Information and Records Management v1. Policy & Standard Operating Procedure

Transcription

1 Metadata Reference No. Unit/ Department Summary Policy Sponsor Policy Owner Information and Records Management Policy & Standard Operating Procedure CR/021/16 Information Management This policy document, together with supporting procedures, sets out the British Transport Police s (BTPs) principles and standards to information and records management Simon Downey, Director for Capability and Resources Helen Edwards, Head of Information Management Policy Author Karen Davies, Force Records Manager, Information Management Department Effective Date June 2016 Review Date June 2017 Protective Marking Force Publication Scheme (external) Online Location Yes information_management_policy/key_information.aspx Revision History Version Date Comments/ Reason for Amendments Amended by /03/16 First drafts Karen Davies Force Records Manager /04/16 Amendments after comments from Karen Davies Glyn Naylor and Jimmy Wright /04/16 Minor amendments to layout Alec Cartledge Records Management Officer /05/16 Amendments after comments from Policy Team Karen Davies /07/16 Amendments after feedback Karen Davies Approval History Version Name and Job Title Date of Approval e-signature 1 Head of Capability & Resources 08/08/2016 Simon Downey

2 Contents Policy Page Purpose p.1 Scope p.1 Key Information p.1 Monitoring and Review p.2 Who to contact about the Policy p.3 Standard Operating Procedure 1. Policy Framework p Creation, Collection and Recording p Collection Methods p Recording p Recording Unstructured Information p Recording Police Information p Data Quality Principles p Records Appraisal What constitutes a record? p Protective Marking/ Information Classification p MoPI Categories p Evaluation p Information Asset Registers (IAR) p Storage and Protection Principles p Sharing Principles p Scanning Principles p Records Retention and Archiving Principles p Records Review and Disposal Principles p.9 2. Regulatory Framework p Legal Requirements p Data Protection Act 1998 (DPA) p Regulation of Investigatory Powers Act 2000 (RIPA) p Freedom of Information Act 2000 (FOIA) p Public Records Act 1958 (PRA) p Protection of Freedoms Act 2012 (POFA) p Environmental Information Regulations 2000 (EIR) p Re-Use of Public Sector Information Regulations 2005 p Criminal Procedure and Investigations Act p.12

3 Criminal Justice Act (2003) p Serious Crime Act (2007) p Other Regulatory Guidance p Authorised Professional Practice (APP) Information p.13 Management Guidance National Crime Recording Standard p National Policing Policies p Home Office Counting Rules p National Standards of Incident Recording (NSIR) p National Intelligence Model (NIM) p Related Corporate Policies p Governance Arrangements p Team Roles and Responsibilities p Information Management Unit p Individual Roles and Responsibilities p External Roles p Decision Making Bodies p Information Governance Board (IGB) p The Information Management in Police Service (IMPS) p Integrity and Compliance Board (ICB) p Service Excellence Board (SEB) p Service Improvement Board (SIB) p Force Executive Board (FEB) p.17 Annex Annex 1: Criteria on Record Appraisal p.18 A.1. Information Criteria that Constitutes a Record p.18 A.2. Non Record Criteria p.19 Additional Information Policy Forms/ Documents p.20 Associated Policies/ Documents p.20 Acronyms/ Abbreviations p.21 Glossary p.23 Frequently Asked Questions (FAQs) p.27

4 Policy Purpose This policy document, together with supporting procedures, sets out the British Transport Police (BTP) principles and standards for information and records management. This policy sets out an overarching framework underpinning how BTP will manage its information assets through their lifecycle involving the collection, recording, evaluating, sharing, storing, handling and disposing of records to fulfil its civil duties. Scope Content All Record Formats: This policy covers all data, information, records and documents created, collated and managed by BTP, irrespective of the category or class attributed to these various types. This excludes Evidence and Property. All record repositories: held within or outside of BTP premises and as listed in the Information Asset Register (IAR) and/or Technology Information Register (TIR). Intended Audience Compliance is mandatory by all staff: BTP Police Officers, Police Staff, Police Community Support Officers (PCSOs), Special Constables and Community Volunteers as well as personnel/contractors working on behalf of BTP across England Scotland and Wales. Key Information This policy is in place to ensure BTP 1. Makes efficient use of physical and electronic storage space. 2. Has a common approach to managing information across the force 3. Is being efficient in the way it shares knowledge and insights gained across all departments 4. Does not contravene the law when handling and processing information for a policing purpose 5. Is in keeping with its corporate strategies. 6. Has a central oversight of all its information assets, with the right controls and assurance reviews established. Page 1 of 27

