Current timestamp: 24/06/2026 00:21:44
AgeAlertAnonymousAppealsApplicationsApply Or RegisterArea OutlineArrow DownArrow LeftArrow RightArrow UpAutomatic DoorsBack ArrowBusinessCalendarCashArrow DownArrow LeftArrow RightArrow Down[Missing text '/SvgIcons/Symbols/Titles/icon-chrome' for 'English (United Kingdom)']ClockCloseContactDirectionsDocumentDownloadDrawDrugExpandExternal LinkFacebookFb CommentFb LikeFiletype DefaultFiletype DocFiletype PdfFiletype PptFiletype XlsFinance[Missing text '/SvgIcons/Symbols/Titles/icon-firefox' for 'English (United Kingdom)']First AidFlickrFraudGive FeedbackGlobeGuide DogHealthHearing ImpairedInduction LoopInfoInstagramIntercom[Missing text '/SvgIcons/Symbols/Titles/icon-internet-explorer' for 'English (United Kingdom)']LaptopLiftLinkedinLocal Activity[Missing text '/SvgIcons/Symbols/Titles/icon-location' for 'English (United Kingdom)']LoudspeakerLow CounterMailMapMap PinMembershipMenuMenu 2[Missing text '/SvgIcons/Symbols/Titles/icon-microsoft-edge' for 'English (United Kingdom)']Missing PeopleMobility ImpairmentNationalityNorth PointerOne Mile RadiusOverviewPagesPaper PlaneParkingPdfPhonePinterestPlayPushchairRefreshReportRequestRestart[Missing text '/SvgIcons/Symbols/Titles/icon-rotate-clockwise' for 'English (United Kingdom)']Rss[Missing text '/SvgIcons/Symbols/Titles/icon-safari' for 'English (United Kingdom)']SearchShareSign LanguageSnapchatStart AgainStatsStats And Prevention AdviceStopSubscribeTargetTattosTell Us AboutTickTumblrTwenty Four HoursTwitter LikeTwitter ReplyTwitter RetweetUploadVisually ImpairedWhatsappWheelchairWheelchair AssistedWheelchair ParkingWheelchair RampWheelchair WcYoutubeZoom InZoom Out

Leave this site

Skip to main content

Skip to main navigation

Welcome

This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.

Records Management Policy

1. Statement of Policy

Information is a key asset to the Police Service and Dyfed-Powys Police recognises that the efficient management of its records is necessary to comply with its legal obligations. The effective management of information across all aspects of Policing is vital to delivering the core priorities of the Service, which are to protect the Public and reduce Crime. To carry out the functions of Policing, the Force must process Personal and Organisational information from a range of sources and in a number of different ways.

The integrity of Police Information relies on the Information being trusted, acceptable, useable, and available. It should be in a format that is accessible and easy to use, whether it is an Electronic, Digital, Photographic, or Paper format.

The purpose of Records Management from Policing and Business perspectives is to ensure that Information is recorded and maintained in such a way that its evidential weight and integrity is not compromised over time.

To achieve this, Records need to be managed throughout their lifecycle, from creation through to disposal whilst maintaining the Principles of Data Protection.

  • Dyfed-Powys Police acknowledge that Personal Data will only be retained for a valid policing purpose, and such data needs to be accurate and relevant.
  • All new Processes and Systems must consider Data Protection by Design and Default. The UK-GDPR requires us to put the appropriate technical and organisational measures in place to implement the Data Protection Principles effectively and safeguard individual rights. This is ‘Data Protection by Design and by Default’. In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
  • Effective processes will be utilised to ensure that all such Data is subject to periodic review where decisions can be documented, justifying either the continued retention or deletion of such data.
  • Dyfed-Powys Police will retain and manage all Digital and Paper Records, in compliance with Data Protection Legislation. Organisational records will be retained in line with relevant legislation and guidance (e.g. National Archives).
  • Dyfed-Powys Police will use the Management of Police Information Guidance on the common process, collection and recording, evaluation and retention, review and disposal of police information as contained within the College of Policing Authorised Professional Practice, (APP) - Information Management, to inform its Records Management processes.
  • Dyfed-Powys Police will apply the framework for retention timescales set out in NPCC Retention Guidelines to determine such retention timescales.
  • We will remain cognisant of the Principles of Archiving in the Public Interest as set out in the Data Protection Act 2018 to ensure that records which may qualify for such longer retention, (as defined by National Records Office), are retained for such public interest purposes.

