Information Management Policy CCMT Sponsor Director of Information Department/Area Joint Information Management Unit

Transcription

1 Policy Title Information Management Policy CCMT Sponsor Director of Information Department/Area Joint Information Management Unit CONTENTS: (All Force policies should incorporate the following) 1.0 Rationale 2.0 Intention 3.0 General Principles 4.0 Guidance, Procedures & Tactics 5.0 Challenges & Representations 6.0 Communication 6.1 Links to Police National Legal Database/Other 6.2 Implementation Strategy (Policy Impact Assessment) 7.0 Compliance and Certification 7.1 Human Rights Audit 7.2 Equality Impact Assessment 7.3 Management of Police Information (MoPI) 7.4 Data Protection 7.5 Freedom of Information Act 7.6 Protective Markings 7.7 Health & Safety at Work 8.0 Monitoring and Review 1

2 1.0 Rationale 1.1 The collection, exploitation and sharing of information is an essential function of policing. Managing information effectively is crucial for: keeping people safe providing evidence to investigate, prosecute and prevent crime managing the business mitigating risks around the poor use of information such as noncompliance with legislation, harm to the public and loss of reputation working effectively with partners. 1.2 The Information Management policy, and any supporting SOPs and guidance, are required to reflect legal obligations and national policy. These include: the Code of Practice on the Management of Police Information (MoPI) and the Authorised Professional Practice (APP) for Information Management Data Protection Act 1998 Human Rights Act 1998 Freedom of Information Act 2000 Official Secrets Acts 1989 Computer Misuse Act 1990 HMG Security Policy Framework National Policing Community Security Policy. 2.0 Intention 2.1 The Information Management policy, and supporting SOPs and guidance, set out how the two Forces will ensure that information is managed effectively and lawfully throughout its lifecycle. 2.2 The policy is intended to provide officers, staff, contractors, volunteers and other relevant parties with clear and concise guidance that enables them to create, use, retain and dispose of information appropriately, lawfully and with confidence. 2.3 The policy is intended to enable consistent and transferable procedures and information sharing across other police, government and partnership organisations. 2.4 MoPI requires each Force to have a current Information Management Strategy (IMS). This policy covers the key points of an IMS as defined by the APP on Information management and is therefore intended to fulfil that requirement. 2

3 3.0 General Principles 3.1 Scope This policy applies to Hampshire Constabulary and Thames Valley Police, in accordance with the collaboration arrangements for Information Management The policy applies to everyone with access to the Forces information, whether employees, contractors, volunteers, professional partners and employees of other organisations, and whether on police or partner premises, or working remotely The policy applies to all information, whether held digitally or in paper or other physical format. This includes (but is not limited to) text, data, images, and voice and video recordings, and covers both structured material (e.g. Force IT systems and databases) and unstructured material (e.g. documents, s) Records are documents or data that provide evidence of the two Forces actions and decisions and are required for legislative and audit purposes, as well as providing an organisational memory. Generally the same principles contained within this policy should be taken as applying to both information and records. Specific management processes for records will be defined by the Joint Information Management Unit where appropriate The policy applies to both personal 1 and non-personal information The policy covers all information gathered for the effective running of the two organisations. This includes information required for a policing purpose, which is defined by MoPI as necessary for: Protecting life and property Preserving order Preventing the commission of offences Bringing offenders to justice Any duty or responsibility arising from common law or statute law Information held for a policing purpose specifically includes (but is not limited to) the following business areas: Crime data collection and recording Control room and enquiries Crime management Intelligence 1 As defined by the Data Protection Act

