information and records management policy … and records management... · information and records...

OFFICIAL

Information and Records Management v1 OFFICIAL

Information and Records Management

Policy

&

Standard Operating Procedure Metadata

Reference No. CR/021/16

Unit/ Department Information Management

Summary This policy document, together with supporting procedures, sets out the British Transport Police’s (BTPs) principles and standards to information and records management

Policy Sponsor Simon Downey, Director for Capability and Resources

Policy Owner Helen Edwards, Head of Information Management

Policy Author Karen Davies, Force Records Manager, Information Management Department

Effective Date June 2016

Review Date June 2017

Protective Marking OFFICIAL

Force Publication Scheme (external)

Yes

Online Location http://policyportal/information_management/info_management/ information_management_policy/key_information.aspx

Revision History

Version Date Comments/ Reason for Amendments

Amended by

0.1 – 0.4 29/03/16 First drafts Karen Davies

Force Records Manager

0.5 22/04/16 Amendments after comments from Glyn Naylor and Jimmy Wright

Karen Davies

0.6 19/04/16 Minor amendments to layout Alec Cartledge

Records Management Officer

0.7 31/05/16 Amendments after comments from Policy Team

Karen Davies

0.8 06/07/16 Amendments after feedback Karen Davies

Approval History

Version Name and Job Title Date of Approval e-Signature

1 Head of Capability & Resources 08/08/2016 Simon Downey

http://policyportal/information_management/info_management/information_management_policy/key_information.aspx

http://policyportal/information_management/info_management/information_management_policy/key_information.aspx

OFFICIAL


Contents

Policy Page Purpose p.1

Scope p.1

Key Information p.1

Monitoring and Review p.2

Who to contact about the Policy p.3

Standard Operating Procedure

1. Policy Framework p.4

1.1. Creation, Collection and Recording p.4

1.1.1. Collection Methods p.4

1.1.2. Recording p.5

1.1.2.1. Recording Unstructured Information p.5

1.1.2.2. Recording Police Information p.5

1.1.2.3. Data Quality Principles p.6

1.1.3.1. Records Appraisal – What constitutes a record? p.6

1.1.3.2. Protective Marking/ Information Classification p.7

1.1.3.3. MoPI Categories p.7

1.1.3.4. Evaluation p.7

1.1.3.5. Information Asset Registers (IAR) p.7

1.2. Storage and Protection Principles p.8

1.3. Sharing Principles p.8

1.4. Scanning Principles p.8

1.5. Records Retention and Archiving Principles p.11

1.6 Records Review and Disposal Principles p.9

2. Regulatory Framework p.11

2.1. Legal Requirements p.11

2.1.1. Data Protection Act 1998 (DPA) p.11

2.1.2. Regulation of Investigatory Powers Act 2000 (RIPA) p.11

2.1.3. Freedom of Information Act 2000 (FOIA) p.11

2.1.4. Public Records Act 1958 (PRA) p.11

2.1.5. Protection of Freedoms Act 2012 (POFA) p.12

2.1.6. Environmental Information Regulations 2000 (EIR) p.12

2.1.7. Re-Use of Public Sector Information Regulations 2005 p.12

2.1.8. Criminal Procedure and Investigations Act p.12

OFFICIAL


2.1.9. Criminal Justice Act (2003) p.13

2.1.10. Serious Crime Act (2007) p.13

2.2. Other Regulatory Guidance p.13

2.2.1. Authorised Professional Practice (APP) Information Management Guidance

p.13

2.2.2. National Crime Recording Standard p.13

2.2.3. National Policing Policies p.13

2.2.4. Home Office Counting Rules p.13

2.2.5. National Standards of Incident Recording (NSIR) p.14

2.2.6. National Intelligence Model (NIM) p.14

2.3. Related Corporate Policies p.14

3. Governance Arrangements p.14

3.1. Team Roles and Responsibilities p.14

3.1.1 Information Management Unit p.14

3.2. Individual Roles and Responsibilities p.15

3.3. External Roles p.16

3.4. Decision Making Bodies p.16

3.4.1. Information Governance Board (IGB) p.16

3.4.2. The Information Management in Police Service (IMPS) p.17

3.4.3. Integrity and Compliance Board (ICB) p.17

3.4.4. Service Excellence Board (SEB) p.17

3.4.5. Service Improvement Board (SIB) p.17

3.4.6. Force Executive Board (FEB) p.17

Annex

Annex 1: Criteria on Record Appraisal p.18

A.1. Information Criteria that Constitutes a Record p.18

A.2. Non Record Criteria p.19

Additional Information

Policy Forms/ Documents p.20

Associated Policies/ Documents p.20

Acronyms/ Abbreviations p.21

Glossary p.23

Frequently Asked Questions (FAQs) p.27

OFFICIAL


Page 1 of 27

Policy

Purpose

This policy document, together with supporting procedures, sets out the British Transport Police (BTP) principles and standards for information and records management. This policy sets out an overarching framework underpinning how BTP will manage its information assets through their lifecycle involving the collection, recording, evaluating, sharing, storing, handling and disposing of records to fulfil its civil duties.

Scope

Content

All Record Formats: This policy covers all data, information, records and documents created, collated and managed by BTP, irrespective of the category or class attributed to these various types. This excludes Evidence and Property.

All record repositories: held within or outside of BTP premises and as listed in the Information Asset Register (IAR) and/or Technology Information Register (TIR).

Intended Audience

Compliance is mandatory by all staff: BTP Police Officers, Police Staff, Police Community Support Officers (PCSOs), Special Constables and Community Volunteers as well as personnel/contractors working on behalf of BTP across England Scotland and Wales.