5 7. Documents and maintains records in a manner that supports their evidential weight and integrity, and to ensure that this is not compromised over time. 8. Improves its performance 9. Improves its auditing of the decision making processes 10. Has an increased understanding of the compliance and regulatory context 11. Clarifies and makes transparent all of BTPs responsibilities in relation to information management 12. Requires less officer time and effort to access information. 13. Lessens the impact of civil action and formal complaints on officer time and wellbeing 14. Decreases the risk of lost, damaged or missed opportunities to link data or wrong use of information 15. Has effective and lawful use of information 16. Utilises effective sharing of information with partner agencies 17. Eradicates unnecessary duplication 18. Has a risk management processes to underpin evaluation, classification and storage principles 19. Ensures that all police information is held in accordance with the law 20. Corroborates other related information Monitoring and Review This policy document is an update and supersedes the Records Management policy CR October 2013 version 1.0. Furthermore this policy replaces the (Interim) Document Scanning policy CR and the Record Retention Schedule Management policy CR This policy document will be reviewed on an annual basis to ensure alignment with the Force strategic objectives and new guidance or legislation, as well as any updates in relation to BTP s IM Strategy. For example, this policy currently sets out the principles based on the current circumstances. Some principles will need to be adapted if/when the Force migrates its unstructured records onto a formal Electronic Document and Records Management System (EDRMS). Page 2 of 27

6 Who to Contact about this Policy This Policy is owned by Karen Davies, Force Records Manager, Information Management Department. Any enquires about this Policy should be directed to Records Management Team. End of policy Page 3 of 27

7 Standard Operating Procedure 1. Policy Framework This section outlines BTPs policies for managing information and records across the Force. It addresses management principles for the following aspects of the information management lifecycle: 1.1. Creation, Collection & Recording BTP s creation, collection and recording of information must be in line with a relevant policing purpose. policing purposes are defined as protecting life and property preserving order preventing the commission of offences bringing offenders to justice any duty or responsibility arising from common or statute law. Information collected for one policing purpose may add value to another policing purpose. All police information should, therefore, be treated as a corporate resource. Collection, accurate assessment, classification and timely analysis of information must adhere to the College of Policing s Authorised Professional Practice (APP) guidance for Collection and Recording Collection Methods The way in which police information is collected may lead to specific requirements for its recording and use, for example, information covered by the Regulation of Investigatory Powers Act Collection methods may include: - Routine collection: collected as part of routine operational policing activity. Much of the information will be relevant only for the specific policing purpose for which it was collected, but some may prove to be relevant to an entirely different policing purpose. Information is generated from all policing activities, for example: responding to incidents, arrests, targeted patrol, stop and account, stop and search. - Tasked information: information concerned with problems and subjects (suspect or victim) identified by intelligence requirements. It can be accessed from many sources including external databases (PNC), CCTV, covert human intelligence sources (CHIS) and automatic number plate recognition systems (ANPR). Page 4 of 27

8 - Volunteered information. Usually collected from the general public or community contacts. It refers to any information received which has not been obtained by routine or tasked collection. It will tend to come from anonymous information through hotlines, public contact through command and control or crime systems or via voluntary organisations. The information may not necessarily relate to a specific task or intelligence requirement but can be regarded as such. BTP shall collect, record and evaluate information in a consistent manner across organisational and force divisions. It shall ensure, through the central publication of its Information Asset Register (IAR) that irrespective of origin, it is understood where information is held to support policing purposes across the country Recording The Information Asset Register defines the database repositories where different categories of information are recorded Recording Unstructured Information Unstructured information is information which does not have a pre-defined system in which to be record within. The majority of BTP s unstructured information is captured on the G Drive and must follow BTP s G: and H: Drive Policy and Procedure. Further information can be obtained from the Records Management Team Recording Police Information Staff should also note the existence of specific departmental guides on how different types of information are recorded, for example when compliance with National Crime Recording Standards and the Home Office Counting Rules are required. These policies and procedures are owned and managed by the relevant department. Each department must publish on the intranet all of its relevant information management policies and principles, and show how each relates to BTPs higher level policies. A record must have been created for a business or policing purpose. A record is information that documents or is used to support business activity, transactions, changes, decisions, outcomes, negotiations, approvals, authorisations or actions. The following key principles apply to recording police information. - all records must comply with the data quality principles - a record of police information is the start of an audit trail and must identify who completed the record, when it was completed and for what purpose - before recording information, checks should be made in other business areas to see whether the information is already held, thereby avoiding unnecessary duplication Page 5 of 27