4 Public protection Firearms licensing Custody In regard to information held for a policing purpose, the policy applies to all information collected or recorded from April 2006 onwards 2. Older material will be brought into scope wherever it is feasible and cost effective to do so, 3.2 Principles The key information management principles are as follows: 1. Responsibility Information management is everyone s responsibility and they must ensure that information is used appropriately and in accordance with the Code of Ethics. 2. Accessibility and reuse All information obtained or created for organisational or policing purposes belongs to the relevant Force. It must be treated as an organisational asset, and managed and stored in an authorised system and/or location. Wherever feasible, information should be recorded only once and all policing information concerning an individual (also referred to as a nominal ) should be linked so that it is easily retrievable. All information should be in a form which facilitates reuse and interoperability across each Force, and with other Forces where appropriate. Wherever feasible, information should be migrated to newer formats and / or systems when the current ones become obsolete. 3. Quality All information should be accurate, adequate, relevant and timely, and recorded in a manner appropriate for potential future disclosure, and in accordance with national and legal requirements. In regard to information held for a policing purpose, the information should comply with the principles of the National Intelligence Model (NIM), and should be evaluated, graded and recorded accordingly. Where appropriate, the source of the information, the nature of the source, any assessment of the reliability of the source, and any necessary restrictions on the 2 The date the Code of Practice on the Management of Police Information came into effect 4

5 use to be made of the information will be recorded to facilitate later review, reassessment and audit. Data quality audits and data improvement initiatives will be carried out where appropriate. 4. Quantity The quantity of any information, especially personal information, which is captured and retained should be proportionate to the policing purpose or business requirement. 5. Security All information should be managed in accordance with the local Information Security Policy and Business Continuity processes, and in accordance with any relevant national requirements, e.g. the Public Services Network Code of Connection. Appropriate safeguards must be put in place to protect personal, sensitive and/or information classified under the Government Protective Marking Scheme (GPMS) or Government Classification Scheme (GCS). The extent of the safeguards should be in proportion to the degree of risk posed. 6. Disclosure The ethos of MoPI is that information should be reused in order to fulfil a policing purpose and/or to protect the public from harm. However, the two Forces are also required to comply with the law and therefore information may only be accessed, shared or disclosed internally or externally when it is considered appropriate to do so. Particular care should be taken with personal, sensitive and/or information classified under the GPMS / GCS to ensure sharing is lawful and proportionate. Information Sharing Agreements (ISAs) should be put in place where personal data is being regularly disclosed to or received from partners, and Data Processing Agreements (DPAs) drawn up where one party is processing information on another party s behalf. Any ISAs or DPAs should be written in accordance with APP abd the good practice advice and guidance provided by the Joint Information Management Unit. A library of current ISAs will be made available on the Forces intranets and websites. 7. Transparency It is the Forces policy to fully comply with the Freedom of Information Act Information which is not exempt from disclosure will be made available on request, and information of public interest will be proactively published on the Force websites. 5

6 8. Retention All information, particularly personal data, should not be retained longer than necessary. Information obtained for a policing purpose will be reviewed, retained and disposed of on a risk assessment basis, and in accordance with the APP on Information Management, wherever practical. In all other cases, time-based disposals will be applied, in accordance with the National Police Chiefs Council Retention Schedules where applicable. 9. Risk management Information management risks will be considered, and appropriate mitigations implemented, whenever significant changes are made to Force processes or systems. Where personal data is being processed, this will require the completion of a Privacy Impact Assessment. 4.0 Guidance, Procedures & Tactics 4.1 Roles and Responsibilities Overall responsibility for Information Management rests with each Chief Constable as Data Controller for the Force The Senior Information Risk Owner (SIRO) holds responsibility for overseeing all central functions for Information Management and for making strategic decisions in regard to information risks across Hampshire Constabulary and Thames Valley Police, particularly when there is a potential conflict between operational and security requirements Where appropriate, senior business leaders will be appointed as Information Asset Owners (IAOs) to provide governance and oversight for significant information assets. They are responsible for ensuring this information is managed in accordance with this policy and for identifying and mitigating any associated risks. Information Asset Owners will ensure processes exist to control access, so that only those with appropriate training, knowledge and skills can access and use the information. A list of IAOs will be published on each Forces intranet The Information Governance Board (IGB) consists of a number of representative stakeholders across Hampshire Constabulary and Thames Valley Police. The IGB is responsible for monitoring the effectiveness of policy, procedure, training and guidance in regard to Information Management, and identifying strategic information issues. 6

