Current timestamp: 12/06/2026 20:49:26
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Information Asset Management Policy

1. Statement of Policy

Information is an extremely valuable asset and is the lifeblood of policing, it needs to be managed as such. Managing information assets requires support from ICT, Information Asset Owners and the Information Management and Compliance Department. The information that the Force is entrusted with is vital to the work undertaken by the Force, no one can undertake their work without information. 

There is a requirement that everyone protects the information they are entrusted with and handles and processes information in line with legislation, a failure to do this could cause serious harm or distress to people and could result in a breach of legislation which could result in monetary penalties for the Force, compensation claims and reputational damage.     

Information Asset:An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and life cycles”.

Information Asset Management: Is a structured approach to identifying, protecting and managing an organisations information assets. It involves creating an inventory of information assets, assigning ownership, assessing risks, and implementing controls to ensure the confidentiality, integrity, and availability of that information. This process helps organizations make informed decisions, comply with regulations [and legislation], and mitigate potential risks associated with their information.

Applies (but not limited) to: All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.

 

2. Policy Scope

This policy applies to all information assets held and used by Dyfed-Powys Police, including that used for policing duties, e.g. crime and incident reports (operational) and for administrative purposes, e.g. employment records, payroll (corporate).

The policy applies to all Dyfed-Powys Police personnel, including police officers, police staff, police cadets, special constabulary, and volunteers, who use the Force’s information to carry out their duties related to the delivery of policing services. Similarly, it applies to contractors, partner agencies and other individuals who may access or share the Force’s information for the purpose of carrying out partnership-policing duties or general processing.

This policy, in particular, applies to Information Asset Owners, Information Asset Administrators, Project Managers and ICT staff that are most likely to make changes to the manner in which information assets are managed and which could present risks internally within the Force and externally with wider public sector partners. The policy also applies to all key roles identified within section 4.

Compliance with this Policy provides assurance to partner agencies, third parties and the wider community that information and risks to Force information assets are being managed to a level acceptable to the wider policing and security community.

 

3. Powers and Policy/Legal Requirements

The Force is committed to complying with information related legislation and standards, with particular emphasis on maximising the benefits effective information asset management brings to operational policing.

Accountability is one of the data protection principles and as a consequence the Force has a legal obligation to comply with the UK- General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 and subsequent legislation such as the Data (Use and Access) act 2025.

Dyfed-Powys Police will also refer to the College of Policing, APP - Information Management and related Information Commissioner’s Office (ICO) guidance.

Relevant legislation includes:

  • Data Protection Act 2018
  • UK General Data Protection Regulation (UK-GDPR)
  • Human Rights Act 1998
  • Electronic Communications Act 2000
  • Regulation of Investigatory Powers Act 2000 (RIPA)
  • Freedom of Information Act 2000
  • Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Related policies, standards, procedures, practices, including, but not limited to:

  • NPCC National Guidance on the minimum standards for the Retention and Disposal of Police Records
  • Information Security Policy and Associated Standards
  • Information Sharing Policy
  • Data Protection Policy
  • Records Management Policy
  • Data Protection Compliance Audit Policy
  • Data Protection Impact Assessment Policy
  • Police Information and Records Management Code of Practice
  • NPCC Information Asset Owner Handbook
  • NPCC Senior Information Owner (SIRO) Handbook
  • College of Policing Authorised Professional Practice (APP) Information Management
  • The Information Commissioner’s Office Code of Practice and Guidance.
  • The Cabinet Office Community Security Policy Framework
  • National Policing Community Security Policy, Framework and Principles
  • Information Asset Management and Information Risk Management Guidance currently under development by the Data Protection Officer (as at July 2025)

 

4. Options and Contingencies

The aim of this policy is to set out the arrangements that are in place to manage information assets, to facilitate effective, clear direction and to support achievement of compliance with legislation, statutory obligations, and good practice standards. It will achieve this by;

  • Ensuring information assets are processed in compliance with legislation, codes of practice and relevant guidance.
  • Encouraging a proactive approach to information asset management.
  • Ensuring the Force’s information assets are safeguarded.
  • Ensuring that information assets are recorded within the Force Information Asset Register.

Roles and Responsibilities within Dyfed-Powys Police

Chief Constable (Data Controller)

The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. Similarly, they have responsibility for all information held and processed by the Force whether it be operational or corporate information.

The Data Controller determines the purposes and means of processing personal data. The Data Controller decides what data is collected, why it is collected, and how it is used. They bear the primary legal responsibility for ensuring compliance with data protection legislation.  They also have overall accountability for procedural documents and have ultimate responsibility for compliance of this policy across the entire Force.

This policy serves to ensure compliance by the Data Controller of their personal responsibility under Article 24 (2) of the UK GDPR and s4.7 of the Police Information and Records Management Code of Practice.