Key Information This policy is in place to ensure BTP

1. Makes efficient use of physical and electronic storage space.

2. Has a common approach to managing information across the force

3. Is being efficient in the way it shares knowledge and insights gained across all

departments

4. Does not contravene the law when handling and processing information for a policing

purpose

5. Is in keeping with its corporate strategies.

6. Has a central oversight of all its information assets, with the right controls and

assurance reviews established.

OFFICIAL


Page 2 of 27

7. Documents and maintains records in a manner that supports their evidential weight

and integrity, and to ensure that this is not compromised over time.

8. Improves its performance

9. Improves its auditing of the decision making processes

10. Has an increased understanding of the compliance and regulatory context

11. Clarifies and makes transparent all of BTPs responsibilities in relation to information

management

12. Requires less officer time and effort to access information.

13. Lessens the impact of civil action and formal complaints on officer time and wellbeing

14. Decreases the risk of lost, damaged or missed opportunities to link data or wrong use

of information

15. Has effective and lawful use of information

16. Utilises effective sharing of information with partner agencies

17. Eradicates unnecessary duplication

18. Has a risk management processes to underpin evaluation, classification and storage

principles

19. Ensures that all police information is held in accordance with the law

20. Corroborates other related information

Monitoring and Review This policy document is an update and supersedes the Records Management policy CR-050-13 October 2013 version 1.0. Furthermore this policy replaces the (Interim) Document Scanning policy CR-049-13 and the Record Retention Schedule Management policy CR-048-13. This policy document will be reviewed on an annual basis to ensure alignment with the Force strategic objectives and new guidance or legislation, as well as any updates in relation to BTP’s IM Strategy. For example, this policy currently sets out the principles based on the current circumstances. Some principles will need to be adapted if/when the Force migrates its unstructured records onto a formal Electronic Document and Records Management System (EDRMS).

OFFICIAL


Page 3 of 27

Who to Contact about this Policy

This Policy is owned by Karen Davies, Force Records Manager, Information Management Department.

Any enquires about this Policy should be directed to Records Management Team.

End of policy

OFFICIAL


Page 4 of 27

Standard Operating Procedure

1. Policy Framework This section outlines BTPs policies for managing information and records across the Force. It addresses management principles for the following aspects of the information management lifecycle:

1.1. Creation, Collection & Recording

BTP’s creation, collection and recording of information must be in line with a relevant policing purpose. policing purposes are defined as

protecting life and property

preserving order

preventing the commission of offences

bringing offenders to justice

any duty or responsibility arising from common or statute law.

Information collected for one policing purpose may add value to another policing purpose. All police information should, therefore, be treated as a corporate resource.

Collection, accurate assessment, classification and timely analysis of information must adhere to the

College of Policing’s Authorised Professional Practice (APP) guidance for Collection and Recording.

1.1.1. Collection Methods

The way in which police information is collected may lead to specific requirements for its recording and use, for example, information covered by the Regulation of Investigatory Powers Act 2000. Collection methods may include:

- Routine collection: collected as part of routine operational policing activity. Much of the information will be relevant only for the specific policing purpose for which it was collected, but some may prove to be relevant to an entirely different policing purpose. Information is generated from all policing activities, for example: responding to incidents, arrests, targeted patrol, stop and account, stop and search.

- Tasked information: information concerned with problems and subjects (suspect or victim)

identified by intelligence requirements. It can be accessed from many sources including external databases (PNC), CCTV, covert human intelligence sources (CHIS) and automatic number plate recognition systems (ANPR).

OFFICIAL


Page 5 of 27

- Volunteered information. Usually collected from the general public or community contacts. It refers to any information received which has not been obtained by routine or tasked collection. It will tend to come from anonymous information through hotlines, public contact through command and control or crime systems or via voluntary organisations. The information may not necessarily relate to a specific task or intelligence requirement but can be regarded as such.

BTP shall collect, record and evaluate information in a consistent manner across organisational and force divisions. It shall ensure, through the central publication of its Information Asset Register (IAR) that irrespective of origin, it is understood where information is held to support policing purposes across the country. 1.1.2. Recording The Information Asset Register defines the database repositories where different categories of information are recorded. 1.1.2.1. Recording Unstructured Information Unstructured information is information which does not have a pre-defined system in which to be record within. The majority of BTP’s unstructured information is captured on the G Drive and must follow BTP’s G: and H: Drive Policy and Procedure. Further information can be obtained from the Records Management Team.

1.1.2.2. Recording Police Information

Staff should also note the existence of specific departmental guides on how different types of information are recorded, for example when compliance with National Crime Recording Standards and the Home Office Counting Rules are required. These policies and procedures are owned and managed by the relevant department.

Each department must publish on the intranet all of its relevant information management policies and principles, and show how each relates to BTPs higher level policies.

A record must have been created for a business or policing purpose. A record is information that documents or is used to support business activity, transactions, changes, decisions, outcomes, negotiations, approvals, authorisations or actions.

The following key principles apply to recording police information.