9 - if information is recorded on an individual who is the subject of an existing record, the record should reflect this - if it becomes apparent that the information being recorded is connected to other information, it must be appropriately linked - police information must be recorded as soon as is practicable in accordance with the standards relating to the business area in which the information is held - consideration should be given to applying the appropriate government protective marking - where appropriate, the source of the information should be recorded to ensure accuracy and to assist in requesting further information Data Quality Principles All police information must conform to data quality principles. It must be: Accurate care must be taken when recording information and, where appropriate, the source of the information must also be recorded. If there is any doubt over the authenticity of the information, clarification must be sought from the source. Inaccurate information must be corrected as soon as possible. In ensuring accuracy, it is important not to delete historic information that may be significant (such as details of previous addresses). Adequate recorded information must be sufficient for the policing purpose for which it is processed. The nature of the event determines the information that is relevant. All recorded information must be easily understood by others. Relevant information recorded must be relevant to the policing purpose. Opinions need to be clearly distinguished from fact. Timely information must be promptly recorded into the relevant business area in accordance with agreed timescales Records Appraisal What constitutes a record? As a general rule a record is any artefact, data, document or information in any media that demonstrates or provides evidence of BTPs business duties or data relating to its policing activities. - To determine whether generated information falls within this category, evaluate the information against the criteria set out in Annex 1. - Records to be retained must be appraised against the Records Retention Schedule and managed in accordance with that schedule. - It is the responsibility of the creator of the record to determine whether information needs to be retained and managed in accordance with this Policy, the Physical Records Management Policy Page 6 of 27

10 and supporting guidance. When unsure, the creator must contact the Force Records Manager for guidance Protective Marking / Information Classification All information management procedures must comply with BTP s Information Classification Policy and as such all documents and record repositories must be appropriately classified. Contact the Information Security Team for further advice if required MoPI Categories MoPI Group 1 certain public protection matters: retain until the subject reaches 100 years of age but reviewed every 10 years MoPI Group 2 other serious offences: retain for 10 years then review MoPI Group 3 all other offences: retain for 6 years Evaluation All police information should be evaluated to determine Provenance Accuracy Continuing relevance to a policing purpose What action, if any should be taken. Evaluation procedures must following the principles set out by Authorised Professional Practice (APP) on Evaluation Information Asset Registers (IAR) The creation of an IAR is a requirement of the Government Information Security Framework, and BTP is required to keep an IAR which lists our information assets. In accordance with this obligation BTP will :- Publish a list of applications that hold both personal and non-personal data Ensure IAOs are responsible for reviewing their information assets on an annual basis. The IAR is intended to capture the key record repositories and the framework for how they are managed. Page 7 of 27

11 1.2. Storage and Protection Principles The following principles apply to the management of both electronic databases or shared drive repositories and for filling and storage cabinets. - Unstructured records must be organised and filed in accordance with the standards documented in the guidance available under the Records Management guidance document section of the intranet and the G: and H: Drive Policy. - Physical records must be managed in accordance with the Physical Records Management Policy. - Must respect the security classification. The database / storage cabinet will be classified in accordance with highest level of its content. Access controls must respect their classification and managed in accordance with the access control policies. Please refer to the Must respect the security classification. The database / storage cabinet will be classified in accordance with highest level of its content. Access controls must respect their classification and managed in accordance with the access control policies. Please see the Physical security Measures Policy and Handling, Protecting and Disposing of Police Information Assets Policy for further information Sharing Principles Please refer to the Information Sharing Policy and Procedure or contact the Information Sharing Team for further details. 1.4 Scanning Principles Before attempting to scan large volumes of paper records in order to convert them into electronic records, please contact the Records Management Team who will be able to provide further advice. You must not convert records and dispose of originals without approval from the Force Records Manager Records Retention & Archiving Principles All record series and records repositories will be assigned a retention period in accordance with legal requirements and statutory obligations. BTP has published an overarching BTP Records Retention Schedule which is based upon the guidelines stated within the ACPO Records Retention Schedule. - The records retention schedule (RRS) held centrally by the IMU is a complete listing of all information categories and their retention periods. - This is managed centrally by the Records Management Team, but updates must be given on a yearly basis by all IAOs - Records are only retained for as long as is necessary for business, legal, historical and regulatory purposes Page 8 of 27