Senior Information Risk Owner (SIRO)

The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO).  They are the strategic lead for information assets. Their responsibilities include, but are not limited to:

  • The provision of executive- level accountability and greater assurance that information risks are addressed and that information assets are protected in line with legislation.
  • The SIRO plays a vital role in getting the Force to recognise the value of information held, enabling the Force to use it effectively for the public good and in line with legislation.
  • Identifying business-critical information assets and setting objectives, priorities and plans to maximise the use of information as a business asset.
  • Establishing an effective information governance framework.

Information Asset Owner(s) (IAO)

Information Asset Owners (IAO) are senior staff who are the nominated owners of one or more identified information assets including cloud hosted solutions.  In Force they will be at Chief Supt or Head of Department equivalent level, in some instances the ACC will be an IAO. They are required to understand what information is held and being processed, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information and ensure that information is fully used within the law for public good and provide assurance to the SIRO that the appropriate security measures are in place to protect Force information assets.

They are a key role in the Information Asset Management process:

Their responsibilities, in respect to the information assets under their control include, but are not limited to:

  • The IAO is accountable for the confidentiality, integrity, and availability of the information assets under their control and are responsible for identifying and managing information risk.
  • The IAO will ensure compliance with the NPCC IAO handbook and will ensure that they have undertaken the recommended training. The Information Management and Compliance Department will arrange external IAO training for all IAO’s and Information Asset Administrators (IAA).
  • The IAO is responsible for ensuring that the information systems assigned to them have up to date accreditation.
  • Monitoring and understanding what information – paper and electronic – is being held and how it is maintained; knowing and approving who has access to it and why.
  • Seeking to use information fully within the law.
  • Encouraging a culture that values, protects, and uses information for the public good.
  • The IAO will have governance processes and a framework in place to help them understand all important information assets, their value, and their importance to the business and what the impact of their loss would be.
  • The IAO will ensure that all information assets under their control comply with the requirements set out in the NPCC Review, Retention and Disposal Schedule and the Police information and records management Code of Practice. Taking into account the requirements in respect to heritage data and the requirement for archiving some records in ‘the public interest’ in line with Force guidance (as at July 2025 to be developed by the Data Protection Officer).
  • The IAO will ensure that all information assets under their control are recorded within the Force Information Asset Register (IAR) and that processing activity is recorded within the Force Record of Processing Activity (ROPA). Both the IAR and ROPA being managed by the Force Information Management and Compliance Department.
  • The IAO will ensure that the Information Management and Compliance Department are provided with relevant information to ensure that the IAR and ROPA remain up to date.
  • The IAO will have assigned appropriate roles and responsibilities within their information governance framework.
  • The IAO will ensure that the escalation path for decision-making is clearly defined, and appropriate personnel are empowered to make decisions on their behalf in respect to information asset management and information management generally.
  • The IAO will ensure that they promote a culture where officers, staff etc are aware of the value of information and the risks associated with not handling the data correctly and in line with legislation.
  • The IAO will ensure that for the officers, staff and volunteers under their control that their awareness and training is being maintained and that they are up to date on information compliance training, including refresher training as required.
  • The IAO will ensure that personal data breaches, information security breaches or incidents (or near misses) and information risks are reported in a timely manner to the Information Management and Compliance Department.

 

Information Assurance Board

The role of the Information Assurance Board (IAB) is:

To maintain strategic oversight, and support the management of, all activities related to the use, processing, retention, and transmission of information or data under the control of Dyfed-Powys Police and the structures, systems and processes used for those purposes in accordance with the College of Policing Authorised Professional Practice (APP) on Information Management. This includes the Force management of data protection breaches.

The SIRO and IAB will evaluate outcomes and information risk management processes through regular monitoring and taking into consideration the following:

  • Compliance with legislation and national information management standards.
  • Reduction in data protection breaches/ICO (Information Commissioner’s Office) referrals which may be attributable to gaps in information asset risk management and information asset management.
  • Improved data quality and consistency in decisions to process data; and
  • Improved understanding of information risk from accountable roles.
  • Provide governance support and direction to the Information Management and Compliance Department in line with the Force vision to ‘Safeguard our Communities Together’, and
  • Work in line with the other groups and boards in delivering the mission, vision and values of the Force, the Chief Constable’s vision and the delivery plan in support of the Police and Crime Plan.

