1. Statement of Policy
Dyfed-Powys Police is committed to ensuring good information management and recognises that the effective management of police information to a high standard is core to efficient policing.
Information is the lifeblood of the Force and as a critical business asset it requires adequate protection and management, commensurate with its degree of reliance and sensitivity.
The Force is committed to adhering to information related legislation and standards, with a particular emphasis on maximising the benefits brought by effective management to operational policing.
This policy applies to (but is not limited to) all categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed-term or temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
This policy applies to all information assets held and used by Dyfed-Powys Police, including that used for policing duties, e.g. crime and incident reports (operational) and for administrative purposes, e.g. employment records, payroll (corporate).
The policy applies to all Dyfed-Powys Police personnel, including police officers, police staff, police cadets, special constabulary and volunteers, who use the Force’s information as necessary to carry out their duties related to the delivery of policing services. Similarly, it applies to contractors, partner agencies and other individuals who may access or share the Force’s information for the purpose of carrying out ‘partnership-policing duties’ or general processing.
In particular, this policy applies to Information Asset Owners, Project Managers and ICT staff, who are the people most likely to make changes to the manner in which information assets are managed, and whose changes could present risks internally within the Force and externally with wider public sector partners.
It is important that officers and staff have the freedom to innovate, exercise discretion and take risk-based decisions (commensurate with the Force’s risk appetite) centred on the needs in the circumstances and the merits of each case.
Information risks are defined as threats to:
- Confidentiality – ensuring only authorised persons can access or be provided with information
- Integrity – ensuring the information is authentic, accurate and complete, not excessive; and
- Availability – ensuring authorised persons can access it when they need to at the right time and in the right way.
Information Risk Management aids the Force in identifying information risks, identifying the strategies the Force can put in place to mitigate those risks and reduce any damage. Strategies can include:
- Assessing what can go wrong (how, how often, how much damage)
- Keeping staff up to date and agile with new technology
- Taking special care over sensitive information and transfer arrangements
- Ensuring staff are able to identify risks and escalate them[1]
- Compliance with Information Governance legislation
- Taking a ‘data protection by design and by default’ approach, ‘putting in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights’[2].
- Ensuring all officers and staff across the Force have received appropriate information management training.
- Ensuring that the Force has in place appropriate documentation such as Data Protection Impact Assessments (DPIAs), Data Processing Contracts (DPCs) and Information Sharing Protocols (ISPs).
3. Powers and Policy/Legal Requirements
The Force is committed to adhering to information related legislation and standards, with particular emphasis on maximising the benefits effective information risk management brings to operational policing.
Accountability is one of the data protection principles: the Force must not only comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, but must also be able to demonstrate that compliance.
Adopting an ethos of accountability allows the Force to show that it has actively considered the risks and put in place control measures, mitigations and safeguards in support of the organisation’s vision.
Dyfed-Powys Police has a legal obligation to comply with UK data protection legislation. Dyfed-Powys Police will also refer to the College of Policing APP: Information Management – Information Assurance – Information Risk Management.
Relevant legislation includes:
- The Data Protection Act 2018
- The UK General Data Protection Regulation (UK GDPR)
- Computer Misuse Act 1990
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000
- Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
This policy should also be read in conjunction with the following related policies, protocols, practices, and guidance:
- Data Protection Policy
- Information Security Policy
- Information Sharing Policy
- Records Management Policy
- Data Protection Compliance Audit Policy
- Data Protection Impact Assessment Policy
- The National Police Chiefs Council (NPCC) Senior Information Risk Owner Handbook
- NPCC Information Asset Owner Handbook
- Police Information and Records Management Code of Practice
- College of Policing Authorised Professional Practice (APP) Information Management
- NPCC Data Protection Manual of Guidance.
- The Information Commissioner’s Office’s Code of Practice and Guidance.
4. Options and Contingencies
The aim of this policy is to set out the arrangements that are in place to manage information risks, to facilitate effective, clear direction and to support achievement of compliance with legislation, statutory obligations and good practice standards. It will achieve this by:
- Ensuring the Force’s information is processed in compliance with legislation and the Force’s risk appetite.
- Providing a risk management framework to ensure consistency of approach around the management of information risk.
- Encouraging a proactive approach to information risk management.
- Promoting a well-managed and informed information risk management process and improving the quality of decision making; and
- Ensuring the Force’s assets are safeguarded (people, information, property, finance and reputation).