12 - The RRS shall outline: the required period of time [retention period] to keep records. Identify the responsible IAO for that record type who will also authorise the disposal schedule, and any disposals. Clearly outline any sentencing / disposal decisions. State a clear retention trigger date; i.e. the date from which retention period starts. This could be creation date, file closure date or other specific triggers such as contract completion dates. State where the location of the original record is held. Identify the format in which the record is required. Specify the formats in which records must be kept. The format of retained records should be determined by considering: - Physical records principles and whether they are better retained as physical or electronic formats - The Re-use of Public Sector Information Regulations 2005 as well as on-going uses for subsequent phases or work or on-going investigations - Whether records in raw format, datasets/databases or specialist native formats (such as CAD, GIS, spread sheets, databases) have been used to derive related information and records; it may be important and necessary to go back to determine how output records (such as reports) were derived. If records must be fixed and never to be altered, a flat-file PDF will be acceptable; Otherwise PDF formats, especially those deemed to be of historical value with on-going uses, may need to be a full-text searchable. Please be mindful of this when scanning documents to PDF. Any queries can be directed to the Records Management Team. The Physical Records Management Policy describes the process for managing physical records and archiving Records Review and Disposal Principles Disposal can be defined as: - Destruction after the required period of retention - Transfer to The National Archives (or other places of deposit) if the records are selected for permanent preservation Page 9 of 27

13 - Or Presented. This involves transfer of ownership of the records to the receiving body (may be successor or legacy agencies) as outlined by section 3(6) of the Public Records Act 1958 and is undertaken by The National Archives in consultation with the authority When executing disposal actions, the disposal management procedures below must be followed - On at least an annual basis records for disposal must be identified. Please see the record retention schedules for further details on retention dates. - Records identified must then be reviewed before disposal to ensure there is no longer a purpose for their retention. - All disposals undertaken must be accurately and appropriately documented / registered into the Records Disposal Schedule. A template can be found on the Records Management intranet site. The register must as a minimum record: The Retention Schedule reference and / or details of the record type Reason for disposal Method of disposal Detail that the CycMOPA system, or file tracking spread sheet, have been updated Date of action Transfer and migration details [if any] Approval authority - Where official records are earmarked for destruction, disposal must be carried out by a force approved disposal contractor in accordance with Handling, Protecting and Disposing of Police Assets Policy. If the classification is higher than CONFIDENTIAL or SENSITIVE please contact the Information Security Team for further information as special arrangements have to be made. - If destruction is contracted-out to a specialist company their use must be authorised by Information Security Unit. A certificate of destruction will be required; this must be logged to the Record Disposal Schedule register entry. All records related to disposal authorisations must be kept permanently, meaning they must be kept in a format that cannot be changed e.g. PDF. - Destruction methods must be irreversible and secure as per government policy. - Disposal must be authorised by a member of the senior management team in which the team / department / station report into. - The Information Management Unit Audit Team will conduct audits to ensure that records are not retained longer than they should be and will request to see the Record Disposal Schedule. Page 10 of 27

14 2. Regulatory Framework 2.1 Legal Requirements Data Protection Act 1998 (DPA) Having established the policing purpose for the collected data, the data must be further evaluated for compliance against the Data Protection Act 1998 (DPA) and must be managed in accordance with the 8 enforceable data protection principles as follows: 1. Being fairly and lawfully processed; 2. Being processed for specified and lawful purposes and not in any manner incompatible with those purposes 3. Adequate, relevant and not excessive; 4. Accurate and where necessary, up to date; 5. Not being kept for longer than is necessary; 6. Being processed in accordance with individual rights; 7. Secure; 8. Not being transferred to countries outside the EU without adequate protection The Data Protection Act works in two ways, by giving individuals certain rights and by requiring those who record and use personal information to be open about the information they hold on an individual. The Data Protection Act regulates how personal information is used and protects individuals from misuse of personal details. It provides a common-sense set of rules which prohibit the misuse of personal information without stopping it being used for legitimate or beneficial purposes. In discharging responsibilities under the DPA there must be regard to the principle of proportionality; in short the more sensitive the information, the higher the threshold for processing. For further guidance, please contact the Information Governance Unit Regulation of Investigatory Powers Act 2000 (RIPA) Information collated pursuant to the Regulation of Investigatory Powers Act 2000 (RIPA) must be carefully evaluated. There is a distinction between information that is volunteered (such as a crime report) and that which is gathered covertly, e.g, a Covert Human Intelligence Source (CHIS) or surveillance product. In some circumstances, the way in which police information is collected may lead to specific requirements as to its recording and use Freedom of Information Act 2000 (FOIA) Freedom of Information Act 2000 gives a general right of access to all types of recorded information held by public authorities, sets out exemptions from that right and places a number of obligations on public authorities. Any person who makes a request to a public authority for information must be informed Page 11 of 27

