NOT PROTECTIVELY MARKED
Cumbria Constabulary Records – Off-site Storage Policy v2.00
Policy: / This Policy will set out the principles required to be adopted and applied to Constabulary processes and procedures involving the use of off-site storage facilities.Approved by which board (or Chief Officer) and date: / The Information Security Board
27th November 2015
Owner / Director of Professional Standards (PSD)
For release under Freedom of Information? / Yes
Supporting information / procedures / Cumbria Constabulary Records – Off-site Storage Policy Supporting Procedures v2.00
Contact for advice / RISM – Niall Kirkpatrick, PSD
Review date / 27th Nov 2016
If changes have been made to an existing policy, you must complete the boxes below
Amendments made / Revisal of previous version 1.00, updating the content to take account of:- Revised Policy format
- ACPO replaced by NPCC
- minor changes to some supporting references, and to responsibilities for some roles
Date and Version Number / Cumbria Constabulary Records – Off-site Storage Policy v2.00 27th Nov 2015
1
Cumbria Constabulary Records – Off-site Storage Policy v2.00 (27th Nov 2015)
NOT PROTECTIVELY MARKED
NOT PROTECTIVELY MARKED
EQUALITY ANALYSIS
What is the potential impact in relation to the General Duty of this proposal on each of the protected groups below?
Protectedcharacteristics / Positive Impact
Does the proposal: / Negative Impact (provide details and mitigating actions taken or proposed) / No
Impact
(√)
eliminate unlawful discrimination
(provide details) / advance equality of opportunity
(provide details) / Foster good relations
(provide details) / Other positive impact (provide details)
Age / √
Disability / √
Sex / √
Sexual orientation / √
Gender reassignment / √
Marriage and civil partnership / √
Pregnancy and maternity / √
Race / √
Religion and belief including non-belief / √
If there is no potential impact (positive or negative) please provide a brief explanation why this is the case, e.g. the data utilised in arriving at the decision, summary of responses to consultation etc.
Brief explanation of the ‘no impact’ decisions above:
Overall, the changes made to the content are minor. No potential impacts were identified during the revisal process.
1
Cumbria Constabulary Records – Off-site Storage Policy v2.00 (27th Nov 2015)
NOT PROTECTIVELY MARKED
NOT PROTECTIVELY MARKED
1. Aims
1.1 Cumbria Constabulary (‘the Constabulary’) relies on the effective management and preservation of information records as a cornerstone of fulfilling its statutory duties, and achieving its strategic aims.
1.2 The Information Management Strategy (‘IMS’) and Records Management Strategy (‘RMS’), set out how the approach to information records management will be implemented at a strategic level, and the RMS provides the mandate to this document, the Cumbria Constabulary Records – Off-site Storage Policy (the ‘Policy’), which will set out guidance and minimum requirements whereby off-site storage facilities, which are managed or controlled other than by Constabulary personnel, may be used to store Constabulary records.
1.3 It must be remembered that archiving records to off-site storage is a form of retention, and must not be used as an alternative to destruction of records which are no longer required by the business.
1.4 It is the first requirement, or aim, of this Policy that all users of information records:
· will have access to this document, and use it as their mandate for the effective management of information records which are stored off-site
· be aware of the conditions and processes under which information records may be stored at any facility such that they can be physically accessed without reference to, or under the supervision of, the Constabulary
· be aware of their responsibilities in relation to off-site records management
1.5 This policy will also set out the principles required to be considered and adhered to as part of all relevant procedures involving information or records handling, which include using off-site storage facilities. This will:
o support implementation of the IMS and RMS, and hence achievement of the Force’ strategic aims concerning the management of police information, by laying down guidelines for preserving the confidentiality, integrity and availability of all records which are owned by the Constabulary, but which are stored off site
o ensure compliance with all legislative requirements, including the Data Protection Act 1998, and the Management of Police Information (MoPI) Code of Practice (2005) and related Authorised Professional Practice (APP).
o ensure compliance with all internal Constabulary policies involving records management, including those concerning information security, information sharing, and the review, retention and disposal of information records, and including the commitment made in the IMS[1] with regard to adherence to the Lord Chancellors Code of Practice for Records Management (2009), issued under s.46 of the Freedom of Information Act 2000.
