Current timestamp: 23/06/2026 14:29:04
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Information Security Policy

1. Statement of Policy

The objectives of this Information Security Policy are to:

  • Preserve Confidentiality - Access to data shall be confined to those with appropriate authority and protected against unauthorised access, whether deliberate or
  • Preserve Integrity - Information shall be complete and accurate and protected from unauthorised All systems, assets and networks shall operate correctly, according to specification.
  • Preserve Availability - Information shall be available and delivered to the right person, at the time when it is needed.
  • To ensure that any use of cloud services have appropriate allocation of information security roles and responsibilities and confirmation from the cloud service provider that they can fulfil these roles and The Force follows the guidance provided by the National Cyber Security Centre (NCSC) in relation to cloud security.
  • Secure information throughout the delivery
  • Ensure regulatory and legislative requirements are
  • Ensure business continuity plans are produced, maintained, and tested as far as practicable.
  • Ensure information security training is available to all
  • Ensure all breaches of information security, actual or suspected, are reported and investigated.
  • Ensure that protection is through an appropriate combination of personnel, physical, procedural, and technical security controls. Ensure that every police activity or project considers information security as part of the overall risk management Any information risks must be identified and evaluated and where necessary, recorded.

Cyber Mission Statement

Our mission is to proactively protect and secure the digital, data and technology assets of the force from cyber-attack and ensure we remain resilient to known vulnerabilities and attack methods, enabling the force to provide a first-class service that is visible, accessible and safeguards our communities.

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned, held, or based in a cloud environment by the Force by:

  • Identifying through appropriate risk assessment, the value of information assets, to understand their threats and vulnerabilities that may expose them to
  • Managing the risks to an acceptable
  • Complying with any third party or delivery partner contract/agreement conditions relating to information security.
  • Commitment to achieve and maintain the standards set out in the National Policing Community Security Policy, Framework and supporting Codes of Connection.
  • Maintaining appropriate security standards, specifically with His Majesty’s Government (HMG) Security Policy Framework.
  • Ensuring the security of protectively marked, sensitive information and information assets belonging to DPP and entrusted to it by other organisations.
  • Meeting statutory obligations g.UK General Data Protection Regulations (UK – GDPR) and Data Protection Act (2018).
  • Ensuring that all members of staff and volunteers are aware of and fully comply with the relevant legislation as described in this and other policies.
  • Introducing a consistent approach to security, ensuring that all members of staff and volunteers fully understand their own responsibilities.
  • Creating and maintaining within the Force, a level of awareness of the need for Information Security as an integral part of DPPs day to day business.
  • Protecting information assets under the control of the

Applicability

Applies (but not limited) to: All categories of Dyfed-Powys Police officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates, and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.

Information Security is the responsibility of ALL.

2. Policy Scope

The purpose of this policy, associated guidance and standards is to protect from all threats, whether internal or external, deliberate, or accidental, the information assets held by the Force.

Dyfed-Powys Police complies with the College of Policing Authorised Professional Practice (APP) on Information Management which provides clear standards and guidance regarding Information Assurance.

The Force Information Security Officer (ISO) is responsible for the development and implementation of information security policies and procedures within the Force in accordance with:

National Policing Community Security Policy, Framework and Principles

  • The National Police Chiefs Council (NPCC)
  • The business needs of the Force

Compliance with this policy and associated standards, procedures, and guidance, provides assurance to partner agencies, third parties and the wider community that risks to Force information are being managed to a level acceptable to the wider policing and security community. These documents must be read in conjunction with this policy.

Chief Officers, Basic Command Units (BCUs) Commanders, Directors and Heads of Departments are responsible for implementing the policy within their areas, and for adherence by their staff and volunteers.

All are expected to take responsibility for the information that they create, understand its sensitivity, and ensure it is handled appropriately.

In the event of a breach of this policy, DPP may take the following action.

  • restrict or terminate a user’s right to use Force systems and access to Information Assets.
  • where appropriate, disclose information to law enforcement and regulatory agencies and take legal action.
  • refer the matter to the Professional Standards Department for investigation which could result in criminal and/or misconduct proceedings.

3.    Powers and Policy/Legal Requirements

Dyfed-Powys Police recognises that information is a primary asset of immense value to the organisation. To inspire public confidence, minimise risks to the organisation and support high quality service delivery, Dyfed-Powys Police is determined to ensure appropriate information security measures are implemented to preserve the confidentiality and integrity of all information assets.

Dyfed-Powys Police have a duty to comply with relevant legislation and regulations. All staff and volunteers have an individual and collective responsibility to fully comply with the requirements of legislation pertaining to the protection of information including the security of information.

Legislation includes but is not limited to the following:

  • Computer Misuse Act 1990
  • Data Protection Act 2018
  • UK-General Data Protection Regulation (UK-GDPR)
  • Human Rights Act 1998
  • Official Secrets Act 1989
  • Electronic Communications Act 2000
  • Regulation of Investigatory Powers Act 2000 (RIPA)
  • Freedom of Information Act 2000
  • Crime & Disorder Act 1998
  • Criminal Procedure & Investigations Act 1996

Related policies, standards, procedures, practices, including, but not limited to:

  • DPP Information Security Standards and Procedures
  • DPP Acceptable Use Policy and Standard
  • DPP Cyber Security Policy
  • DPP Data Protection Policy
  • DPP Freedom of Information Policy
  • DPP Smarter Working Policy & Associated IS Standard
  • NPCC National guidance on the Minimum Standards for the Retention and Disposal of Police Records
  • College of Policing Authorised Professional Practice (APP) – Information Management – Information Assurance

4. Options and Contingencies

Responsibilities for Information Security

Information Security is a responsibility shared by all members of the Force, the ultimate responsibility rests with the Chief Constable.