15 whether the public authority holds that information and, subject to exemptions, supplied with that information. Individuals already have the right of access to information about themselves under the Data Protection Act. As far as public authorities are concerned, the Freedom of Information Act extends this right to allow public access to all other types of information held. Public authorities are required to adopt and maintain a publication scheme setting out the classes of information it holds, the manner in which it intends to publish the information, and whether a charge will be made for the information. The purpose of a publication scheme is to ensure a significant amount of information is available without the need for a specific request. Schemes are intended to encourage organisations to publish more information pro-actively and to develop a greater culture of openness. BTP s publication scheme can be found on the BTP Internet Site Public Records Act 1958 (PRA) The PRA is an act to make provision with respect to public records and the Public Record Office. Records that fall under the remit of a public record are deposited with the National Archives who are the custodians who store and retain the records. BTP does not currently fall within the remit of the PRA however, in some cases it shall refer to the act and guidance on retention when making decisions about the management of its wider records. Particularly, the Lord Chancellor (2002) Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000 is noted as a guide for compliance Protection of Freedoms Act 2012 (POFA) An Act to provide for the destruction, retention, use and other regulation of certain evidential material; to impose consent and other requirements in relation to certain processing of biometric information, provides a code of practice about surveillance records as well as sets out the provision for the release and publication of datasets held by public authorities via the establishment of Disclosure and Barring Service in England, and the equivalent agencies of Disclosure Scotland in Scotland and Access Northern Ireland in Northern Ireland. In some cases provision supersedes those made by the Police and Criminal Evidence Act 1984, the Crime and Security Act 2010 and the Regulation of Investigatory Powers Act The Disclosure Unit within the Information Management Team address the relevant disclosure requirements of the Act, in accordance with the Disclosure and Barring Service Environmental Information Regulations 2000 (EIR) The Environmental Information Regulations (EIR) give the general public certain rights of access to environmental information. The definition of environmental information in the EIRs is very wide and includes information that might not be considered environmental at first glance Re-use of Public Sector Information Regulations 2005 The Public Sector Information Regulations (2005) encourage the reuse of Government body information by putting in place the appropriate end-user licensing arrangements. BTPs Information Sharing Policy shall address the mechanisms for sharing. Page 12 of 27

16 2.1.9 Criminal Procedure and Investigations Act 1996 The Criminal Procedure and Investigations Act (1996) CPIA) in some cases conflicts with the MoPI guidance on retention and must be consulted when making sentencing decisions for crime and intelligence products Criminal Justice Act (2003) The Criminal Justice Act (CJA) defines all the offences that are subject to MoPI Review Groups Serious Crime Act (2007) The Serious Crime Act (2007) covers the disclosure and use of information by the National Crime Agency (NCA) Other Regulatory Guidance Authorised Professional Practice (APP) Information Management Guidance Police forces need to comply with the statutory Code of Practice on the Management of Police Information, published in July 2005 by the Home Secretary under the Police Act National Crime Recording Standard The National Crime Recording Standards (NCRS) promotes consistency between police forces in how to record crime and in providing a victim-orientated approach to crime recording. An incident report must be registered irrespective of whether it is from victims, witnesses or third parties, and whether crime related or not. An incident is recorded as a crime (notifiable offence) if, on the balance of probability, the circumstances reported amount to a crime defined by law, and there is no credible evidence to the contrary. Once recorded, a crime remains so unless there is additional verifiable information to disprove it National Policing Policies The Community Security Policy (CSP) and the National Policing Accreditation Policy are two policies that provide a national framework for how national policing systems (such as PNC) are managed and assured. BTPs access to these systems must adhere to these policies. The External Database Access Register lists all the external national and regional databases accessible to BTP to fulfil its policing duties. The CSP requires a Senior Information Risk Owner (SIRO) and Force Information Security Officer (FISO) to provide the National Police Information Risk Management Team (NPIRMT) with quarterly statistical information on slow time security incidents, and to report fast-time incidents where they affect other members of the policing community Home Office Counting Rules A number of documents exist which define the Home Office Counting Rules. These must be adhered to by functions that deal with these types of records. Page 13 of 27

17 2.2.5 National Standards of Incident Recording (NSIR) The National Standards for Incident Recording (2011) (NSIR) outline a number of minimum data standards to be complied with when recording information on an incident record. They include: Time and date the report was received Method of reporting Time and date the report was recorded An incident unique reference number (URN) Details of the person making the report (name, address and telephone number) Sufficient information to describe the location and nature of the report Opening and closing category Time and date of initial and closing classification National Intelligence Model (NIM) The National Intelligence Model (NIM) Code of Practice sets out to Chief Officers of police the basic principles and minimum standards for the National Intelligence Model. It relates to intelligence and information used and outputted to direct police activity through planned and systematic business processes that result in Intelligence Products (Strategic Assessments, Tactical Assessments, Subject Profile, Problem Profile) Related Corporate Policies This policy should be seen as part of a suite of documents which outline BTPs approach to robust information management. Please refer to the Information Management section of the Policy Portal located on the BTP One intranet site. 3. Governance Arrangements This section details the roles and responsibilities in relation to the management of all records, irrespective of type. This section covers key Team Roles, Individual Roles, External Roles and the role of key governing decision making bodies Team Roles and Responsibilities This section outlines the teams responsible for managing significant repositories of data. Whilst it is everyone s responsibility to manage data and records, these teams have a particular role with regard to coordination, standards setting and advocacy. For fuller details on their responsibilities, please refer to the individual team manager Information Management Unit The Information Management Unit is a corporate-wide support and advisory team within Corporate Resources who lead on strategic information management across the Force. In summary, their role incorporates: Page 14 of 27