1.6 The use of Non ‘PASF[2]’ companies or contractors for supplying off-site storage facilities will be permitted under this Policy, provided that the associated risks have been fully considered and documented, and use of the facility is approved by the Information Asset Owner for the information or records concerned.
1.7 This Policy applies to all personnel working for Cumbria Constabulary, including officers, staff, Special Constables, Police Community Support Officers, contractors, temporary personnel and trusted employees from agencies and organisations who by the nature of their role(s) are provided with access to, or have control over, Constabulary information records.
2. Terms and Definitions
2.1 ‘Off site’ means any facility which is engaged to be used for records storage by the Constabulary, regardless of whether there is an associated financial cost involved, where either :
Ø the control of physical access to the archive area within the storage facility building is managed other than by the Constabulary, for example, where keys are held, or which is partially or wholly owned or occupied, by non police staff
or
Ø the archiving area within the storage facility may be accessed without supervision of Constabulary officers or personnel.
2.2 This Policy applies to all physical records owned by or temporarily in the hands of Cumbria Constabulary, which are transferred for storage off-site. However, this does not include files which are sent to another facility to be worked on, processed, or analysed in any way (including for statistical purposes) in furtherance of Constabulary business.
3. The Policy
3.1 PRINCIPLES OF OFF-SITE STORAGE POLICY
A number of information and records management principles required to be adopted throughout the Constabulary have been set out in the Information Management Strategy (IMS), Records Management Strategy (RMS), and the Records Management Policy (RMP).
Where the use of off-site storage facilities is involved, the following additional principles, will also apply:
3.1.1 Approval of Off-Site Storage Facilities
a) The Office of the Police and Crime Commissioner for Cumbria (‘OPCC’) is responsible for the allocation of financial resources as well as for approving the Constabulary’s policy framework. The procurement of any new or revised arrangements involving contracting for the use of off-site storage facilities will therefore be in accordance with the Cumbria Office of the Police and Crime Commissioner & Cumbria Constabulary Joint Procurement Regulations 2014/15.
This requirement will not apply where there is no financial cost involved in the proposed arrangements for the storage of off-site records.
b) The Information Management Strategy places responsibility on the Chief Information Officer (‘CIO’) to;
Ø have central oversight of the disposition of all Constabulary records, and all functions related to their management and control
Ø ensure that Business Continuity plans are in place to safeguard essential information records.
The use of all off-site storage arrangements for police records protectively marked as RESTRICTED[3] or above, must therefore be approved by the CIO.
c) Similarly, any proposed or planned arrangements for the introduction or use of a new off-site facility must be approved by the CIO, and have a formal agreement in place signed by Legal Services Department prior to the facility being used.
3.1.2 Processes for the Management of Off-Site Storage Records
(a) The Records & Information Security Manager (RISM) has responsibility for overseeing all formal arrangements which involve the use of off-site storage facilities. The introduction of any new off-site facility must therefore be notified to the RISM prior to the transfer of any sensitive files or other materials to the facility.
(b) Information about records stored off-site must be provided by IAOs to the RISM on request.
(c) Information Asset Owners are responsible for ensuring that they keep and maintain an up-to-date, automated, searchable, electronic index of ALL materials for which they are responsible that are sent for off-site storage.
3.1.3 Types of Information Assets Which May Be Stored Off-Site
(a) The formats, or media used to store Information and records which may be stored off site are:
Ø any form of paper-based record, including photographs,
Ø tapes, audio (such as interview tapes), video, (including CCTV) but excluding back-up tapes from sensitive databases)
Ø discs, CDs, DVDs
(b) Information assets in the form of chemicals, liquids, gases, biological samples, or which are toxic, caustic, corrosive or otherwise defined in any way as hazardous substances, or which could pose a health, safety, fire or any other similar risk may not be transferred for storage off-site.
3.1.4 Information Security
(a) Boxes or other containers used to hold records or files, must not have their contents indicated on the outside of the box, but should be marked by reference number only. Similarly, no GPMS markings must be placed on the outside of the box itself.
(b) The records inside the box should be marked in accordance with the Cumbria Constabulary Government Protective Marking Scheme Policy in the usual way.
