1.2 The Board will determine the organisation’s policy for information assets and identify how compliance with that policy will be measured and reviewed, including:-

i) Identification of information assets and the classification into those of value and importance that merit special attention and those that do not;

ii) Quality and quantity of information for effective operation ensuring that, at every level, the information provided is necessary and sufficient, timely, reliable and consistent;

iii) The proper use of information in accordance with applicable legal, regulatory, operational and ethical standards and the roles and responsibilities for the creation, safekeeping, access, change and disposal of information;

iv) The protection of information from theft, loss, unauthorised access, improper use, including information which is the property of others;

v) Harnessing of information assets and their proper use for the maximum benefit of the organisation including legally protecting, licensing, re-using, combining, representing, publishing and destroying;

vi) Strategy for information systems, including those using computers and electronic communications and the implementation of that strategy with particular reference to the costs, benefits and risks arising;

vii) Identifying and actioning the appropriateness of a central oversight role for all information held by the Force.

5.1.3 The IAB will develop governance structures (including review of the criteria by which the Force decides which MoPI Group 3 records to review and which to automatically dispose of where the Force uses a system of time-based automatic disposal), policies and procedures to ensure the management of information within the Force is undertaken strategically and is aligned with the Force objectives.

5.1.4 The IAB will oversee the implementation and maintenance of the IMS and standards.

5.1.5 The IAB will provide advice to all staff involved in the management of information through the specialism of its members.

5.1.6 The IAB will be responsible for ensuring information management training is provided in line with the National Training Strategy and Force objectives including:

i) ensuring a training needs analysis is conducted;
ii) establishing appropriate training programmes and schedules;
iii) identifying appropriate training products.

5.1.7 The Force Risk Register will be utilised to ensure that risks identified in the evolving plans supporting the delivery of the strategy are addressed. Any information risk identified on the Risk Register will be reviewed at each meeting of the IAB.

5.2 Executive

5.2.1 The DCC has ultimate ownership of the Force IMS.

5.2.2 As Force Data Controller, the Chief Constable, in line with the Data Protection Act 1998, has the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller, including but not limited to the following:-

i) determines why, as well as how, personal data including sensitive personal data, is processed and what security measures will be appropriate;

ii) has a duty to ensure that the collection and processing of any personal data within the Force complies with the data protection principles;

iii) retains full responsibility for the actions of the data processor;

iv) notifies all processing operations that involve personal data to the Information Commissioner and keeps this notification up-to-date.

5.2.3 The role of data controller is a primary legislative function. The controls for meeting the Force’s legal obligations for personal data management can be delegated as appropriate, with clearly defined responsibilities and the ability to report directly to the data controller as necessary.

5.2.4 The Chief Constable has overall executive responsibility for management and use of information within Northamptonshire Police.

5.2.5 The DCC will ensure that the Force adopts policy, procedures and processes for the management of information and support their application Force-wide so that information is used effectively for police purposes and in support of consistent national standards.

5.3 Senior Information Risk Owner (SIRO)

5.3.1 The Force SIRO is the Deputy Chief Constable who has responsibility for understanding how the strategic business goals of the Force may be impacted by information management systems failure.

5.3.2 The SIRO is responsible for ensuring that information risk management and management processes are established and adhered to Force-wide.

5.3.3 The SIRO will make the final decision in cases where the ISO identifies potentially unacceptable residual risks during the systems accreditation process.

5.3.4 This is a strategic responsibility, which will not be confined to information technology or information assurance departments.

5.4 Head of PSD

5.4.1 The Head of PSD holds responsibility for the management of police information and as such has responsibility for overseeing all related functions for the management of police information such as data protection, information assurance, freedom of information and disclosure/sharing of information which may be undertaken by separate internal departments, including agreeing what information can be shared, how and when. The IAB will decide the strategic direction of the Force in all information management matters.

5.4.2 The responsibilities of the Head of PSD or delegated individuals will include, but are not limited to:

a) Ensuring:

i) Force processes and systems adhere to the MoPI CoP, Guidance and Threshold Standards and APP;

ii) A Force Information Management Strategy is established and maintained;

iii) Force policies are appropriate to make certain that information is easily accessible and searchable;

iv) The Force meets national requirements for the management of police information;

v) Operating Rules for all Force designated systems are available to all staff;

vi) Reporting lines exist to allow Department Heads to raise issues to Force information managers if necessary;

vii) Reporting lines exist to allow Force information managers to discuss matters at ACPO level;

viii) Systems and processes are sufficient to effectively co-ordinate all staff roles involved with the management of police information;

ix) Appropriate role/function is available to represent the Force at named forums.