- all records must comply with the data quality principles

- a record of police information is the start of an audit trail and must identify who completed the

record, when it was completed and for what purpose

- before recording information, checks should be made in other business areas to see whether the

information is already held, thereby avoiding unnecessary duplication

mailto:[email protected]


OFFICIAL


Page 6 of 27

- if information is recorded on an individual who is the subject of an existing record, the record

should reflect this

- if it becomes apparent that the information being recorded is connected to other information, it

must be appropriately linked

- police information must be recorded as soon as is practicable in accordance with the standards

relating to the business area in which the information is held

- consideration should be given to applying the appropriate government protective marking

- where appropriate, the source of the information should be recorded to ensure accuracy and to

assist in requesting further information

1.1.2.3. Data Quality Principles All police information must conform to data quality principles. It must be:

Accurate – care must be taken when recording information and, where appropriate, the source of the information must also be recorded. If there is any doubt over the authenticity of the information, clarification must be sought from the source. Inaccurate information must be corrected as soon as possible. In ensuring accuracy, it is important not to delete historic information that may be significant (such as details of previous addresses).

Adequate – recorded information must be sufficient for the policing purpose for which it is processed. The nature of the event determines the information that is relevant. All recorded information must be easily understood by others.

Relevant – information recorded must be relevant to the policing purpose. Opinions need to be clearly distinguished from fact.

Timely – information must be promptly recorded into the relevant business area in accordance with agreed timescales.

1.1.3.1. Records Appraisal – What constitutes a record? As a general rule a record is any artefact, data, document or information in any media that demonstrates or provides evidence of BTPs business duties or data relating to its policing activities.

- To determine whether generated information falls within this category, evaluate the information against the criteria set out in Annex 1.

- Records to be retained must be appraised against the Records Retention Schedule and managed

in accordance with that schedule.

- It is the responsibility of the creator of the record to determine whether information needs to be retained and managed in accordance with this Policy, the Physical Records Management Policy

http://policyportal/information_management/information_security1.aspx

OFFICIAL


Page 7 of 27

and supporting guidance. When unsure, the creator must contact the Force Records Manager for guidance.

1.1.3.2. Protective Marking / Information Classification

All information management procedures must comply with BTP’s Information Classification Policy and as such all documents and record repositories must be appropriately classified. Contact the Information Security Team for further advice if required.

1.1.3.3. MoPI Categories

MoPI Group 1 – certain public protection matters: retain until the subject reaches 100 years of age but reviewed every 10 years

MoPI Group 2 – other serious offences: retain for 10 years then review

MoPI Group 3 – all other offences: retain for 6 years 1.1.3.4. Evaluation All police information should be evaluated to determine

Provenance

Accuracy

Continuing relevance to a policing purpose

What action, if any should be taken.

Evaluation procedures must following the principles set out by Authorised Professional Practice (APP) on Evaluation.

1.1.3.5. Information Asset Registers (IAR)

The creation of an IAR is a requirement of the Government Information Security Framework, and

BTP is required to keep an IAR which lists our information assets. In accordance with this

obligation BTP will :-

Publish a list of applications that hold both personal and non-personal data

Ensure IAOs are responsible for reviewing their information assets on an annual basis.

The IAR is intended to capture the key record repositories and the framework for how

they are managed.

http://btp-one/departments/capability/IM/records-management1/Pages/Records-Management.aspx

mailto:InfoSecurity%20%[email protected]%3e

OFFICIAL


Page 8 of 27

1.2. Storage and Protection Principles

The following principles apply to the management of both electronic databases or shared drive repositories and for filling and storage cabinets.

- Unstructured records must be organised and filed in accordance with the standards documented in the guidance available under the Records Management guidance document section of the intranet and the G: and H: Drive Policy.

- Physical records must be managed in accordance with the Physical Records Management Policy.

- Must respect the security classification. The database / storage cabinet will be classified in

accordance with highest level of its content. Access controls must respect their classification and

managed in accordance with the access control policies. Please refer to the Must respect the

security classification. The database / storage cabinet will be classified in accordance with

highest level of its content. Access controls must respect their classification and managed in

accordance with the access control policies. Please see the Physical security Measures Policy

and Handling, Protecting and Disposing of Police Information Assets Policy for further

information.

1.3. Sharing Principles

Please refer to the Information Sharing Policy and Procedure or contact the Information Sharing Team for further details.

1.4 Scanning Principles Before attempting to scan large volumes of paper records in order to convert them into electronic records, please contact the Records Management Team who will be able to provide further advice. You must not convert records and dispose of originals without approval from the Force Records Manager.

1.5. Records Retention & Archiving Principles

All record series and records repositories will be assigned a retention period in accordance with legal requirements and statutory obligations. BTP has published an overarching BTP Records Retention Schedule which is based upon the guidelines stated within the ACPO Records Retention Schedule.

- The records retention schedule (RRS) held centrally by the IMU is a complete listing of all information categories and their retention periods.

- This is managed centrally by the Records Management Team, but updates must be given on a

yearly basis by all IAOs

- Records are only retained for as long as is necessary for business, legal, historical and regulatory purposes

http://btp-one/departments/capability/IM/records-management1/Pages/Guidance-Documents.aspx


http://policyportal/information_management/information_security/physical_security_measures/key_information.aspx

http://policyportal/information_management/information_security/handling,_protecting_and_dispo/key_information.aspx



http://btp-one/departments/capability/IM/records-management1/Pages/Review-Retention-and-Disposal-Schedules.aspx

OFFICIAL


Page 9 of 27

- The RRS shall outline:

the required period of time [retention period] to keep records.

Identify the responsible IAO for that record type who will also authorise the disposal

schedule, and any disposals.

Clearly outline any sentencing / disposal decisions.

State a clear retention trigger date; i.e. the date from which retention period starts. This

could be creation date, file closure date or other specific triggers such as contract

completion dates.

State where the location of the original record is held.

Identify the format in which the record is required.

Specify the formats in which records must be kept.

