Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
Dyfed-Powys Police complies with the His Majesty’s Government’s (HMG) Government Security Classification (GSC) Policy in respect of its information and to allocate appropriate markings according to the sensitivity of the information on systems and documents. Each information security classification has a minimum set of security measures associated with it that need to be applied.
These security measures might change, depending on the information lifecycle stage.
The purpose of this Policy is to provide police personnel with guidance in exercising the requirements as set out within the College of Policing Authorised Professional Practice – Information Management Collection and Recording and within other guidance such as:
Applies (but not limited) to: All categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regards to the contents of this policy.
The purpose of this Policy is to ensure that Dyfed-Powys Police comply with the requirements of the GSC and to provide instruction for the marking and handling of information. This Policy must always be adhered to and must be read in conjunction with the Chief Constables’ Council Government Security Classification (GSC) Information Asset Control Measures (V2.1) and Cabinet Office – Government Security Classifications – 30 June 2023.
This Policy provides a framework for classifying information and directs users to levels of control which are required to ensure the continuing availability, integrity and confidentiality of information. The criteria for determining the correct classification must consider both the level of threat posed to the information and the impact it would have should the information be compromised.
This Policy describes how Dyfed-Powys Police classify Information Assets to ensure they are appropriately protected and supports policing business processes by ensuring the value of information to the Force is fully exploited. The Policy applies to all the information that Dyfed-Powys Police collects, stores, processes, generates or shares to deliver services and conduct the business of policing, including information received from or exchanged with other Police Forces and third-party suppliers.
The GSC is intended to make it easier to classify information in a more meaningful way; improve sharing within government and with external partners, making sure that sensitive information receives the protection it requires.
All information that Dyfed-Powys needs to collect, store, process, generate or share to deliver services and conduct police business has intrinsic value and all staff must apply the appropriate degree of protection. All staff must apply this Policy and ensure that consistent controls are implemented throughout the police service, delivery partners and wider supply chain. Delivery partners and suppliers who have access to Dyfed-Powys Police information must apply equivalent controls, which are provided for under contractual provisions or Information Sharing Agreements.
Dyfed-Powys Police Information Assets must be classified into three types:
Remember that each classification requires a minimum set of security controls to be in place to provide the appropriate protection against a range of threats.
Everyone who works within Dyfed-Powys Police has a duty to respect the confidentiality and integrity of all information and data that they access and are personally accountable for safeguarding information assets in line with this Policy.
Access to any information must only be granted based on a genuine need to know and an appropriate personnel security control (i.e. vetting level). Disciplinary action will be considered for any member of staff (including contractors, consultants, and suppliers so far as is feasible) who do not follow the mandatory actions set out in this Policy.
Information Sharing: Staff must risk assess sharing information and only share information with those who have a legitimate need to see it.
Need to Know: The compromise, loss or misuse of sensitive information may have a significant impact on an individual, organisation or Force business more generally. Access to sensitive information must be limited to those with a business need and the appropriate personnel security control. This ‘need to know’ principle applies wherever sensitive information is collected, stored, processed or shared either internally, with other Forces, partner agencies etc.
Applying the Government Security Classifications
The GSC classification system has three levels: OFFICIAL (including OFFICIALSENSITIVE), SECRET and TOP SECRET.
Each classification requires a minimum set of security controls to be in place, to
provide the appropriate protection against a range of threats.
Security classifications indicate the sensitivity of information (in terms of the impact resulting from compromise, loss, or misuse) and the need to defend against a broad profile of applicable threats. There are three levels of classification:
OFFICIAL
Most of the information that is created or processed by the public sector. This
includes routine business operations and services, some of which could have
damaging consequences if lost, stolen, or published in the media, but are not subject to a heightened threat profile.
SECRET
Sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations, or the investigation of serious organised crime.
TOP SECRET
HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
The Classifications do not have any direct implications for access to information under either the Data Protection Act (2018) or the Freedom of Information Act (2000).
Classification markings can assist in assessing whether exemptions to the Data
Protection Act or Freedom of Information Act may apply. However, it must be noted that each request must be considered on its own merits and the classification is not a justifiable reason for exemption, the same is true should the document not have marking, it would not be assumed that the information can automatically be disclosed.