b) Overseeing:

i) The management of all the Force's information assets and demonstrate effective linkages between the different functions e.g. IT, data protection etc.

ii) Compliance with the latest HMG Information Assurance Maturity Model and Assessment Framework

5.5 Information Unit Manager

The Information Unit Manager is responsible for the following, some of which may, if necessary, be delegated to the Force Data Protection/Freedom of Information Officer or the Information Assurance Team Leader:-

5.5.1 Information Sharing

i) Quality assuring and authorising Information Sharing Agreements;

ii) Monitoring compliance with relevant legislation;

iii) Liaising with information owners and other stakeholders in the process;

iv) Liaising with Department Heads when necessary to provide guidance and support on information management;

v) Providing advice and training on good practice;

vi) Ensuring that Information Sharing Agreements are published on the Force intranet and maintaining a central repository of existing Force ISAs;

vii) Supporting staff to share information appropriately;

viii) Ensuring that the APP, MoPI Guidance and other relevant ACPO policy and guidance are disseminated and adhered to Force-wide;

ix) Ensuring that the process of sharing information is adhered to by those in both a supervisory and a user capacity;

x) Supporting staff to share information appropriately;

xi) Reporting on a regular basis to the Head of PSD;

xii) Supervising audits, on an ad-hoc basis, of the decision to share made by users, including the necessity, accuracy and adequacy of information shared;

xiii) Ensuring that information being shared does not compromise any police operation or the safety of others;

xiv) Ensuring ISAs are reviewed in accordance with Force policy;

xv) Providing feedback to staff on their performance;

5.5.2 Data Protection

i) managing the Chief Constable's statutory obligations in respect of the DPA including: notification of processing to the Information Commissioner; compliance with the Data Protection Principles and securing individuals' rights under the Act including subject access requests;

ii) maintaining an up-to-date knowledge of, and advising on relevant legislation and general developments in data protection and related matters;

iii) promoting awareness of data protection matters through training, policy development, advice and guidance;

iv) undertaking systematic auditing and monitoring of information and systems in accordance with the APP on Data Protection;

v) ensuring that appropriate security arrangements exist to protect information, including where necessary that suitable contracts are drawn up relating to the processing of police information by third parties;

vi) investigating and resolving complaints made in relation to the handling of personal information (in relation to data protection);

vii) assisting where appropriate in the investigation of disciplinary and criminal matters relating to data protection;

viii) liaising on all data protection matters between the Force and relevant regional or national bodies (including ACPO Data Protection and Freedom of Information Portfolio Group and the Information Commissioner’s Office);

ix) Liaising with Department Heads when necessary to provide guidance and support on data protection matters;

x) Ensuring that the APP Data Protection Standards are disseminated and adhered to Force-wide;

xi) Liaising directly with the Chief Officer;

xii) Liaising regularly with the Force Information Security Officer

5.5.3 Freedom of Information

i) Managing the Force obligations in respect of the Freedom of Information Act 2000 (FOIA) including the Force publication scheme and requests for information under the Act;

ii) Maintaining an up-to-date knowledge of, and advising on relevant legislation and general developments in Freedom of Information and related matters;

iii) Ensuring that the ACPO Freedom of Information Manual is disseminated and adhered to Force-wide;

iv) Promoting awareness of Freedom of Information matters through training, policy development, advice and guidance;

v) Liaising with Department Heads when necessary to provide guidance and support on Freedom of Information matters;

vi) Liaising on all Freedom of Information matters between the Force and relevant regional or national bodies (including the ACPO Data Protection and Freedom of Information Portfolio Group and the Information Commissioner’s Office).

5.6 Information Security Officer

The Information Security Officer’s responsibilities include:-

i) acting as the point of contact for all information security issues;

ii) implementing organisational structures, policies, procedures and risk management programmes with respect to security matters;

iii) providing advice on the correct and secure operation of information processing systems and applications;

iv) ensuring appropriate security measures are in place for procedures and technical measures to prevent unauthorised or accidental access to, amendment of, or loss of police information;

v) quality assuring local information security policy documentation;

vi) demonstrating an approach to implementing security that is consistent with national and local requirements;

vii) marketing the need for information security;

viii) providing advice on security education and training;

ix) co-ordinating all investigative and reporting action that may be undertaken into actual and suspected incidents of security significance;

x) co-ordinating and advising on the implementation of specific security requirements for new and legacy systems and services, and leading on the local systems accreditation process;

xi) establishing and ensuring that third party agencies sharing, accessing, storing or processing information and information assets owned by the Force, comply with the defined threshold standards;

xii) maintaining appropriate contacts with other community members, Government departments and regulatory bodies;

xiii) liaising with Department Heads when necessary to provide guidance and support on information security matters;

xiv) reporting on a regular basis to the Head of PSD; representing member interests at a Regional and National level on information security issues;

xv) ensuring appropriate security measures are afforded to information including personal data, thereby assisting Forces’ compliance with the DPA in order to discharge security responsibilities;

xvi) liaising on all Information Security matters between the Force and relevant regional or national bodies (including the ACPO Information Security Portfolio Group).