Roles and Responsibilities within Dyfed-Powys Police
Chief Constable
The Chief Constable of Dyfed-Powys Police is the Data Controller and as such has overall responsibility for the lawful processing of all personal data processed by the Force. Similarly, they have responsibility for all information held by the Force, whether operational or corporate. They also have overall accountability for procedural documents and ultimate responsibility for compliance with this policy across the entire Force.
This policy serves to ensure that the Data Controller complies with their responsibilities under Article 24(2) of the UK GDPR and s4.7 of the Police Information and Records Management Code of Practice.
Senior Information Risk Owner (SIRO)
The Deputy Chief Constable (DCC) of Dyfed-Powys Police is the appointed Senior Information Risk Owner (SIRO). The SIRO is a key role in the Information Risk Management process and has several responsibilities:
- The SIRO is accountable for Information Risk within the Force and is responsible for determining and setting the Force risk appetite for information assets that are not contained within or connected to national systems.
- Ensuring that the management of information risks is weighed alongside the management of other risks facing the organisation, such as financial, legal and operational risks.
- Ensuring that the information risk appetite is recorded and incorporated in the risk management processes and communicated to the Force.
- Providing executive-level accountability for information risk across the Force, and greater assurance that information risks are addressed.
- Ensuring that information risks are treated as a priority for business outcomes.
- Managing information risk from a business, not a technical perspective, focusing on the strategic information risks related to the delivery of corporate objectives.
- The SIRO will take a holistic approach to information risk across the supply chain and manage it in line with the Force’s risk appetite.
- The SIRO will establish an information risk strategy which allows assets to be exploited and risks to be managed effectively.
- The SIRO will identify business-critical information assets and set objectives, priorities and plans to maximise the use of information as a business asset.
- The SIRO will establish and maintain an appropriate risk appetite with proportionate risk boundaries and tolerances.
- The SIRO will ensure an effective information governance framework is in place.
- The SIRO will act as the champion for information risk within the Force, being an exemplar for all staff and encouraging the Executive to do likewise.
- The SIRO will ensure information risks which affect business objectives are highlighted to the Chief Officer Group and addressed.
- The SIRO will have an understanding of the impact of information risks on the Force’s risk register, and how those risks may be minimised and managed.
- The SIRO will establish a reporting and learning culture to allow the Force to understand where problems exist and develop strategies (policies, procedures and awareness campaigns) to prevent problems occurring in the future.
- The SIRO will chair the Information Assurance Board.
Information Asset Owner(s) (IAO)
Information Asset Owners (IAOs) are senior staff who are the nominated owners of one or more identified information assets. In Force they will be at Chief Superintendent or Head of Department equivalent level; in some instances an Assistant Chief Constable (ACC) will be an IAO.
The IAO is a further key role in the Information Risk Management process:
- The IAO is accountable for the confidentiality, integrity and availability of the information assets under their control and is responsible for identifying and managing risk.
- The IAO is responsible for ensuring that the information systems assigned to them have up-to-date accreditation.
- Monitoring and understanding what information – paper and electronic – is being held and how it is maintained; knowing and approving who has access to it and why.
- Seeking to use information fully within the law.
- Identifying and addressing risks to the information, including the potential for data protection breaches within their area of business.
- Encouraging a culture that values, protects and uses information for the public good.
- Assisting and informing the SIRO in establishing an information risk strategy which allows assets to be exploited and risks to be managed effectively.
- Acting as the champion for information risk within their business area, being an exemplar for all officers and staff and encouraging others to do likewise.
- Ensuring that information risks which affect business objectives are highlighted to the SIRO and/or the Chief Officer Group.
- The IAO will have governance processes and a framework in place to help them understand all important information assets, their value, and their importance to the business and what the impact of their loss would be.
- The IAO will ensure that all information assets under their control are recorded within the Force Information Asset Register (IAR) and that processing activity is recorded within the Force Record of Processing Activity (ROPA). Both the IAR and the ROPA are managed by the Force Information Management and Compliance Department.
- The IAO will have assigned appropriate roles and responsibilities within their information governance framework.
- The IAO will ensure that the escalation path for decision-making is clearly defined, and appropriate personnel are empowered to make decisions on their behalf in respect to information risk management and information management generally.
- The IAO will ensure they have implemented appropriate and proportionate security controls as necessary to reduce risks to an acceptable level.
- The IAO will agree risk boundaries/tolerances with the SIRO and keep them up to date with evolving threats.
- The IAO will ensure that threats, vulnerabilities and risks to their business area are regularly reassessed and re-evaluated.
- The IAO will ensure that Officers and Staff under their control receive regular training on current threats and risks and are aware of the steps to take to mitigate these.