The format of retained records should be determined by considering:

- Physical records principles and whether they are better retained as physical or electronic formats

- The Re-use of Public Sector Information Regulations 2005 as well as on-going uses for

subsequent phases or work or on-going investigations

- Whether records in raw format, datasets/databases or specialist native formats (such as CAD, GIS, spread sheets, databases) have been used to derive related information and records; it may be important and necessary to go back to determine how output records (such as reports) were derived. If records must be fixed and never to be altered, a flat-file PDF will be acceptable;

Otherwise PDF formats, especially those deemed to be of historical value with on-going uses, may need to be a full-text searchable. Please be mindful of this when scanning documents to PDF. Any queries can be directed to the Records Management Team.

The Physical Records Management Policy describes the process for managing physical records and archiving.

1.6. Records Review and Disposal Principles

Disposal can be defined as:

- Destruction after the required period of retention

- Transfer to The National Archives (or other places of deposit) if the records are selected for

permanent preservation


OFFICIAL


Page 10 of 27

- Or Presented. This involves transfer of ownership of the records to the receiving body (may be successor or legacy agencies) as outlined by section 3(6) of the Public Records Act 1958 and is undertaken by The National Archives in consultation with the authority

When executing disposal actions, the disposal management procedures below must be followed

- On at least an annual basis records for disposal must be identified. Please see the record retention schedules for further details on retention dates.

- Records identified must then be reviewed before disposal to ensure there is no longer a purpose

for their retention.

- All disposals undertaken must be accurately and appropriately documented / registered into the Records Disposal Schedule. A template can be found on the Records Management intranet site.

The register must as a minimum record:

The Retention Schedule reference and / or details of the record type

Reason for disposal

Method of disposal

Detail that the CycMOPA system, or file tracking spread sheet, have been updated

Date of action

Transfer and migration details [if any]

Approval authority

- Where official records are earmarked for destruction, disposal must be carried out by a force approved disposal contractor in accordance with Handling, Protecting and Disposing of Police Assets Policy. If the classification is higher than CONFIDENTIAL or OFFICIAL – SENSITIVE please contact the Information Security Team for further information as special arrangements have to be made.

- If destruction is contracted-out to a specialist company their use must be authorised by Information Security Unit. A certificate of destruction will be required; this must be logged to the Record Disposal Schedule register entry. All records related to disposal authorisations must be kept permanently, meaning they must be kept in a format that cannot be changed e.g. PDF.

- Destruction methods must be irreversible and secure as per government policy.

- Disposal must be authorised by a member of the senior management team in which the team / department / station report into.

- The Information Management Unit Audit Team will conduct audits to ensure that records are not retained longer than they should be and will request to see the Record Disposal Schedule.




mailto:http://policyportal/information_management/information_security1.aspx

mailto:http://policyportal/information_management/information_security1.aspx

mailto:InfoSecurity%20%[email protected]%3e

OFFICIAL


Page 11 of 27

2. Regulatory Framework

2.1 Legal Requirements

2.1.1. Data Protection Act 1998 (DPA)

Having established the policing purpose for the collected data, the data must be further evaluated for compliance against the Data Protection Act 1998 (DPA) and must be managed in accordance with the 8 enforceable data protection principles as follows:

1. Being fairly and lawfully processed;

2. Being processed for specified and lawful purposes and not in any manner incompatible with

those purposes

3. Adequate, relevant and not excessive;

4. Accurate and where necessary, up to date;

5. Not being kept for longer than is necessary;

6. Being processed in accordance with individual rights;

7. Secure;

8. Not being transferred to countries outside the EU without adequate protection

The Data Protection Act works in two ways, by giving individuals certain rights and by requiring those who record and use personal information to be open about the information they hold on an individual. The Data Protection Act regulates how personal information is used and protects individuals from misuse of personal details. It provides a common-sense set of rules which prohibit the misuse of personal information without stopping it being used for legitimate or beneficial purposes. In discharging responsibilities under the DPA there must be regard to the principle of proportionality; in short the more sensitive the information, the higher the threshold for processing. For further guidance, please contact the Information Governance Unit.

2.1.3. Regulation of Investigatory Powers Act 2000 (RIPA)

Information collated pursuant to the Regulation of Investigatory Powers Act 2000 (RIPA) must be carefully evaluated. There is a distinction between information that is volunteered (such as a crime report) and that which is gathered covertly, e.g, a Covert Human Intelligence Source (CHIS) or surveillance product. In some circumstances, the way in which police information is collected may lead to specific requirements as to its recording and use.

2.1.4. Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 gives a general right of access to all types of recorded information held by public authorities, sets out exemptions from that right and places a number of obligations on public authorities. Any person who makes a request to a public authority for information must be informed

OFFICIAL


Page 12 of 27

whether the public authority holds that information and, subject to exemptions, supplied with that information. Individuals already have the right of access to information about themselves under the Data Protection Act. As far as public authorities are concerned, the Freedom of Information Act extends this right to allow public access to all other types of information held. Public authorities are required to adopt and maintain a publication scheme setting out the classes of information it holds, the manner in which it intends to publish the information, and whether a charge will be made for the information. The purpose of a publication scheme is to ensure a significant amount of information is available without the need for a specific request. Schemes are intended to encourage organisations to publish more information pro-actively and to develop a greater culture of openness. BTP’s publication scheme can be found on the BTP Internet Site

2.1.5. Public Records Act 1958 (PRA)

The PRA is an “act to make provision with respect to public records and the Public Record Office”. Records that fall under the remit of a public record are deposited with the National Archives who are the custodians who store and retain the records. BTP does not currently fall within the remit of the PRA however, in some cases it shall refer to the act and guidance on retention when making decisions about the management of its wider records. Particularly, the Lord Chancellor (2002) Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000 is noted as a guide for compliance.