5.7 Disclosure and Barring Service Manager (DBS)

a) The DBS manager or deputies to act as a central point of contact with responsibility for ensuring:-

i) all requests for, and disclosure/sharing of information are carried out in accordance with or pay due regard to relevant legislation and guidance including the ACPO/DBS QAF;

ii) all information received is conveyed, handled and kept in a confidential and secure way and, disposed of when no longer required;

iii) Under the DBS service level agreement (SLA) with ACPO and individual police Forces, each Force will provide a Force Delivery Manager (FDM) who will be the single point of contact for DBS matters.

5.8 Systems Owners

i) Each business area will have a designated system owner with whom the ownership of the business systems and processes and the collection and disposal of information lies.

ii) The system owner is responsible for ensuring the information risk management processes within their business area are in line with the SIRO’s directives.

iii) The system owner is responsible for the creation and accuracy of the information within their business area.

The system owners will:-

i) define the service levels needed from any information and records management process;

ii) ensure that the information management processes meet the best practice requirements for their business area and the Force as a whole;

iii) ensure there is the ability to link and cross-reference information across the different business areas including strategic liaison between departments to facilitate coherent development of information provision;

iv) ensure documentation is produced to define its purpose, functionality, access rights and user operating procedures;

v) provide a process for recording decisions to share or not to share information;

vi) set information and individuals access status;

vii) take responsibility for information management and for ensuring that all staff are involved in the practice and implementation of the information management strategy.

This will encompass:-

i) internal communications, profile raising and publicity;

ii) appropriate resources including training;

iii) resilience of continuity and consistency of function and responsibility;

vii) review of procedures and implementation plan for specific actions arising.

In relation to Review, Retention and Disposal (RRD) of information within designated systems, this will be dealt with in accordance with the RRD Policy under the control of the Information Unit Manager.

5.9 Core Operational Functions and Responsibilities

The core functions and responsibilities detailed below will ensure that the APP and MoPI CoP and Guidance are complied with. To assist this process the Information Unit comprises the following areas of information management:-

Audit

DBS Disclosures

DBS Non-Disclosures

Data Protection

Freedom of Information

Information Sharing

Notifiable Occupation Scheme

Review, Retention and Disposal

Staff Vetting

Subject Access

5.9.1 ALL STAFF

a) All staff involved in the management of police information or who have access to personal data have individual responsibilities as detailed below:-

i) to apply the basic principles of effective information management (as contained in the APP and MoPI CoP, Guidance and associated Force policies) including the application of consistent processes and decisions, ‘owning’ decisions and working as part of a team in a system with many interdependent links;

ii) to recognise the value of trust, confidentiality and information security and the dangers of inappropriate sharing of police information;

iii) to recognise the value of sharing and disclosing information and the dangers of failure to share when the circumstances require it;

iv) to be familiar with, and adhere to, Force policy, procedures and processes when managing information;

v) to be aware of the current intelligence requirements and to ensure that information is collected for a policing purpose;

vi) to record information in the appropriate format;

vii) to record information in compliance with the recording and data quality principles;

viii) to disseminate information where appropriate;

ix) to continuously apply standards for data quality, consistent and accurate recording;

x) to apply operating rules relevant to business areas to which they have access;

xi) to apply rules relating to information security including applying protective marking to the information being shared under the GPMS where applicable or a risk assessment where the sharing is carried out with partners in the voluntary or private sectors who do not have a statutory purpose to share information;

xii) will only share in accordance with agreed procedures;

xiii) to ensure compliance with all relevant legislation including the Human Rights Act 1998, Data Protection Act 1998 and the Freedom of Information Act 2000

b) All staff responsible for creating records will:-

i) ensure the persons records are complete;

ii) quality assure the recording of the 5x5x5 and ensure the linking together of information where relevant and to identify opportunities for analysis of series or linked events;

iii) establish and enter the review date for a record at the point of creation;

iv) apply provenance to the information recorded and apply relevant priority assessment if applicable.

c) All staff responsible for reviewing records will:-

i) follow Force policy in relation to the implementation of National Retention Assessment Criteria (see Appendix C) when reviewing records to determine their continued necessity for a policing purpose;

ii) document the review process as described in Force policy, wherever there is no automated mechanism in place; and

iii) ensure that information to be disposed of is not duplicated and therefore retained elsewhere.