- The IAO will ensure that they promote a culture where staff are aware of the consequences and impacts of information losses, data breaches or attacks and report them proactively.
- The IAO will ensure that they promote a culture where staff are aware of the risks to Force information assets and proactively take steps to mitigate new risks as they arise.
- The IAO will ensure that the awareness and training of the officers and staff under their control is maintained and that they are up to date with information compliance training.
- The IAO will ensure that personal data breaches and information security breaches or incidents are reported in a timely manner to the Information Management and Compliance Department.
Information Assurance Board
The role of the Information Assurance Board (IAB) is:
- To maintain strategic oversight, and support the management of, all activities related to the use, processing, retention, and transmission of information or data under the control of Dyfed-Powys Police and the structures, systems and processes used for those purposes in accordance with the College of Policing Authorised Professional Practice (APP) on Information Management.
- This includes the Force management of data protection breaches, as data protection breaches are reported upon to the Information Assurance Board (and then further to the Policing Board).
- The SIRO and IAB will evaluate outcomes and information risk management processes through regular monitoring, taking into consideration the following:
  - Compliance with legislation and national information management standards;
  - Reduction in data protection breaches/ICO (Information Commissioner’s Office) referrals which may be attributable to gaps in information risk management;
  - Improved data quality and consistency in decisions to process; and
  - Improved understanding of information risk from accountable roles.
- Provide governance support and direction to the Information Management and Compliance Department in line with the Force vision to ‘Safeguard our Communities Together’, and
- Work in line with the other groups and boards in delivering the mission, vision and values of the Force, the Chief Constable’s vision and the delivery plan in support of the Police and Crime Plan.
Data Protection Officer (DPO)
The Information Manager at Dyfed-Powys Police is the appointed Data Protection Officer (DPO). The DPO is responsible for:
- Protecting the confidentiality of personal data across the Force.
- Representing and championing data protection issues and requirements.
- Ensuring that the Force satisfies the highest practical standards for handling data protection breaches.
- Enabling suitable information sharing with other bodies.
- Ensuring that data protection breach issues are appropriately reflected in Force policies, procedures, processes and strategies for police officers, police staff and volunteers.
- Assisting the Force in demonstrating compliance with UK data protection legislation as part of the enhanced focus on accountability.
- Acting as a point of contact for data subjects and the ICO in regard to data protection breaches.
- Informing and advising on data protection obligations, in regard to data protection breaches, Force wide.
- The DPO will oversee the corporate approach to information risk management, ensuring the creation and maintenance of the Information Risk Register.
- Ensuring that information risks are appropriately recorded within the Information Risk Register and reported to the Information Assurance Board. Where high risks are identified and immediate action is required the DPO will escalate such risks to the SIRO, as necessary.
- Having due regard to the risks associated with processing operations, thereby ensuring compliance with UK GDPR Article 39(2) on behalf of the Data Controller.
Data Protection Advisor
The Data Protection Advisor is responsible for:
- Maintaining awareness of data protection breach issues across the Force.
- Investigating and reporting upon reported data protection breaches and reporting any information risks to the DPO.
- Ensuring that, where appropriate, information risks are recorded within the Information Risk Register through consultation with the DPO.
- Encouraging a culture that values, protects and uses information for the public good.
- Reviewing and updating the Data Protection Breach Policy when appropriate, in line with legislation.
- Reviewing and updating all procedures and processes relating to the Data Protection Breach Policy, where appropriate.
- Ensuring all line managers are aware of their responsibilities and accountability regarding data protection breach management and the requirements of the Data Protection Breach Policy.
- Ensuring all employees are provided with the appropriate and necessary guidance to further their understanding of recognising and reporting data protection breaches.
- Conducting comprehensive investigations of any data protection breaches reported and identifying any information risks.
- Where necessary, notifying the ICO of relevant data protection breaches.
- Where necessary, notifying affected data subjects of relevant data protection breaches.
- Ensuring that any opportunities of learning are shared Force wide, and
- Informing and advising on data protection obligations Force wide.
Information Security and Assurance Officer
The Information Security and Assurance Officer (ISO) is responsible for the development and implementation of security policies, standards, and procedures within the Force. Additionally, the ISO is responsible for:
- Co-ordinating all aspects of information security.
- Providing advice and assurance on the established information security standards necessary to safeguard Force Information Assets.
- Investigating and reporting upon security incidents and reporting any information risks to the DPO.
- Acting as an impartial assessor of the risks that an information system may be exposed to while meeting business requirements, and formally assuring systems on behalf of the Force.
- Ensuring that, where appropriate, information risks are recorded within the Information Risk Register. Where high risks are identified and immediate action is required, the ISO will escalate such risks to the SIRO, as necessary.