3.1.5 Corporacy
(a) Adherence to the Information Management Strategy and the supporting Records Management Strategy is mandatory for all personnel with access to information records within Cumbria Constabulary. Adherence to this Policy is therefore also mandatory.
(b) By implementing this policy, and aligning it with the Information Management Strategy and Records Management Strategy, as well as any other Constabulary policies concerning records management, it is intended that the Constabulary will achieve corporate and uniform management of police information stored off-site.
3.1.6 Cost Effectiveness
(a) It is a strategic aim of the Constabulary to ensure that information is managed:
“in such a manner as to provide the best possible service to our communities by providing reliable information at the point of need where individuals understand the importance of using it correctly, sharing it lawfully, and protecting it from compromise”. (IMS v7.00 Section 2.2).
(b) In order that this commitment can be supported, and evidenced as being supported, where an outside storage facility is being considered for use, the long-term cost effectiveness of the use of off-site will be monitored by the RISM, and the effectiveness of its continued use fully considered in the face of all other viable options.
3.2 ROLES AND RESPONSIBILITIES
Responsibilities at the strategic level in relation to information and records management are set out in the IMS and RMS. In addition, the further responsibilities set out in Records Management Policy Supporting Procedures v7.00 and Cumbria Constabulary Records – Off-site Storage Policy Supporting Procedures v2.00 will be owned by the role-holders involved.
3.3 FILE TRACKING
The movement of files to and from off-site storage will be monitored by the RISM as described in Cumbria Constabulary Records – Off-site Storage Policy Supporting Procedures v2.00.
3.4 AUDITS OF RECORDS HELD IN ‘OFF-SITE’ STORAGE FACILITIES
Scheduled audits
3.4.1. The RISM will maintain records of the numbers of boxes held in each off-site storage facility on an ongoing basis, to include details of their owners within the business, and an outline of their general contents and GPMS sensitivity, for inspection on request by the CIO.
Unscheduled audits
3.4.2 The IMS provides that ALL information systems may be audited, or inspected, at any time at the discretion of the CIO, to verify compliance with legislation, national guidance, and Constabulary policies or to investigate a security incident. There is no requirement on the CIO to publish the reason for an unscheduled audit.
3.4.3 Auditors of unscheduled audits will be nominated by the CIO and may be tasked with reviewing any aspect of the records system concerned.
3.5 THIRD PARTY ACCESS
Access by non-Constabulary personnel, to Constabulary information records stored off site, other than as provided for under this Policy and / or under the terms of any written agreement with the off-site storage supplier, will be subject to prior approval of the RISM.
3.6 DISCIPLINE
Contravention of this policy is a breach of the Police Code of Conduct and the Police Staff discipline arrangements, and may result in criminal or disciplinary proceedings.
4. Supporting Information
Acts:
· The Data Protection Act 1998
National Documents:
· Management of Police Information, Code of Practice and Guidance
· Lord Chancellors Code of Practice (2009) issued under s.46 of Freedom of Information Act 2000
· ISO 15489-1:2001
Constabulary Documents:
· Cumbria Office of the Police and Crime Commissioner & Cumbria Constabulary Joint Procurement Regulations 2014/15
· Cumbria Constabulary Information Security Policy
· Cumbria Constabulary Government Protective Marking Scheme Policy
· Cumbria Constabulary Information Management Strategy
· Cumbria Constabulary Records Management Strategy
· Cumbria Constabulary Records Management Policy
· Cumbria Constabulary Information Sharing Policy
· Cumbria Constabulary Retention Schedule
5. Monitoring and Reviewing
5.1 This Policy will be monitored by the Policy Owner on an on-going basis for implementation issues, consistency of application and potential for discrimination.
5.2 This Policy will be reviewed in line with the published review schedule, normally annually. The Policy will also be reviewed whenever new legislation/guidance that may have an impact is introduced.
5.3 In the event that an individual feels disadvantaged by the requirements of a Policy or Procedure or where they perceive there to be an impact which is intentionally or unintentionally unfair the matter should be dealt with in accordance with the Policy and Procedure Review Process contained within the Fairness at Work (Grievance Resolution) Policy and Procedure. This information will also be monitored and considered when reviewing this Policy.