Dyfed-Powys Police ensures the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and ICT equipment for the purposes of conducting official Dyfed-Powys Police business.
This document states the Removable Media policy for Dyfed-Powys Police and is to be read in conjunction with the Removable Media Guidelines. The policy and guidelines establish the principles and working practices that are to be adopted by all users in order for data to be safely stored and transferred on removable media.
This policy ensures that the use of removable media devices is controlled in order to:
Enable the correct data to be made available where it is required.
Maintain the integrity of the data.
Prevent unintended or deliberate consequences to the stability of Dyfed-Powys Police.
Avoid contravention of any legislation, policies or good practice requirements.
Build confidence and trust in the data that is being shared between systems.
Maintain high standards of care in ensuring the security of sensitive information.
Prohibit the disclosure of information as may be necessary by law.
Applies (but is not limited) to: All categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
This policy must be adhered to at all times, specifically whenever any user stores or transfers any information used by Dyfed-Powys Police to conduct official business on removable media devices.
Removable media are data storage devices that can be removed from a computer system without powering off the system. Removable media devices are used for backup, storage or transportation of data.
This policy does not refer to Mobile Data Devices issued to officers; there is a separate policy covering the use of these devices.
Dyfed-Powys Police recognises that there are risks associated with users accessing and handling information in order to conduct official business.
Securing data is of paramount importance – particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any loss of the ability to access information or interference with its integrity could have a significant effect on the efficient operation of Dyfed-Powys Police. It is therefore essential for the continued operation of the Force that the confidentiality, integrity and availability of all information recording systems are maintained at a level which is appropriate to Dyfed-Powys Police requirements.
This policy and associated guidelines aim to mitigate the following risks:
Disclosure of information as a consequence of loss, theft or careless use of removable media devices.
Contamination of the Dyfed-Powys Police networks or equipment through the introduction of viruses through the transfer of data from one form of ICT equipment to another.
Potential sanctions against Dyfed-Powys Police or individuals imposed by the Information Commissioner’s Office as a result of information loss or misuse.
Potential legal action against Dyfed-Powys Police or individuals as a result of information loss or misuse.
Dyfed-Powys Police reputational damage as a result of information loss or misuse.
Non-compliance with this policy could have an adverse effect on the efficient operation of Dyfed-Powys Police and may result in financial loss and an inability to effectively carry out efficient functions within the Force.
A key element of the Removable Media Policy is the requirement to ensure BitLocker encryption is used when using removable media devices, particularly USB sticks. The ICT department can provide guidance on this where required.
This policy affects all categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff, specifically in relation to the use of Removable Media devices. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
3. Powers and Policy/Legal Requirements
This policy meets organisational requirements and is compliant with control measures as recommended under the ‘Protect’ function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, specifically ‘PR.PT-2 Removable media is protected and its use restricted according to policy’, and with recommendations provided by the National Cyber Security Centre (NCSC) in relation to the use of removable media.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Computer Misuse Act 1990
Data Protection Act 2018
UK General Data Protection Regulation
Human Rights Act 1998
Official Secrets Act 1989
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (RIPA)
Freedom of Information Act 2000
Related policies, standards, procedures and practices include, but are not limited to:
Dyfed-Powys Police Information Security Policy and Associated Standards
Dyfed-Powys Cyber Security Policy
Dyfed-Powys Police Data Protection Policy
Dyfed-Powys Police Technical Support Unit Guidance: DPP Guidance in the use of USB Drives for Digital CCTV Retrieval
4. Options and Contingencies
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST/NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Decisions regarding the implementation of the policy are approved by the Information Assurance Board.
The Removable Media Guidelines: These guidelines identify the procedures and processes in relation to the use of Removable Media.
The procedures and processes identified within the Removable Media Guidelines are applicable to all police officers and police staff who are involved in any aspects of the use of Removable Media within Dyfed-Powys Police. Advice and guidance will be sought from supervisors and managers where deemed appropriate.
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
5. Take action and review
Reports via the Workstream Tracker system in relation to the use of removable media are used to quantify issues relating to the use of removable media.
The ICT Department carries out Protective Monitoring across the Force network, which can highlight issues relating to the usage of removable media devices. This is used to highlight any failure in the processes and procedures outlined in the Removable Media Guidelines.
As part of the Force’s Protective Monitoring capability, the ICT Department is presented with alerts from the National Management Centre (NMC), further supporting ICT in monitoring improper usage of removable media.
Any significant failures within the procedures contained within the Removable Media Guidelines are referred for consideration to ICT Management.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are considered when reviewing and updating this policy.
This policy is reviewed annually.
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.