Information Technology Security Officer
The Information Technology Security Officer (ITSO) is based within ICT and is responsible for:
- Protecting computers, networks, infrastructure and data from unauthorised access or damage.
- Providing advice on technical security architecture and posture.
- Identifying security vulnerabilities across the estate and through the supply chain, and advising on improvements.
- The ITSO will ensure that any information risks identified are escalated to the DPO in order that the DPO can assess whether they require inclusion within the Information Risk Register and if necessary, escalation to the SIRO.
Line Managers/Supervisors
- Line managers and supervisors are responsible for ensuring that security processes are followed to protect the physical environment where information is processed or stored.
- They are responsible for ensuring that their permanent and temporary staff and contractors are aware of the information security policy and associated standards applicable in their work areas, their personal responsibilities for information security, and how to access advice on information security matters.
- It is the responsibility of line managers and supervisors to ensure that officers and staff under their control know how to report a data breach and an information security breach.
- Line managers and supervisors will ensure that the awareness and training of the officers and staff under their control is maintained and that they are up to date with information compliance training.
- Line managers and supervisors will ensure that information risks are escalated to their Line Manager and if necessary, the relevant IAO.
All Officers, Staff and Volunteers
- All officers, staff and volunteers will ensure they are aware of the consequences and impacts of information losses, data breaches or attacks and report them proactively.
- All officers, staff and volunteers will familiarise themselves with the data breach and information security breach reporting procedures and ensure that any such breaches are reported promptly and that any information risks are escalated to their Line Manager.
- All officers, staff and volunteers will ensure they are aware of the risks to Force information assets and proactively take steps to mitigate new risks as they arise.
- All officers, staff and volunteers will ensure that they use Force information for a Policing Purpose and not for their own self-interest. They will ensure that they value, protect, and use Force information for the public good.
Code of Ethics
In line with the ethical policing principles, this Policy seeks to address the following:
- Public service – “working in the public interest, fostering public trust and confidence, and taking pride in providing an excellent service to the public”. The policy is clear and ensures integrity within its purpose; the policy contains clearly defined responsibilities.
- Courage – “making, communicating and being accountable for decisions, and standing against anything that could bring our profession into disrepute”. The policy is lawful and proportionate and respectful of the rights of individuals.
- Respect and empathy – “encouraging, listening to and understanding the views of others, and seeking to recognise and respond to the physical, mental and emotional challenges that we and other people may face.” The policy promotes equality and diversity considerations wherever possible and is not unlawfully or unfairly discriminatory.
The ethical policing principles will be used to help the Force make and reflect on professional decision making in regard to information risk.
5. Take action and review
This policy is owned by the Information Management and Compliance Department. The review process will be conducted by the Information Manager/Data Protection Officer on a bi-annual basis to ensure the continued effectiveness of the policy, taking into account any changes to legislation, national guidance, ICO guidance, NPCC guidance etc.
The effectiveness of the policy will be monitored on a regular basis over and above the review period and any major concerns will be escalated as appropriate.
Effectiveness of the policy will be measured through the Force Data Protection Compliance Audit process, the aim being to check awareness of the need to report information risks to line managers, IAOs etc.
Any amendments to this policy will be approved by the Information Assurance Board.
In the case of any queries regarding this policy, its content, or associated guidance documentation - individuals should contact:
- Dyfed-Powys Police Data Protection Officer
- Email: [email protected]
- Post: Data Protection Officer, Dyfed-Powys Police, PO BOX 99, Llangunnor, Carmarthenshire, SA31 2PF
Appropriate promotion of this policy will take place, which can include awareness raising when training inputs and presentations are provided to employees across the Force. The policy will be made available on the Force intranet and internet sites. Publication via the internet will ensure that it is available for public view.
Any issues of concern or risk in respect to compliance with UK data protection legislation across the Force will be escalated to the Force Data Protection Officer, Force SIRO and Information Assurance Board, dependent on severity.
Information regarding any other potential data protection issues or information security issues across the Force, will be processed in line with the Force Data Protection Policy and/or the Force Information Security Policy and associated standards. Such reporting, and subsequent investigation may highlight issues with this policy and associated guidance, which could result in a necessary review. If this is the case, relevant action will be taken. The Data Protection Officer will work closely with representatives from the relevant departments to address the issues and ensure that any lessons learned will be fully reported and cascaded as necessary.
[1] An introduction to information risk - The National Archives blog
[2] Data protection by design and default | ICO
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
- eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
- advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
- foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: September 2024