Chief Constable: In their capacity as Data Controller the Chief Constable shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the UK-GDPR and the Data Protection Act 2018. The Data Controller has specific responsibilities under the UK-GDPR and the Data Protection Act 2018

Senior Information Risk Owner (SIRO): The SIRO holds the responsibility of understanding how the strategic aims of the Force may be affected by failures in the secure use of the organisation’s information systems and assets. The SIRO has ultimate responsibility for deciding the proportionality of security measures against vulnerabilities to mitigate risk. The SIRO has specific responsibilities in relation to information risk as identified within the NPCC SIRO Handbook (2018)

Information Security & Assurance Officer (ISO): The ISO is responsible for the development and implementation of security policies, standards, and procedures within the Force. The ISO is additionally responsible for coordinating all aspects of security, providing advice and assurance to necessitate the established information security standards necessary to safeguard Force Information Assets, as well as investigating and reporting all security incidents. The Force ISO acts as an impartial assessor of the risks that an information system may be exposed to while meeting business requirements and to formally assure systems on behalf of the Force.

Senior System Owner (SSO): The Head of ICT as the SSO, is responsible for providing assurance to the SIRO that all Force information systems processing classified information comply with the requirements as laid down by Government, and other Regulatory bodies.

Information Asset Owner(s) (IAOs): IAOs are senior/responsible individuals within the Force who are the nominated owners of one or more identified assets, including cloud hosted solutions. They are required to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they can understand and address risks to the information and ensure that information is fully used within the law for public good and provide assurance to the SIRO that the appropriate security measures are in place to protect their assets.

 

Data Protection Officer (DPO): The DPO is responsible for ensuring Force use of data is compliant with legislation, providing information and guidance on the processing of all personal data, and handling requests from data subjects in exercising their rights to access data and the rectification of any concerns. The DPO is responsible for breach notification to the Information Commissioner’s Office (ICO). The DPO has specific tasks mandated by data protection legislation.

Information Technology Security Officer (ITSO): The ITSO is responsible for protecting computers, networks, infrastructure and data from unauthorised access or damage. The ITSO will provide advice on technical security architecture and posture, identify security vulnerabilities across the estate and through the supply chain and advise on improvements.

Police Officers/Police Staff, Volunteers, and Non-Police Personnel: Following the provision of initial guidance and training, individual members of staff, including contracted staff and police volunteers, are required to comply with the requirements of this policy and associated working practices, including specific system Security Operating Procedures where these are in place. Each system user shall comply with the security requirements that are currently in Force, and shall also ensure that the confidentiality, integrity, and availability of the information they use are maintained to the highest standard. Failure to do so may result in disciplinary action.

Line Managers/Supervisors: Shall be responsible for ensuring security processes are followed to protect the physical environment where information is processed or stored. They are also responsible for ensuring that their permanent, temporary staff, volunteers, and contractors are aware of the information security policy and associated standards applicable in their work areas, their personal responsibilities for information security, and how to access advice on information security matters. It is also the line manager’s responsibility to make sure all staff and volunteers know how to report a security breach.

CODE OF ETHICS

The following Code of Ethics principles are relevant to this policy:

  • Courage - “making, communicating and being accountable for decisions, and standing against anything that could bring our profession into disrepute” the policy is lawful and proportionate and respectful of the rights of individuals.
  • Respect and Empathy - “encouraging, listening to and understanding the views of others, and seeking to recognise and respond to the physical, mental and emotional challenges that we and other people may face.” The policy promotes equality and diversity considerations wherever possible and is not unlawfully or unfairly discriminatory.
  • Public Service “working in the public interest, fostering public trust and confidence, and taking pride in providing an excellent service to the public.” The policy is clear and ensures integrity within its purpose; the policy contains clearly defined responsibilities.

5. Take action and review.

This Policy is owned by the Information Management Business Area. The review process will be conducted by the Information Security Officer (ISO) on a triennial basis and will be updated in line with relative changes in legislation, Information Security Standards, connection requirements or other relevant standards.

The effectiveness of the Policy will be monitored on a regular basis over and above the three-year review period and any major concerns will be escalated as appropriate.

This policy shall be subject to audit by the Force’s internal and external auditors and be used for certification purposes for the Public Services Network and the National Policing Community Security Policy. The SIRO and Information Assurance Board are kept informed of the information security status of the Force by means of regular reports and meetings.

Compliance with this policy is monitored via:

  • Information Security Incident reporting and escalation procedures
  • Internal information security audits
  • Independent audits (such as the Information Commissioners Office (ICO)
  • Data Protection audits

CODE OF ETHICS CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.

HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.

EQUALITY IMPACT ASSESSMENT

Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.

The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.

Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty. 

EQUALITY IMPACT ASSESSMENT COMPLETED: February 2025