All paper records containing Personal Information which require retention, must be uploaded onto existing electronic systems in order that Records Management processes can be applied to such records.

Paper copies of Records should only remain in existence while Legal obligations for their retention, (such as Criminal Procedures Investigations Act), apply. The Force Practice for ‘Managing the Review, Retention and Storage of documentation accumulated during Criminal Investigations should be adhered to for such paper records.

This will ensure that the Force is aware of what paper records are held and when Records Review, Retention, Disposal Processes are applied to retained records and any decision to delete records is taken, the process will be effective in clearing all copies of such personal information. Consequently, any decision to delete an electronic copy of a record does not result in the continued existence of a paper copy of the same record following the Data Minimisation Principle.

This Policy, applies to the Management of all Organisational, Operational and Business Records, (whether containing Personal Data or not), in all Digital or Physical Formats or Media, Processed, (collected, received, created, held, shared, disseminated, disclosed, maintained, reviewed, retained or disposed), by Officers, Staff and Volunteers of Dyfed-Powys Police and 3rd parties in the course of carrying out the functions of the organisation, whether recorded in the language of Welsh or English.

Applies (but not limited) to: All categories of Dyfed Powys Police officers and staff whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers.   Police officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.

 

2. Policy Scope

Key Drivers for this Policy and the need for a consistent approach are legislative, particularly the principles of the Data Protection Act 2018, the requirements of the Code of Practice under Section 46 of the Freedom of Information Act and the College of Policing Authorised Professional Practice, (APP) on Information Management.

A failure to record, retain, review and dispose of information appropriately may constitute a breach and, ultimately, undermine public confidence in the Force.

ISO 15489 defines a record as “information created, received, and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business”.

 

Due to the nature of policing, it is essential to distinguish between information processed for a policing purpose and information required for business functions that support the service to be delivered. 

Records created by the Force broadly fall into two categories:

  • Organisational and Administrative records, (also referred to as Corporate), which contain information processed to enable the discharge of police services such as financial information, policies and procedures and information relating to officers, staff and volunteers under UK-GDPR.
  • Police Records, contain information processed for a Policing purpose under Part 3 of the Data Protection Act 2028, namely:
  • Protecting Life and Property
  • Preserving Order
  • Preventing the Commission of Offences
  • Bringing Offenders to Justice, and
  • Any duty or responsibility of the Police arising from Common or Statute Law

It should be noted that the policing purpose definition is wider than the Part 3 Data Protection Act 2018, (DPA 2018) definition of Law Enforcement purpose, which is:

‘The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.

Consequently, some Information recorded for a policing purpose may be processed under Part 3 of the DPA 2018 and some under the UK General Data Protection Regulation, (UK GDPR).

It is recognised that Police records include data obtained both overtly and covertly, (in accordance with authorisations approved under Regulation of Investigatory Powers Act 2000, and Investigatory Powers Act 2016). Such authorised data is managed through the Central Authorisations Bureau, and this Policy applies equally to the Management and Retention/Disposal of such data.

The core principles for processing all types of information that becomes a record are the same for the two categories. However, the nature of Information recorded for a policing purpose requires extra safeguards.

The purpose of this policy is to provide police personnel with guidance to assist the Records Management process, taking into account the requirements of relevant legislation and the rights of individuals whose information is recorded and retained and the requirements associated with organisational and corporate records held by the Force.

Personal Information: Application of Information Management Guidance to achieve legal compliance with Data Protection Law and Regulations will ensure that Personal Data is retained for no longer than that which is necessary for policing purposes, and members of the public can be confident that their data is being retained appropriately and securely.

Corporate Records:  Corporate and Organisational Records will be retained in line with the NPCC National Guidance on the Minimum Standards for the Retention and Disposal of Police Records.