 

Data Protection Officer (DPO)

The Information Manager at Dyfed-Powys Police is the appointed Data Protection Officer (DPO). Their responsibilities include, but are not limited to:

  • Protecting the confidentiality of personal data across the Force.
  • Representing and championing data protection issues and requirements.
  • Ensuring that the Force satisfies the highest practical standards for handling data protection breaches.
  • Enabling suitable information sharing with other bodies.
  • Ensuring that data protection breach issues are appropriately reflected in Force policies, procedures, processes and strategies for police officers, police staff and volunteers.
  • Assisting the Force in demonstrating compliance with UK data protection legislation as part of the enhanced focus on accountability.
  • Acting as a point of contact for data subjects and the ICO regarding data protection breaches
  • To inform and advise the Data Controller of their obligations pursuant to data protection legislation.
  • To monitor compliance with data protection legislation in relation to the protection of personal data.
  • Shall have due regard to the risks associated with processing operations taking into account the nature, scope, context and purposes of processing. This can be achieved by working closely with IAO’s and through the scrutiny of the IAR and ROPA.
  • Informing and advising on data protection obligations, in regard to data protection breaches and information asset management.
  • The DPO will oversee the corporate approach to information asset management, ensuring the creation and maintenance of the Information Asset Register.
  • Ensuring that information assets are appropriately recorded within the Information Asset Register and that processing activities are recorded within the Record of Processing Activity (ROPA). Thereby assisting the Data Controller in their obligations under the ‘Accountability Principle’.
  • Taking due regard to the risks associated with the processing of information assets thereby ensuring compliance with UK-GDPR Article 39 (2) on behalf of the Data Controller.

 

Information Management Business Area (IMBA):

IMBA has governance responsibility for all information obtained, recorded or processed for a policing purpose within the Force.

The department also has governance responsibility for information which is processed and information which has been subject to a process of evaluation.

They will provide advice to Information Asset Owners in respect to the legal requirements associated with the information assets under their control.

They will provide advice on lawfully processing and sharing Information Assets, in line with the principles of data protection legislation and Information Sharing protocols etc.

Both the IAR and ROPA will be managed by the Force Information Management and Compliance Department.

They will ensure that Information Asset Owners are made aware of their responsibilities in respect the inclusion of information assets within the IAR and ROPA via the Data Protection Impact Assessment (DPIA) Process.

 

ICT Department

The ICT department is responsible for protecting computers, networks, and infrastructure and data from unauthorised access or damage.

Information Technology Security Officer (ITSO):

The ITSO provides advice on technical security architecture and posture.

Users: All users of Force information have a personal responsibility in respect to Force information assets and are required to ensure the processing is in line with legislative requirements.  They are responsible for recording and processing information for a policing purpose in an appropriate format whilst complying with recording and data quality principles, ensuring information is relevant, accurate, adequate and up to date.

When sharing information with partner agencies, users need to ensure that they have a lawful basis for providing the information to the third party. Advice on whether information can be shared with a third party can be obtained from the Information Sharing Officer within the Information Management Business Area. Dyfed Powys Police are signed up to the Wales Accord on Sharing Personal Data (WASPI) and will follow the principles of the Accord when developing Information Sharing Protocols (ISP’s). Where regular sharing of personal data takes place with partner agencies ISP’s will be set in place.  It is the responsibility of Information Asset Owners to ensure engagement takes place with the Information Sharing Team to ensure ISP’s are in place.

The Dyfed Powys Police Privacy Notice, available on the Force website, provides information to the public on who the Force shares personal data with. 

Code of Ethics:

In line with the ethical policing principles, this Policy seeks to address the following:-

  • Public service – “working in the public interest, fostering public trust and confidence, and taking pride in providing an excellent service to the public”. the policy is clear and ensures integrity within its purpose; the policy contains clearly defined responsibilities.
  • Courage – “making, communicating and being accountable for decisions, and standing against anything that could bring our profession into disrepute” the policy is lawful and proportionate and respectful of the rights of individuals.
  • Respect and empathy – “encouraging, listening to and understanding the views of others, and seeking to recognise and respond to the physical, mental and emotional challenges that we and other people may face.” The policy promotes equality and diversity considerations wherever possible and is not unlawfully or unfairly discriminatory.

The ethical policing principles will be used to help the Force make and reflect on professional decision making in regard to information asset management.

5. Take action and review

This policy is owned by the Information Management Business Area. The review process will be conducted by the Information Manager/Data Protection Officer on a biennial basis to ensure the continued effectiveness of the policy and taking in to account any changes to legislation, national guidance etc.

The effectiveness of the Policy will be monitored on a regular basis over and above the two-year review period and any major concerns will be escalated as appropriate. This Policy shall be subject to audit by the Force’s internal or external auditors.

 

 

Compliance with this policy will be monitored via:

  • Incident reporting and escalation procedures
  • Data protection compliance audits
  • Internal information security audits
  • Independent audits (such as the Information Commissioners Office (ICO))
  • Data Protection audits

CODE OF ETHICS CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.

 

HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.

 

EQUALITY IMPACT ASSESSMENT

Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.

The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.

Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty. 

EQUALITY IMPACT ASSESSMENT COMPLETED: July 2025