2.1.6. Protection of Freedoms Act 2012 (POFA)

An Act to provide for the destruction, retention, use and other regulation of certain evidential material; to impose consent and other requirements in relation to certain processing of biometric information, provides a code of practice about surveillance records as well as sets out the provision for the release and publication of datasets held by public authorities via the establishment of Disclosure and Barring Service in England, and the equivalent agencies of Disclosure Scotland in Scotland and Access Northern Ireland in Northern Ireland. In some cases provision supersedes those made by the Police and Criminal Evidence Act 1984, the Crime and Security Act 2010 and the Regulation of Investigatory Powers Act 2000. The Disclosure Unit within the Information Management Team address the relevant disclosure requirements of the Act, in accordance with the Disclosure and Barring Service.

2.1.7. Environmental Information Regulations 2000 (EIR)

The Environmental Information Regulations (EIR) give the general public certain rights of access to environmental information. The definition of environmental information in the EIRs is very wide and includes information that might not be considered environmental at first glance.

2.1.8. Re-use of Public Sector Information Regulations 2005

The Public Sector Information Regulations (2005) encourage the reuse of Government body information by putting in place the appropriate end-user licensing arrangements. BTPs Information Sharing Policy shall address the mechanisms for sharing.

http://www.btp.police.uk/about_us/your_right_to_information/publication_scheme.aspx

http://www.nationalarchives.gov.uk/information-management/legislation/public-records-act/pra-faqs/#what-is-act-for

OFFICIAL


Page 13 of 27

2.1.9 Criminal Procedure and Investigations Act 1996

The Criminal Procedure and Investigations Act (1996) CPIA) in some cases conflicts with the MoPI guidance on retention and must be consulted when making sentencing decisions for crime and intelligence products.

2.1.10 Criminal Justice Act (2003)

The Criminal Justice Act (CJA) defines all the offences that are subject to MoPI Review Groups.

2.1.11 Serious Crime Act (2007)

The Serious Crime Act (2007) covers the disclosure and use of information by the National Crime Agency (NCA).

2.2. Other Regulatory Guidance

2.2.1. Authorised Professional Practice (APP) Information Management Guidance Police forces need to comply with the statutory Code of Practice on the Management of Police Information, published in July 2005 by the Home Secretary under the Police Act 1996.

2.2.2 National Crime Recording Standard

The National Crime Recording Standards (NCRS) promotes consistency between police forces in how to record crime and in providing a victim-orientated approach to crime recording. An incident report must be registered irrespective of whether it is from victims, witnesses or third parties, and whether crime

related or not. An incident is recorded as a crime (notifiable offence) if, on the balance of probability, the circumstances reported amount to a crime defined by law, and there is no credible evidence to the

contrary. Once recorded, a crime remains so unless there is additional verifiable information to disprove it.

2.2.3 National Policing Policies

The Community Security Policy (CSP) and the National Policing Accreditation Policy are two policies that provide a national framework for how national policing systems (such as PNC) are managed and assured.

BTPs access to these systems must adhere to these policies. The External Database Access Register lists all the external national and regional databases accessible to BTP to fulfil its policing duties.

The CSP requires a Senior Information Risk Owner (SIRO) and Force Information Security Officer (FISO) to provide the National Police Information Risk Management Team (NPIRMT) with quarterly statistical information on slow time security incidents, and to report fast-time incidents where they affect other members of the policing community.

2.2.4 Home Office Counting Rules

A number of documents exist which define the Home Office Counting Rules. These must be adhered to by functions that deal with these types of records.

OFFICIAL


Page 14 of 27

2.2.5 National Standards of Incident Recording (NSIR)

The National Standards for Incident Recording (2011) (NSIR) outline a number of minimum data standards to be complied with when recording information on an incident record. They include:

Time and date the report was received

Method of reporting

Time and date the report was recorded

An incident unique reference number (URN)

Details of the person making the report (name, address and telephone number)

Sufficient information to describe the location and nature of the report

Opening and closing category

Time and date of initial and closing classification.

2.2.6 National Intelligence Model (NIM)

The National Intelligence Model (NIM) Code of Practice sets out to Chief Officers of police the basic principles and minimum standards for the National Intelligence Model. It relates to intelligence and information used and outputted to direct police activity through planned and systematic business

processes that result in Intelligence Products (Strategic Assessments, Tactical Assessments, Subject Profile, Problem Profile).

2.3. Related Corporate Policies This policy should be seen as part of a suite of documents which outline BTPs approach to robust information management. Please refer to the Information Management section of the Policy Portal located on the BTP One intranet site.

3. Governance Arrangements This section details the roles and responsibilities in relation to the management of all records, irrespective of type. This section covers key Team Roles, Individual Roles, External Roles and the role of key governing decision making bodies.

3.1. Team Roles and Responsibilities This section outlines the teams responsible for managing significant repositories of data. Whilst it is everyone’s responsibility to manage data and records, these teams have a particular role with regard to coordination, standards setting and advocacy. For fuller details on their responsibilities, please refer to the individual team manager.

3.1.1. Information Management Unit

The Information Management Unit is a corporate-wide support and advisory team within Corporate Resources who lead on strategic information management across the Force. In summary, their role incorporates:

OFFICIAL


Page 15 of 27

Develop, own, manage and update all information management policies and procedures

Answer and respond to IM queries both internal and external

Provide an advisory and training service to all departments within BTP on all matters related to

information management, information security/assurance, information requests, information

sharing, CycMOPA and records management

Give advice and assistance on any records management retention and disposal matters

Responses to requests for information and disclosure

Gauge compliance with IMU policy across the business.