6. Audit and Compliance

6.1 The Information Unit Manager will be responsible for ensuring day-to-day operation of internal compliance initiatives to ensure that information management policies, procedures and processes are followed, data quality standards are met and the benefits realised. This will be undertaken by a planned audit programme across computer applications and other information systems to determine compliance with the APP, MoPI CoP, the Data Protection Act 1998 and national and Force audit requirements. The Force Information Auditor will create templates for each new audit programme, ensuring that a corporate approach is adhered to.

6.2 It is important that coordination takes place that includes:-

i) ensuring information management policies and procedures are being communicated to appropriate Force personnel and are being adhered to;

ii) monitoring use of shared/personal storage space;

iii) ensuring that appropriate paper filing takes place;

iv) ensuring that the accuracy of data is regularly assessed;

v) defining and prioritising a continuous audit programme based on high risk areas.

6.3 The Force Information Auditor will have responsibility for ensuring regular information quality assurance audits across business areas. This will include:-

i) establishing a structured and organised audit mechanism, including processes, methodology, timescales, reporting and follow-up;

ii) setting compliance criteria in accordance with accredited standards and in consultation with the Information Unit Manager;

iii) overseeing the audit process.

6.4 Audit and compliance will be based on the information governance concerned with the standards that apply when information is processed, i.e. how information is held, obtained, recorded, used and shared.

Appendix A

BUSINESS BENEFITS

Strategic Benefits Tactical Benefits Operational Benefits

Improved Police Performance

Nationally consistent and effective management of information

Improved auditing of decision-making process

Increased understanding of and compliance with relevant legislation

Reduced civil actions and complaints against Forces as a result of poor information management

Improved data quality

Responsibilities in relation to information management are clear

Less officer/staff time and effort is needed to access information

Less impact of civil action and formal complaints on officer/staff time and wellbeing

Safer Communities

More informed decision making

Improved targeting

Improved processes for joint agency working

Effective management of high risk offenders

Enhanced disclosure processes

Improved protection of children and vulnerable adults

Related information is linked and associations between crime and offenders are more easily made

Better deployment of operational resources

Increased willingness of partner agencies to share information

Less bureaucratic processes for sharing information

Increased Public Confidence

Improved victim/witness satisfaction

Improved community relations

Improved public confidence in the information we hold

Increased reporting of crime

Increased provision of community intelligence

Increased corporate knowledge provides better service to all areas of the community

Appendix B

Regulatory Environment

Police Act 1997 (Act V)

Freedom of Information Act 2000 and the Code of Practice on records management as raised under s46 of the FOIA

Criminal Justice Act 2003

Crime and Disorder Act 1998

Serious & Organised Crime & Police Act 2005

Sexual Offences Act 2004

Limitation Act 1980

Criminal Procedures & Investigations Act 1996

Data Protection Act 1998

Children Act 1989

Children Act 2004

Human Rights Act 1998

Regulation of Investigatory Powers Act 2000

Domestic Violence, Crime and Victims Act 2004

Statutory Code of Practice on the Management of Police Information (2005)

Guidance on the Management of Police Information (2006 & 2010)

Code of Practice on the NIM (2005)

ACPO Community Security Policy

ACPO Data Protection Manual of Guidance Parts 1 & 2: Standards and Audit

ACPO (2005) Investigating Child Abuse and Safeguarding Children

ACPO (2004) Investigating Domestic Violence

ACPO (2004) Recording, Management and Investigation of Missing Persons

MAPPA Guidance (2003)

Manual of Guidance on the NIM (2005)

ACPO Freedom of Information Manual Public Facing v.1

ACPO NIM Briefing Model (2003)

CPS Disclosure Manual

HMG Manual of Protective Security

ACPO Guidance for the investigation of corruption in the police service (2003)

ACPO Cabinet Retention Guidelines (2005)

Home Office Circular 25/2003

Home Office Circular 05/2005

Home Office Circular 06/2006

Computer Misuse Act 1990

Appendix C

Index of Information Management Sub-Policies

The following Force policies with relevant standards, protocols and agreements are not stand-alone or adhered to in isolation, but sit beneath an over-arching Force Information Management Strategy and Standards as statements of intent and procedures for not only achieving and maintaining good management of police information but also for reaping the business benefits that are the outcome of this good practice. The policies listed below are not exhaustive and can and should be added to as the need arises.

1. Information Sharing Policy

2. Data Protection Policy

3. Freedom of Information Policy

4. Information Security Policy

5. Security Vetting Policy

6. Strategic Audit and Inspection Plan

7. Review, Retention and Disposal (RRD) Policy

8. Common Law Police Disclosure Policy

9. Government Protective Marking Scheme Policy