18 Develop, own, manage and update all information management policies and procedures Answer and respond to IM queries both internal and external Provide an advisory and training service to all departments within BTP on all matters related to information management, information security/assurance, information requests, information sharing, CycMOPA and records management Give advice and assistance on any records management retention and disposal matters Responses to requests for information and disclosure Gauge compliance with IMU policy across the business. The key individual roles within this team are outlined in the Information Management Policy Individual Roles and Responsibilities Details of the following individual roles and responsibilities can be found in the Information Management Policy. - Senior Information Risk Owner (SIRO) - Data Controller Chief Constable / Chief Officer - Head of Information Management - Force Information Security Manager (FISM) - Force Records Manager (FRM) - Physical Archiving Applications Administrator (PAAA) - Disclosure Unit Supervisor - Information Governance Manager DP and FOI - Information Sharing Manager - System Administrators / Database Administrators - Information Asset Owner - IM Programme Manager - Information Management Champions - Force Crime Registrar - All Staff - Line Managers Page 15 of 27

19 3.3. External Roles Details of the following external roles and responsibilities can be found in the Information Management Policy. - Information Commissioner - HM Inspectorate of Constabulary (HMIC) - National Police Information Risk Management Team (NPIRMT) - National Senior Information Risk Owner (NSIRO) - British Transport Police Authority (BTPA) - National Police Chief s Council (NPCC) - College of Policing (COP) 3.4. Decision Making Bodies The following named boards make up the main bodies that steer and guide IM decisions Information Governance Board (IGB) The IGB is responsible for: Overseeing the governance of information and will meet regularly to ensure that compliance with the policies and procedures that apply to Information Management are adhered to Approving the records management policy, information security policy, IM strategy and any related procedures and action plans and the records retention schedule updates resulting from implementing these strategic documents Providing clear direction on IM strategy and support of IM across the force Promoting integrated IM across all work streams Driving and overseeing any change management processes and IM projects necessary to address any gaps and risks Overseeing progress on projects, assurance processes and management information metrics Acting as the Governing Board for the Information Assurance Maturity Model Acting as the Governing Board for Public Service Network (PSN) compliance Page 16 of 27

20 The Information Management in the Police Service (IMPS) The Information Management in the Police Service is a national group of information and records professionals from the police services who meet quarterly to discuss a wide range of topics. The IMPS has also been responsible for creating the Police National Retention Schedule Integrity and Compliance Board (ICB) The Integrity and Compliance Board is a meeting established to oversee HMIC inspections, internal and external audit, integrity and compliance issues such as hospitality. ICB exists to advise the Deputy Chief Constable who is ultimately accountable for the Professional Standards Department and the Audit and Compliance Unit in the Strategic Development Department Service Excellence Board (SEB) The Service Excellence Board has oversight of the performance of all areas of BTP's business, whether policing or operational. Area Commanders and Department Heads are held to account over the performance of their functions and exist to advise the Deputy Chief Constable, who is responsible for the performance of the Force Service Improvement Board (SIB) The Service Improvement Board has oversight of all business change being carried out and all major areas of Revenue and Capital spend, and will also meet quarterly as the Capital Review Board. SIB exists to advise the Deputy Chief Constable who is responsible for business change Force Executive Board (FEB) Force Executive Board sets the strategic direction for the Force and oversees implementation of the Strategic Plan. FEB has a clear line of sight into all areas of the business and receives exception reports from each Board below it, summarising progress and raising issues by exception. Page 17 of 27