The key individual roles within this team are outlined in the Information Management Policy.

3.2. Individual Roles and Responsibilities Details of the following individual roles and responsibilities can be found in the Information Management Policy.

- Senior Information Risk Owner (SIRO)

- Data Controller – Chief Constable / Chief Officer

- Head of Information Management

- Force Information Security Manager (FISM)

- Force Records Manager (FRM)

- Physical Archiving Applications Administrator (PAAA)

- Disclosure Unit Supervisor

- Information Governance Manager – DP and FOI

- Information Sharing Manager

- System Administrators / Database Administrators

- Information Asset Owner

- IM Programme Manager

- Information Management Champions

- Force Crime Registrar

- All Staff

- Line Managers

OFFICIAL


Page 16 of 27

3.3. External Roles Details of the following external roles and responsibilities can be found in the Information Management Policy.

- Information Commissioner

- HM Inspectorate of Constabulary (HMIC)

- National Police Information Risk Management Team (NPIRMT)

- National Senior Information Risk Owner (NSIRO)

- British Transport Police Authority (BTPA)

- National Police Chief’s Council (NPCC)

- College of Policing (COP)

3.4. Decision Making Bodies

The following named boards make up the main bodies that steer and guide IM decisions.

3.4.1. Information Governance Board (IGB)

The IGB is responsible for:

Overseeing the governance of information and will meet regularly to ensure that compliance

with the policies and procedures that apply to Information Management are adhered to

Approving the records management policy, information security policy, IM strategy and any

related procedures and action plans and the records retention schedule updates resulting from

implementing these strategic documents

Providing clear direction on IM strategy and support of IM across the force

Promoting integrated IM across all work streams

Driving and overseeing any change management processes and IM projects necessary to address

any gaps and risks

Overseeing progress on projects, assurance processes and management information metrics

Acting as the Governing Board for the Information Assurance Maturity Model

Acting as the Governing Board for Public Service Network (PSN) compliance

OFFICIAL


Page 17 of 27

3.4.2. The Information Management in the Police Service (IMPS)

The Information Management in the Police Service is a national group of information and records professionals from the police services who meet quarterly to discuss a wide range of topics. The IMPS has also been responsible for creating the Police National Retention Schedule.

3.4.3. Integrity and Compliance Board (ICB)

The Integrity and Compliance Board is a meeting established to oversee HMIC inspections, internal and external audit, integrity and compliance issues such as hospitality. ICB exists to advise the Deputy Chief Constable who is ultimately accountable for the Professional Standards Department and the Audit and Compliance Unit in the Strategic Development Department. 3.4.4. Service Excellence Board (SEB) The Service Excellence Board has oversight of the performance of all areas of BTP's business, whether policing or operational. Area Commanders and Department Heads are held to account over the performance of their functions and exist to advise the Deputy Chief Constable, who is responsible for the performance of the Force. 3.4.5. Service Improvement Board (SIB) The Service Improvement Board has oversight of all business change being carried out and all major areas of Revenue and Capital spend, and will also meet quarterly as the Capital Review Board. SIB exists to advise the Deputy Chief Constable who is responsible for business change. 3.4.6. Force Executive Board (FEB) Force Executive Board sets the strategic direction for the Force and oversees implementation of the Strategic Plan. FEB has a clear line of sight into all areas of the business and receives exception reports from each Board below it, summarising progress and raising issues by exception.

OFFICIAL


Page 18 of 27

Annex 1: Criteria on Record Appraisal

A.1. Information criteria that constitute a record

- executed business activities - business/corporate operations (such as governance, accountabilities, requirements, policy and

planning) - transactions (communications, dealings) - approved changes - decisions and outcomes - negotiations - approvals and authorisations - past actions - evidence to substantiate the outputs claimed - functions and business activities (as captured by the BCS) - communicated advice or instructions - evidence of what has occurred in the event of further development or discussion or precedents

for future action - issued drafts - drafts that document significant information that is not contained in the final form of the record

and where the change is not captured or minuted elsewhere in formal change procedures or reports

- working datasets that constitute the original data from which reports and other fixed records are derived from that may be needed to explain, and if necessary justify, past actions or communicated information in the event of an audit, public inquiry or other investigation

- original artefacts and hardcopy documents of legal contracts and agreements or documents where significant annotations have been made

- signed originals (Please note: a Microsoft Word document - unsigned is not the record and is only kept to support any future edits or revisions)

- Care must be taken to ensure that related transactions are also kept. Files (for paper) or folders must contain a complete and accurate record of all internal and external documentation that relate to the subject matter so that the stages and the reasoning of the transactions are apparent.

OFFICIAL


Page 19 of 27

A.2. Non Record Criteria

BTP does not consider information with the following characteristics as formal records that must be preserved in accordance with this Policy. These can be routinely ‘weeded/cleaned’ and disposed of in accordance with Normal Administrative Procedures:

- Data, documents and information that are created but never executed, used or communicated, that is, drafts that never come into fruition or draft/working documents/materials which do not demonstrate significant steps in the development of a final version.

- Ephemeral or transitory information such as messages, post-IT notes that are only needed for

short period of time to support local tasks and have no continuing value to the organisation.

- Personal records that do not relate to the business of BTP If in doubt, the creator must contact the Force Records Manager for guidance before destroying the files. The deliberate destruction of records for malicious or otherwise intent will be treated as a disciplinary offence.