This policy will also ensure consistency across systems in respect of the retention and management of such records. Such processes will apply to all existing electronic systems including Command and Control, Case Management and Intelligence, as well as records retained within internal communication systems including those within Microsoft Office 365.

The policy will apply equally to data held within Cloud services, and deletion will include deletion from such remote storage facilities.

 

The Force will comply with APP guidance by ensuring information entered onto a record, (paper or IT based) conforms to the following:

  • Information is recorded for Law Enforcement Purposes.
  • Information is recorded in the appropriate format for the business area in which it is held.
  • Information is recorded according to the data quality principles: accurate, adequate, relevant and timely.
  • Checks are made to avoid creating duplicate records.
  • Links are made to existing records.
  • Correct Government Security Classification, (GSC), Marking is used.

Compliance with APP guidance on record creation and local data quality standards is the responsibility of everyone who enters new data onto police databases. This important principle should be conveyed and reinforced in initial Training and in subsequent practice.

It will be the Line Manager’s responsibility to carry out regular dip samples to check that the information recorded is to the required standard. Where the standard is not being met, feedback should be given, and where necessary, appropriate training or guidance arranged using the Development Appraisal Process.

Each Operational and Business area will have in place clearly worded and effectively disseminated procedures, rules and conventions, relating to each police system and process in that area. These procedures will consider the Legislative and Regulatory Environments in which the Operational or Business area operates and include controls to ensure each record is created using the appropriate templates, forms or database.

There will be an audit process in place to ensure that these processes are effective.

Information received from other Agencies will be treated and evaluated as a piece of Intelligence.

Where guidance allows for Automated Processes to Delete Data following the expiry of ‘Clear Periods’ of time, it is acknowledged that such automation creates some risk of Deletion of Data which may later have been of value within Policing. Such automated processes will only be applied to information or subjects which are Graded lower than Group 2 under Management of Police Information, (MOPI), Guidance, which relates to matters NOT perceived as presenting significant risk of harm to communities.

Other Relevant Guidance:

  • Freedom of Information Policy.
  • Data Protection Policy.
  • Information Security Policy and Associated Standards.
  • Government Security Classification Policy.
  • Information Sharing Policy.

 

3. Powers and Policy/Legal Requirements

Dyfed-Powys Police will use the College of Policing, APP, Information Management when managing its records and will comply with the requirements of the Lord Chancellor’s Code of Practice on the Management of Records issued under Section 46 of the Freedom of Information Act 2000.

Relevant Legislation:

  • Data Protection Act 2018
  • UK General Data Protection Regulation (UK GDPR)
  • Data (Use and Access) Act 2025
  • Human Rights Act 1998
  • Freedom of Information Act 2000
  • Code of Practice under S46 of the Freedom of Information Act 2000
  • Environmental Information Regulations 2004
  • Criminal Procedure and Investigations Act 1996
  • Protection of Freedoms Act 2012
  • Regulation of Investigatory Powers Act 2000
  • Investigatory Powers Act 2016

Other Policy and Code of Practice

  • College of Policing Authorised Professional Practice (APP) on Information Management
  • Information Commissioner’s Office Code of Practice on Data Sharing

 

4. Options and Contingencies

Governance

Roles and Responsibilities for Records Management within Dyfed-Powys Police

Good records management is a responsibility shared by all members of the Force but ultimate responsibility rests with the Chief Constable as Data Controller.

Chief Constable: 

As Data Controller the Chief Constable is the person who determines the purpose and means by which the Processing of Personal Data occurs.

Senior Information Risk Owner (SIRO): 

The Force SIRO is the Deputy Chief Constable. The SIRO is responsible for the setting the information risk appetite and the risk tolerance parameters and overseeing the Policy.

 

Information Asset Owner(s) (IAO’s):

IAO’s are Senior responsible individuals within the Force who are the nominated owners of one or more identified assets, including Cloud hosted solutions. They are required to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information and ensure that Information is used within the Law for public good and provide assurance to the SIRO that the appropriate security measures are in place to protect their assets. Information Asset owners are responsible for ensuring that assets are used appropriately for the storage and retention of records. They are responsible for ensuring that review and/or automated deletion timescales are set in accordance with NPCC Records Retention Guidance.  