21 Annex 1: Criteria on Record Appraisal A.1. Information criteria that constitute a record - executed business activities - business/corporate operations (such as governance, accountabilities, requirements, policy and planning) - transactions (communications, dealings) - approved changes - decisions and outcomes - negotiations - approvals and authorisations - past actions - evidence to substantiate the outputs claimed - functions and business activities (as captured by the BCS) - communicated advice or instructions - evidence of what has occurred in the event of further development or discussion or precedents for future action - issued drafts - drafts that document significant information that is not contained in the final form of the record and where the change is not captured or minuted elsewhere in formal change procedures or reports - working datasets that constitute the original data from which reports and other fixed records are derived from that may be needed to explain, and if necessary justify, past actions or communicated information in the event of an audit, public inquiry or other investigation - original artefacts and hardcopy documents of legal contracts and agreements or documents where significant annotations have been made - signed originals (Please note: a Microsoft Word document - unsigned is not the record and is only kept to support any future edits or revisions) - Care must be taken to ensure that related transactions are also kept. Files (for paper) or folders must contain a complete and accurate record of all internal and external documentation that relate to the subject matter so that the stages and the reasoning of the transactions are apparent. Page 18 of 27

22 A.2. Non Record Criteria BTP does not consider information with the following characteristics as formal records that must be preserved in accordance with this Policy. These can be routinely weeded/cleaned and disposed of in accordance with Normal Administrative Procedures: - Data, documents and information that are created but never executed, used or communicated, that is, drafts that never come into fruition or draft/working documents/materials which do not demonstrate significant steps in the development of a final version. - Ephemeral or transitory information such as messages, post-it notes that are only needed for short period of time to support local tasks and have no continuing value to the organisation. - Personal records that do not relate to the business of BTP If in doubt, the creator must contact the Force Records Manager for guidance before destroying the files. The deliberate destruction of records for malicious or otherwise intent will be treated as a disciplinary offence. Page 19 of 27

23 Additional Information Policy Forms / Documents Record Retention Schedules Record Disposal Schedule template Associated Policies / Documents Information Management intranet pages Information Management Policy Handling, protecting and disposing of police information assets Policy Information Sharing Policy Information Classification Policy Physical Records Management Policy Page 20 of 27

24 Acronyms / Abbreviations ACC Assistant Chief Constable ACPO Association of Chief Police Officers. Now superseded by NPCC APP Authorised Professional Practice BCS Business Classification Scheme BS British Standard BTP British Transport Police BTPA British Transport Police Authority CCTV Close Circuit Television CHIS Covert Human Intelligence Sources CJA Criminal Justice Act COG Chief Officer Group COP College of Policing CPIA Criminal Procedure and Investigations Act CSP (National Policing) Community Security Policy DBA Database Administrator DCC Deputy Chief Constable DIMC Divisional Information Management Champion DPA Data Protection Act DVD Digital Video Disks ECHR European Convention on Human Rights EIR Environmental Regulations Act FCR Force Crime Registrar FCR Force Crime Registrar FIMC Functional Information Management Champion FISM Force Information Security Manager FOI Freedom of Information Act FRM Force Records Manager GIS Geographical Information Systems HMIC Her Majesty's Inspectorate of Constabulary for England and Wales HOCR Home Office Counting Rules HRA Human Rights Act 1998 IAO Information Asset Owner IAR Information Asset Register ICB The Integrity and Compliance Board IGB Information Governance Board IM Information Management IMC Information Management Champion IMPB Information Management Programme Board IMPS Information Management in the Police Service IMS Information Management Strategy IMU Information Management Unit InfoSec Information Security IPB Information Portfolio Board Page 21 of 27

25 ISO Information Security Officer IT Information Technology ITPB Information Technology Programme Board MoPI Management of Police Information MOU Memorandum of Understanding NAP Normal Administrative Procedures NAS National Archives of Scotland NCA National Crime Agency NCRS National Crime Recording Standard NDA Non-Disclosure Agreement NPCC National Police Chiefs Council NPIRMT National Police Information Risk Management Team NSIR National Standards for Incident Recording NSIRO National Senior Information Risk Owner PNC Police National Computer PRA Public Records Act 1958 PRM Physical Records Management RIPA Regulation of Investigatory Powers Act 2000 RMADs Risk Management and Accreditation Document Set RRS Records Retention Schedule SEB Services Excellence Board SIB Service Improvement Board SIRO Senior Information Risk Owner SPF Security Policy Framework TAR Technology Asset Register TIR Technology Information register TNA The National Archives for England and Wales TOR Terms of Reference URN Unique Reference Number Page 22 of 27