OFFICIAL


Page 20 of 27

Additional Information

Policy Forms / Documents

Record Retention Schedules

Record Disposal Schedule template

Associated Policies / Documents

Information Management intranet pages

Information Management Policy

Handling, protecting and disposing of police information assets Policy

Information Sharing Policy

Information Classification Policy

Physical Records Management Policy



http://btp-one/departments/capability/IM/Pages/11711.aspx

http://policyportal/information_management/information_management_policy/key_information.aspx


http://policyportal/information_management/information_sharing/key_information.aspx


OFFICIAL


Page 21 of 27

Acronyms / Abbreviations

ACC Assistant Chief Constable

ACPO Association of Chief Police Officers. Now superseded by NPCC

APP Authorised Professional Practice

BCS Business Classification Scheme

BS British Standard

BTP British Transport Police

BTPA British Transport Police Authority

CCTV Close Circuit Television

CHIS Covert Human Intelligence Sources

CJA Criminal Justice Act

COG Chief Officer Group

COP College of Policing

CPIA Criminal Procedure and Investigations Act

CSP (National Policing) Community Security Policy

DBA Database Administrator

DCC Deputy Chief Constable

DIMC Divisional Information Management Champion

DPA Data Protection Act

DVD Digital Video Disks

ECHR European Convention on Human Rights

EIR Environmental Regulations Act

FCR Force Crime Registrar

FCR Force Crime Registrar

FIMC Functional Information Management Champion

FISM Force Information Security Manager

FOI Freedom of Information Act

FRM Force Records Manager

GIS Geographical Information Systems

HMIC Her Majesty's Inspectorate of Constabulary for England and Wales

HOCR Home Office Counting Rules

HRA Human Rights Act 1998

IAO Information Asset Owner

IAR Information Asset Register

ICB The Integrity and Compliance Board

IGB Information Governance Board

IM Information Management

IMC Information Management Champion

IMPB Information Management Programme Board

IMPS Information Management in the Police Service

IMS Information Management Strategy

IMU Information Management Unit

InfoSec Information Security

IPB Information Portfolio Board

OFFICIAL


Page 22 of 27

ISO Information Security Officer

IT Information Technology

ITPB Information Technology Programme Board

MoPI Management of Police Information

MOU Memorandum of Understanding

NAP Normal Administrative Procedures

NAS National Archives of Scotland

NCA National Crime Agency

NCRS National Crime Recording Standard

NDA Non-Disclosure Agreement

NPCC National Police Chiefs’ Council

NPIRMT National Police Information Risk Management Team

NSIR National Standards for Incident Recording

NSIRO National Senior Information Risk Owner

PNC Police National Computer

PRA Public Records Act 1958

PRM Physical Records Management

RIPA Regulation of Investigatory Powers Act 2000

RMADs Risk Management and Accreditation Document Set

RRS Records Retention Schedule

SEB Services Excellence Board

SIB Service Improvement Board

SIRO Senior Information Risk Owner

SPF Security Policy Framework

TAR Technology Asset Register

TIR Technology Information register

TNA The National Archives for England and Wales

TOR Terms of Reference

URN Unique Reference Number

OFFICIAL


Page 23 of 27

Glossary

Term Explanation

Appraisal Appraisal is the process of evaluating business activities to determine which records need to be captured and how long the records need to be kept, to meet business needs, the requirements of organisational accountability and community expectations.

Artefacts Archaeological relics, samples or awards.

Authentic Records Records that can be proven to be what they purport to be. They are also records that are considered by the creators to be the official record of their work and activities.

Authoritative Records Records that are authentic, reliable, trustworthy and useable and are complete and unaltered.

Business Classification Scheme

BCS. A tool designed to formally organise or group an organisation’s information assets (information, data, documents etc.) to facilitate their retrieval and management.

Data A collection of individual pieces of information which are collated then evaluated / analysed in order for conclusions to be drawn.

Declare (or Register) The deliberate action that results in the registration of a record into a recordkeeping system. For certain business activities, this action may be designed into electronic systems so that the capture of records is concurrent with the creation of records.

Destruction Process of eliminating or deleting records beyond possible recognition.

Disposal The action of either destroying, deleting, migrating (that is, the movement of records from one system to another (for example paper to electronic)) or the transfer of custody or ownership of the record into archival custody. Must follow the processes associated with BS ISO 15489 Part 1: 4.9.

Disposal Schedule A register that documents which records are destroyed within BTP’s lifetime.

Document Describes recorded information or objects that can be treated as a unit. (BS ISO 15489, Part 1, 3.10).

Electronic Document and Records Management System -EDRMS

A formal core record keeping system. It is used to manage the creation, use, maintenance and disposal of electronically created records in a secure and reliable manner.

File An accumulation of paper records maintained in a predetermined physical arrangement. Used primarily in reference to current records.

Or an electronic document/object.

OFFICIAL


Page 24 of 27

File Plan A pre-determined classification plan by which records are filed and/or electronically indexed to facilitate efficient retrieval and disposal of records.

Government Security Classifications (GSC)

This replaces the Government Protective Marking System. It allows for OFFICIAL (including OFFICIAL – SENSITIVE), SECRET and TOP SECRET information asset classifications.

Information Typically involves collections of data and qualitative or quantitative conclusions/or derived reports on a particular topic that leads to an increase in understanding of that topic.

Information Asset Register - IAR.

A register of unpublished information ,i.e. information or collections of information, held electronically or in hard copy, which have (usually) not been published or made publicly available. The creation of an Information Asset Register is one of a series of initiatives designed to facilitate greater openness documented in the White Paper, The Future Management of Crown Copyright (Cm 4300), which proposed a number of initiatives aimed at "improving and encouraging access to the broad range of public sector information".

