Information is a valuable asset, and it needs to be managed as such. In this digital age, managing Information Assets requires input and support from ICT and the people responsible for knowledge and information in the organisation. The information we are entrusted with is vital to the work we do, and we therefore need to protect it. If we misuse or lose personal information, it could cause serious harm or distress to people.
The Information Asset Owner (IAO) role is responsible for the management of information (not systems). For any enquiries regarding the functionality, performance and maintenance of each system, please contact the Senior Systems Owner (SSO). The SSO can assist and provide information to the IAO and the Senior Information Risk Owner (SIRO) on the security and use of their asset(s). A list of all roles and responsibilities is set out in Section 4 of this policy.
This Policy aims to provide you with an understanding of the Information Assurance Ownership function, the governance arrangements, and defines the role and responsibilities.
Specific roles are responsible for ensuring that the value of that information to the organisation is fully realised, and that it is used appropriately, and within the law, for the public good.
This Policy must be adhered to at all times and specifically applies to all nominated Information Asset Owners and Information Asset Administrators who must have due regard to the contents of the Policy to ensure full compliance. The Policy also applies to all the key roles identified in Section 4. Compliance with this Policy provides assurance to partner agencies, third parties and the wider community that risks to Force information are being managed to a level acceptable to the wider policing and security community.
Dyfed-Powys Police complies with the College of Policing Authorised Professional Practice (APP) on Information Assurance. The Information Security Officer (ISO) is responsible for the development and implementation of Information Security Policies and Procedures within the Force in accordance with:
• The Cabinet Office Community Security Policy Framework
• National Policing Community Security Policy, Framework and Principles
• The National Police Chiefs’ Council (NPCC)
• The business needs of the Force
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Related policies, standards, procedures, practices, including, but not limited to:
Key Roles in Information Asset Management
Chief Constable: The Chief Constable is the Data Controller for the Force and, as such, has a legal obligation to comply with the data protection principles subject to exemptions, in relation to all personal information controlled by the Force. The Chief Constable is responsible for the management and use of information within Dyfed-Powys Police.
Senior Information Risk Owner (SIRO): The SIRO (Deputy Chief Constable) has strategic ownership of risk, with a focus on information risks, to ensure the risk relevant to the security of the Information Assets for which they are responsible is effectively managed. The SIRO is responsible for ensuring that each programme, project and information system within their remit meets its business objectives and delivers the required service while maintaining the confidentiality, integrity and availability of the Information Assets that it stores or processes. The SIRO chairs the Information Assurance Board which sets the governance for information management across the organisation.
Information Security & Assurance Officer (ISO): The ISO provides advice on security and good practice in respect of access to and use of systems. The ISO monitors Force and third-party information security and ensures compliance with relevant guidance and legislation. The ISO acts as an impartial assessor of the risks that an information system may be exposed to in the course of meeting business requirements, and formally assures systems on behalf of the Force.
Senior System Owner (SSO): The Head of ICT, as the SSO, is responsible for ensuring the day-to-day running of all systems in line with business requirements. The SSO is responsible for providing assurance to the SIRO that all Force information systems processing classified information comply with the requirements laid down by Government and other regulatory bodies.
Information Management Business Area (IMBA): This business area is responsible for all information obtained, recorded or processed for a policing purpose within DPP, and for developing and reviewing the Force Records Management and Information Sharing Policies. The department is also responsible for information which is processed and information which has been subject to a process of evaluation. It will provide advice on lawfully and fairly sharing your Information Assets, in line with the principles of the Data Protection Act 2018, UK GDPR and Information Sharing protocols and processing.
Information Asset Owner(s) (IAOs): IAOs are senior/responsible individuals within the Force who are the nominated owners of one or more identified assets, including cloud-hosted solutions. They are required to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, ensure that information is fully used within the law for the public good, and provide assurance to the SIRO that the appropriate security measures are in place to protect their assets. It is the responsibility of the IAO to ensure that all assets are recorded on the Information Asset Register (IAR) and that regular updates are provided to the ISO, who maintains the IAR for the Force. IAOs also need to ensure that, upon moving roles, they hand over responsibility to the relevant individual.
Data Protection Officer (DPO): The DPO is responsible for ensuring Force use of data is compliant with legislation, providing information and guidance on the processing of all personal data, and handling requests from data subjects in exercising their rights to access data and the rectification of any concerns. The DPO is responsible for breach notification to the Information Commissioner’s Office (ICO).
Information Assurance Board (IAB): The role of the Information Assurance Board is to maintain strategic oversight of, and support the management of, all activities related to the use, processing, retention and transmission of information or data under the control of Dyfed-Powys Police, and the structures, systems and processes used for those purposes, in accordance with the College of Policing APP on Information Management; and to provide governance support and direction to the Information Management Business Area in line with the Force Priorities and the Police and Crime Plan.
Information Technology Security Officer (ITSO): The ITSO is responsible for protecting computers, networks, infrastructure and data from unauthorised access or damage. The ITSO provides advice on technical security architecture and posture.
Users: All users are responsible for recording information for a policing purpose in an appropriate format whilst complying with the recording and data quality principles, ensuring information is relevant, accurate, adequate and, where necessary, up to date.
When sharing information with partner agencies, users need to ensure that they have a lawful basis for providing the information to the third party. Advice on whether information can be shared with a third party can be obtained from the Information Sharing Officer within the Information Management Business Area.
CODE OF ETHICS
The following Code of Ethics principles are relevant to this policy:
• Accountability – You are answerable for your decisions, actions and omissions.
• Integrity – You always do the right thing.
• Honesty – You are truthful and trustworthy.
• Openness – You are open and transparent in your actions and decisions.
• Selflessness – You act in the public interest.
This Policy is owned by the Information Management Business Area. The review process will be conducted by the Information Security Officer (ISO) on a biennial basis to ensure the continued effectiveness of the Policy, taking into account any changes to legislation, national guidance, etc.
The effectiveness of the Policy will be monitored on a regular basis over and above the two-year review period and any major concerns will be escalated as appropriate.
This Policy shall be subject to audit by the Force’s internal or external auditors.
The SIRO and Information Assurance Board are kept informed of the information security status of the Force by means of regular reports and meetings.
Compliance with this policy is monitored via:
• Incident reporting and escalation procedures
• Internal information security audits
• Independent audits (such as by the Information Commissioner’s Office (ICO))
• Data Protection audit
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: February 2023