26 Glossary Term Appraisal Artefacts Authentic Records Authoritative Records Business Classification Scheme Data Declare (or Register) Destruction Disposal Disposal Schedule Document Electronic Document and Records Management System -EDRMS File Explanation Appraisal is the process of evaluating business activities to determine which records need to be captured and how long the records need to be kept, to meet business needs, the requirements of organisational accountability and community expectations. Archaeological relics, samples or awards. Records that can be proven to be what they purport to be. They are also records that are considered by the creators to be the official record of their work and activities. Records that are authentic, reliable, trustworthy and useable and are complete and unaltered. BCS. A tool designed to formally organise or group an organisation s information assets (information, data, documents etc.) to facilitate their retrieval and management. A collection of individual pieces of information which are collated then evaluated / analysed in order for conclusions to be drawn. The deliberate action that results in the registration of a record into a recordkeeping system. For certain business activities, this action may be designed into electronic systems so that the capture of records is concurrent with the creation of records. Process of eliminating or deleting records beyond possible recognition. The action of either destroying, deleting, migrating (that is, the movement of records from one system to another (for example paper to electronic)) or the transfer of custody or ownership of the record into archival custody. Must follow the processes associated with BS ISO Part 1: 4.9. A register that documents which records are destroyed within BTP s lifetime. Describes recorded information or objects that can be treated as a unit. (BS ISO 15489, Part 1, 3.10). A formal core record keeping system. It is used to manage the creation, use, maintenance and disposal of electronically created records in a secure and reliable manner. An accumulation of paper records maintained in a predetermined physical arrangement. Used primarily in reference to current records. Or an electronic document/object. Page 23 of 27

27 File Plan Government Security Classifications (GSC) Information Information Register - IAR. Information Classification Information Management Information Management Unit Asset A pre-determined classification plan by which records are filed and/or electronically indexed to facilitate efficient retrieval and disposal of records. This replaces the Government Protective Marking System. It allows for (including SENSITIVE), SECRET and TOP SECRET information asset classifications. Typically involves collections of data and qualitative or quantitative conclusions/or derived reports on a particular topic that leads to an increase in understanding of that topic. A register of unpublished information,i.e. information or collections of information, held electronically or in hard copy, which have (usually) not been published or made publicly available. The creation of an Information Asset Register is one of a series of initiatives designed to facilitate greater openness documented in the White Paper, The Future Management of Crown Copyright (Cm 4300), which proposed a number of initiatives aimed at "improving and encouraging access to the broad range of public sector information". These are the allowed classifications for information, previously governed by the Government Protective Marking System. It allows for (including SENSITIVE), SECRET and TOP SECRET information asset classifications. This new systems is referred to as the Government Security Classifications (GSC). Is a process of creating authentic and authoritative information through practices that ensure version control, access rights, reuse and eventual archiving. The department who support and advise on strategic Information Management across the force. Metadata Data elements that are recorded to describe other data. Data that describes the content, context and structure around information. The metadata recorded about a record could include its title, reference number, its current location, history of its use, when it is to be or was disposed of, its security classification, etc. Migration Normal Administrative Procedures - NAP. Paper Records and hardcopy Physical Records The act of moving records from one system to another, while maintaining the records authenticity, integrity, reliability and usability. Day to day deletion or desk tidying of documents no longer required, or which are not records. A subset of physical records in the form of files, volumes, folders, bundles, maps, plans, charts, etc. Can include, but not limited to: paper/hard copy documents, official publications, maps, media, models, artefacts such as archaeological relics, samples or awards. Page 24 of 27

28 Police Information Protective marking Public Record Record Recordkeeping Records Management Register Retention Period Retention Schedule Information for a policing purpose that should be managed lawfully in accordance with statutory guidance and the law. The Code of Practice defines policing purposes as: (a) protecting life and property; (b) preserving order; (c) preventing the commission of offences; (d) bringing offenders to justice; (e) any duty or responsibility arising from common or statute law The process of determining security restrictions on records. Also referred to as the records Security Classification in accordance with the Government Security Classification System which is the national standard for classifying a document, file or other information according to its value and the impact if it is wrongly disclosed. It allows government organisations and agencies share information - paper or electronic - with confidence. A record (as defined in paragraph 2 of the First Schedule to the Public Records Act 1958) that is created or received by a governmental body in pursuance of its activities, regardless of form or medium. Unpublished records. A record is information that documents or is used to support business activity, transactions, changes, decisions, outcomes, negotiations, approvals, authorisations or actions. A record can be in any format or stored on any medium. ISO definition: information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of Business Making and maintaining complete, accurate and reliable evidence of official business in the form of recorded information. A sub function of information management. Records management activities focus on the classification of information with the purpose of deciding retention and disposal, in accordance with legal obligations. For effective records management to be possible, Information management processes must ensure the proper creation, maintenance, use and disposal of records throughout their whole life cycle to achieve efficient, transparent and accountable governance. A list of records, usually in simple sequence such as date and reference number, serving as a finding aid to the records. The length of time that records should be retained (or continuously stored and maintained), either by the creator or holding organisation until their disposal, according to their administrative, legal, financial and historical evaluation. A list or register of BTP s records with an assigned and approved retention period and recommended disposal date. This will ultimately form the basis of BTP s register of information assets (it s IAR). Page 25 of 27