Information Classification

These are the allowed classifications for information, previously governed by the Government Protective Marking System. It allows for OFFICIAL (including OFFICIAL – SENSITIVE), SECRET and TOP SECRET information asset classifications. This new systems is referred to as the Government Security Classifications (GSC).

Information Management

Is a process of creating authentic and authoritative information through practices that ensure version control, access rights, reuse and eventual archiving.

Information Management Unit

The department who support and advise on strategic Information Management across the force.

Metadata Data elements that are recorded to describe other data. Data that describes the content, context and structure around information. The metadata recorded about a record could include its title, reference number, its current location, history of its use, when it is to be or was disposed of, its security classification, etc.

Migration The act of moving records from one system to another, while maintaining the records’ authenticity, integrity, reliability and usability.

Normal Administrative Procedures - NAP.

Day to day deletion or desk tidying of documents no longer required, or which are not records.

Paper Records and hardcopy

A subset of physical records in the form of files, volumes, folders, bundles, maps, plans, charts, etc.

Physical Records Can include, but not limited to: paper/hard copy documents, official publications, maps, media, models, artefacts such as archaeological relics, samples or awards.

OFFICIAL


Page 25 of 27

Police Information Information for a policing purpose that should be managed lawfully in accordance with statutory guidance and the law. The Code of Practice defines policing purposes as: (a) protecting life and property; (b) preserving order; (c) preventing the commission of offences; (d) bringing offenders to justice; (e) any duty or responsibility arising from common or statute law

Protective marking The process of determining security restrictions on records. Also referred to as the records “Security Classification” in accordance with the Government Security Classification System which is the national standard for classifying a document, file or other information according to its value and the impact if it is wrongly disclosed. It allows government organisations and agencies share information - paper or electronic - with confidence.

Public Record A record (as defined in paragraph 2 of the First Schedule to the Public Records Act 1958) that is created or received by a governmental body in pursuance of its activities, regardless of form or medium. Unpublished records.

Record A record is information that documents or is used to support business activity, transactions, changes, decisions, outcomes, negotiations, approvals, authorisations or actions. A record can be in any format or stored on any medium.

ISO 15489 definition: “information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of Business”

Recordkeeping Making and maintaining complete, accurate and reliable evidence of official business in the form of recorded information.

Records Management A sub function of information management. Records management activities focus on the classification of information with the purpose of deciding retention and disposal, in accordance with legal obligations. For effective records management to be possible, Information management processes must ensure the proper creation, maintenance, use and disposal of records throughout their whole life cycle to achieve efficient, transparent and accountable governance.

Register A list of records, usually in simple sequence such as date and reference number, serving as a finding aid to the records.

Retention Period The length of time that records should be retained (or continuously stored and maintained), either by the creator or holding organisation until their disposal, according to their administrative, legal, financial and historical evaluation.

Retention Schedule A list or register of BTP’s records with an assigned and approved retention period and recommended disposal date. This will ultimately form the basis of BTP’s register of information assets (it’s IAR).

OFFICIAL


Page 26 of 27

Security Classification The process of determining security restrictions on records. Also referred to as the records “Protective Marking”.

Sentencing The process of applying retention and disposal decisions to records.

Temporary Records Records with a short lived interest or usefulness. As soon as the business use ends, they should be disposed of by destruction.

Transfer Transfer of custody or ownership of the record into archival custody.

Vital Records Vital records are those that are essential for the ongoing business of an agency, and without which the agency could not continue to function effectively.

OFFICIAL


Page 27 of 27

Frequently Asked Questions

Q. Is there a record retention schedule (RRS) specific for each department?

A. Not for every department however the vision is that each department will have a bespoke

RRS which will make up an overall Force wide RRS. Whilst individual department RRS are being

worked on BTP has published an overarching RRS based upon the guidance stated within the

ACPO National Retention Schedule. If a team has a bespoke RRS it will be published on the

Records Management intranet pages where you will also find the BTP overarching RRS and the

Records Management decisions log.

Q. What should I do if I can’t find the retention details for the records I hold?

A. Contact the Records Management Team. Please provide as much information as you can

about the records i.e. what are they, why are they created, where are they currently stored,

what is the volume you hold etc. This will help the team to advise you best going forward. On

occasion they may be no approved retention period know, in these circumstances this would be

escalated to the Force Records Management for a decision to be made.

Q. What is the difference between Police records and Corporate records?

A. Police records are those created as part of a policing activity i.e. crime reports, intelligence

records etc. and the majority of these records are subject to the MoPI review and retention

rules. Corporate records are records that are generated as part of running the “business” i.e.

personnel records, payroll records, agendas, minutes of meetings etc. and have specific

retention rules arising from other legislation. If you have a specific query please do not hesitate

to contact the Records Management Team.

Q. On page 8 it states before recording information to check with other business areas to see

whether the information is already held in order to avoid duplication – can you clarify what is

meant by this?

A. Due to new ways of working or new processes etc. you may feel the need to record new (or

add additional) information, however it is advised that you check before doing so to see

whether any other team or department create similar records. This helps to ensure that we are

not recording excessive or duplicate information e.g. if you have information about a crime you

wouldn’t record it on a spread sheet saved on your G: drive because NICHE is used to hold all

crime information. The same is true for personnel files; the HRBC are responsible for personnel

files so you wouldn’t create your own to store locally. If you have information to add to a file

you would speak to the relevant team so that the information can be passed on and recorded in

the correct place by the correct business area. If you need further advice regarding this please

contact the Records Management Team.