 

Records Management Unit:

Records Management Unit staff are responsible for making decisions in respect to the matching and retention of records by undertaking Scheduled and Triggered Reviews.

They will also provide support to the Records and Data Quality Supervisor by responding to Records Management enquiries, providing advice, guidance and escalating to the Records and Data Quality Supervisor where appropriate.

 

Data Protection Officer:

The Data Protection Officer performs a protected statutory and independent role and is the responsible Officer for the provision of strategic advice, planning, and compliance with all aspects of the Data Protection Act 2018, UK-General Data Protection Regulation and associated Legislation and Guidance.

Officers, Staff and Volunteers: 

All Officers, Staff and Volunteers will ensure that all information processed and held, for which they are responsible is secure, accurate, relevant, up to date and retained or disposed of in line with Force Policies and Procedures and the Retention Schedule.

Data Accuracy and Data Quality Standards is the responsibility of all officers, staff and volunteers.

Business area leads/departmental managers have ownership of records within their business area. All business area Leads and Managers will:

  • Ensure that all information and assets for which they are responsible, are processed securely, accurately, are relevant, up to date and reviewed/retained or disposed of in line with the Force Retention and Destruction Schedule.
  • Ensure that all Officers, Staff and Volunteers are involved in the implementation of records management through internal communication, profile raising, publicity and training.
  • Ensure that appropriate resources are available to properly maintain their business area’s records.
  • Publish accurate procedural guidance, support and tools designed to help each person in that business area manage and use the information effectively and in accordance with the APP on Information Management, relevant policies and supporting guidance.
  • Where local procedures dictate, any deviation from the APP on Information Management will contain full rationale which will be documented and authorised.
  • Conduct and record periodic Data Quality Assurance audits on the information held in their business area to ensure that Data Quality Standards and Recording Principles are complied with and utilise performance information to provide feedback and support where appropriate.
  • Conduct and record Annual Audits of the information held in their business area to ensure the ongoing compliance with the Force Records Management Policy, the Force Records Retention Schedule and other appropriate local and national policies and procedures.
  • Ensure that the records in their business area are backed up, that Business Continuity and Disaster Recovery processes are in place to ensure that the records can be preserved over time.

 

Line Managers:

Line Managers are responsible for ensuring security processes are followed to protect the physical environment where information is processed or stored. They are also responsible for ensuring that Officers, Staff and Volunteers are aware of the Information Security policies and procedures applicable in their work areas, their personal responsibilities for information security, and how to access advice on information security matters. It is also the Line Manager’s responsibility to make sure officers, staff and volunteers know how to recognise and report a security breach.

Code of Ethics

The Code of Ethics principles apply to this policy:-

  • Courage
  • Respect and Empathy
  • Public Service

These principles underpin and strengthen the existing procedures and regulations for ensuring standards of professional behaviour for police officers, staff and volunteers.

 

5. Take action and review

The SIRO and Information Assurance Board will be kept informed of the records management status of the Force by means of regular reports and meetings. The Information Assurance Board meets on a quarterly basis.  The Data Protection Officer reports regularly to the SIRO.

Records management processes will be subject to regular audit to ensure their effectiveness in delivering records management services which adhere to requirements of law and comply with best practice promoted via Information Management guidance. 

These processes and this policy shall be subject to audit by the Force’s internal and/or external auditors as necessary. Findings will be reported to the SIRO and the Information Assurance Board.

The Records and Data Quality Supervisor who has the responsibility for this policy, will update the policy in line with relative changes in legislation, ICO guidance, College of Policing guidance, NPCC guidance etc.

Compliance with this policy will be monitored via:

  • Data Protection and Information Security breach reporting processes
  • Internal Data Protection Compliance Audits
  • Independent audit.

 

CODE OF ETHICS CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.

HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE

This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.

EQUALITY IMPACT ASSESSMENT

Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.

The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:

  • eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.

Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty. 

EQUALITY IMPACT ASSESSMENT COMPLETED: November 2025