OFFICIAL Classification
This classification applies to most of Dyfed Powys Police information including:
• General day to day policing activity
• Most front-line service operations
• Organisation and performance management information
• Personal information (including staff data, case files, citizen data)
• Business information (finance, estates, personnel, Policy, commercial)
• Policy documents
The OFFICIAL classification reflects the fact that reasonable measures need to be taken to look after an Information Asset and to comply with relevant legislation such as the Data Protection Act 2018 and the UK General Data Protection Regulation.
All Dyfed-Powys Police information must, as a MINIMUM, be treated as OFFICIAL and must be appropriately classified.
A limited amount of OFFICIAL information could have more damaging consequences if lost, stolen, or published in the media. This subset of information must still be managed within the OFFICIAL classification, but as it has a higher impact if compromised, it attracts additional control measures (procedural or personnel), to reinforce the ‘need to know’ principle. In these cases where there is a clear and
justifiable requirement, then information can be described using the caveat of OFFICIAL- SENSITIVE.
Examples of where the OFFICIAL-SENSITIVE classification must be used include:
• Where the outcome of a risk assessment highlights a specific risk, or threat to highly vulnerable individuals
• Cases involving intimidation, corruption, or fraud
• Where there is a legal requirement for anonymity
• Where there is a high media profile and risk of damaging reputation under unauthorised disclosure
• Highly sensitive change proposals or contentious negotiations
• Highly sensitive operational procedures
• Major security or contingency planning details
This more sensitive information must be identified by being marked OFFICIAL-SENSITIVE. This marking alerts users to the enhanced level of risk and those additional controls are required, such as handling instructions.
SECRET Classification
The SECRET classification must only be used where there is a high impact of risk and a sophisticated / determined threat from such elements as serious and organised crime and foreign intelligence services.
SECRET must not become the default status for material just because of the type of case or potentially severe consequences (e.g., murder trials, or where there is a threat to life). The threat capability must also be present. There is no change to controls at this level.
Dyfed-Powys Police only handle a small amount of information at this classification.
TOP SECRET Classification
This classification remains for information of the highest sensitivity relating to national security and subject to highly capable threat sources. There is no change to controls at this level.
For more information on applying Classifications and Handling conditions, please refer to the DPP Standard 18 and NPCC Information Asset Control Measures (V2.1) which can be found on the Information Security & Assurance Intranet page.
All Dyfed-Powys Police information must, as a MINIMUM, be treated as OFFICIAL and must be appropriately classified.
A limited amount of OFFICIAL information could have more damaging consequences if lost, stolen or published in the media. This subset of information must still be managed within the OFFICIAL classification, but as it has a higher impact if compromised, it attracts additional control measures (generally procedural or personnel), to reinforce the ‘need to know’ principle. In these cases where there is a clear and justifiable requirement, then information can be described using the caveat of OFFICIAL-SENSITIVE.
Examples of where the OFFICIAL-SENSITIVE classification must be used include:
This more sensitive information must be identified by being marked OFFICIAL-SENSITIVE. This marking alerts users to the enhanced level of risk and that additional controls are required, such as handling instructions.
Dyfed-Powys Police complies with the College of Policing Authorised Professional
Practice (APP) on Information Assurance, the Information Security Officer (ISO) is
responsible for the development and implementation of Information Security Policies
and Procedures within the Force in accordance with:
The Force is required to comply with the following legislation and all other legislation as appropriate, including, but not limited to:
• Computer Misuse Act 1990
• Data Protection Act 2018
• UK General Data Protection Regulation (UK-GDPR)
• Human Rights Act 1998
• Official Secrets Act 1989
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000 (RIPA)
• Freedom of Information Act 2000
Related policies, standards, procedures, practices including, but not limited to:
The policy is owned by the Information Management Business Area. The Information Security Officer is responsible for regularly monitoring the policy for its effectiveness, any changes to legislation, national guidance etc.
All approval decisions for the implementation of the policy are agreed by the
Information Assurance Board which is chaired by the force Senior Information Risk Owner (SIRO) who is the Force Deputy Chief Constable.
This policy applies to all users who access or process Dyfed-Powys Police information.
CODE OF ETHICS
The following Code of Ethics principles are relevant to this policy:
The review process is conducted by the Information Security Officer on a biennial basis to ensure the continued effectiveness of the policy, taking account of challenges to the policy and any changes to legislation, national guidance etc.
The Information Assurance Board is kept informed of any changes that may affect the Government Security Classification policy by means of regular reports and meetings.
Compliance with this policy is monitored via:
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: February 2023