7 4.1.5 The Head of Information Management has responsibility for maintaining the Information Management policy for Hampshire Constabulary and Thames Valley Police, and ensuring the effective operation of the Joint Information Management Unit (JIMU). The Head of Information Management reports to the SIRO The Information Security Manager has responsibility for maintaining the Information Security policy and ensuring that risks to the Forces information are appropriately managed JIMU is jointly funded by Hampshire Constabulary and Thames Valley Police and provides information services and advice in relation to records management, information sharing, information risk management and compliance auditing. It is also responsible for enabling the Forces to comply with the Data Protection and the Freedom of Information Acts Managers and supervisors have responsibility to ensure their staff are aware of, and adhere to, policies and procedures relating to information management and the appropriate use of information systems. They are also responsible for identifying any local risks relating to information and escalating them if appropriate, in accordance with the Risk Management Policy Everyone who accesses and uses Force information is required to complete any training mandated by the IGB, and to familiarise themselves with the requirements of this policy, and relevant procedures and standards. The appropriate level of training, by role. will be determined through agreement with Learning and Development, and the Information Asset Owners and approved by IGB Everyone is responsible for ensuring compliance with this policy, seeking guidance from JIMU when appropriate, and for reporting inappropriate access, use or disclosure of information, in accordance with the Code of Ethics. 4.2 Supporting SOPs and guidance While the intention of this Information Management policy is to provide clear and concise direction, considerably more detail is necessary to provide clear procedural requirements and guidance. Such detail is contained in a set of SOPs and guidance which are regarded as policy in so far as compliance with their instruction is required. 7

8 4.2.2 Further advice and guidance can be obtained from the Joint Information Management Unit: Hampshire Constabulary or telephone: (internal ). Thames Valley Police or telephone: / internal Challenges & Representations Head of Information Management Thames Valley Police HQ Kidlington, Oxon OX5 2NX 6.0 Communication 6.1 Links to Police National Legal Database Other This Policy is underpinned by: Human Rights Act 1998 Data Protection Act 1998 Freedom of Information Act 2000 Code of Practice on the Management of Police Information (MoPI). 6.2 Implementation Strategy This policy, will be available via the intranet and on the public website. It will also be circulated for the attention of staff. 7.0 Compliance and Certification 7.1 Human Rights Certification The Human Rights Audit will be carried out by a trained Human Rights Auditor. (i) Legal Basis List here the relevant Acts of Parliament (including European Parliament and Stated Cases) or Statutory Instruments which make this policy necessary or affect this policy) 8

9 (ii) Human Rights Articles Engaged List here the Articles of the convention this policy has the potential to engage. Audited by: (name) Audited on: (date) (iii) Prohibition of Discrimination Does this policy have the potential to discriminate? If so, how and what are the mitigating factors? 7.2 Equality Impact Assessment This policy has been examined by Thames Valley Police s Single Equality Scheme Coordinator. The conclusion is that an Equality Impact Assessment is not required as the policy s subject matter is administration. 7.3 Management of Police Information (MoPI) Implementation of this policy will enable the Force to meet the requirements of the Code of Practice on the Management of Police Information. 7.4 Data Protection Implementation of this policy will enable the Force to comply with the requirements of the Data Protection Act. 7.5 Freedom of Information Act This policy can be made available under the Freedom of Information Act. 7.6 Protective Markings GPMS: GSC: OFFICIAL 7.7 Health & Safety at Work Health and Safety (Display Screen Equipment)(DSE) Regulations 1992 as amended by the Health and Safety (Miscellaneous Amendments) Regulations 2002 shall be considered in regard to enactment of this policy where information is held on Display Screen Equipment (DSE). 9

10 8.0 Monitoring and Review This policy will be reviewed on a regular basis or in response to significant changes in Force strategy, national policy or legislation. Policy signed off by: For use by the Policy Management Unit Only Chief Officer Policy Authorisation Name of relevant ACC Date 10