Information Management Policy
- Policy Statement
- Introduction
- Scope
- Statutory obligations
- Roles and responsibilities
- Managing our information
- Governance and Assurance
- Delivery and engagement
- Training and skills development
- Equality Impact Assessment
- Review and update of policy
This information management policy is for all CPS staff, contractors, consultants and third parties. It outlines our roles and responsibilities, directing us all on how to manage information, from creation to destruction. Following the policy ensures we are taking the correct approach to information management, to meet CPS’ operational and legal needs.
Policy Statement
Every CPS activity, from ensuring the quality of our prosecutions to the day-to-day management of our staff, is impacted by our ability to ensure the information we handle is respected, protected and used in accordance with the Data Protection Act 2018 (DPA 2018) and other relevant legislation.
It is vital we work together to ensure we have the right information, at the right time, in the right place, so we can meet business and legal needs. By adhering to this policy, it will give you the confidence that you are protecting CPS’ information, across its lifecycle.
Introduction
CPS is responsible for prosecuting criminal cases in England and Wales. In doing so, the management of information to support this work is essential. The information risks connected to these prosecutions are self-evident and the consequences of a security incident can be far reaching, particularly for those directly impacted (i.e. victims, witnesses and defendants), on our work and the public’s confidence in how we operate.
The CPS therefore recognises its information as a valuable corporate asset and is committed to its appropriate and ongoing management. This policy will therefore:
- affirm CPS’ commitment to treating our information as a valuable asset so we meet business and legal needs, accountability requirements and stakeholder expectations.
- provide clear, consistent, and concise direction across the organisation to create, access, use, retain and dispose of information appropriately, lawfully and with confidence.
- support the change required to deliver the CPS’ strategic aim around enhancing our digital capability.
- underpin our information management strategy which focuses on the following:
  - Information Management Culture
  - Information Management Security
  - Strategic Collaborations
  - Through-Life Information Management
  - Governance
Scope
This policy applies to all staff, contractors, consultants and third parties. It relates to the management of all information, in any format (hard copy and electronic), created or received through its lifecycle, to support business activities. This includes employee, financial and case management information.
It is an overarching information management policy which is underpinned by a suite of information and security policies. Key policies, standards and guidance are referenced throughout, with the appropriate connections made.
Statutory obligations
This policy provides a framework for meeting our information management responsibilities under relevant legislation, guidance and codes of practice. The following is not an exhaustive list:
- The DPA 2018 and the UK General Data Protection Regulation (UK GDPR)
- Freedom of Information Act 2000 (FOI 2000) and the Code of Practice on the Management of Records under Section 46 of the Act.
- The Public Records Act 1958 and 1967
- Re-use of Public Sector Information Regulations 2015
- Government Functional Standard GovS 007: Security
- Security policy framework: protecting Government assets
- Official Secrets Acts 1989
- The Civil Service code
- CPS Code of conduct
Roles and responsibilities
There are specific roles and lines of responsibility under this policy, which include mandated roles and the specialists who are part of the Security and Information Assurance Division (SIAD):
All staff need to:
- take responsibility, as per this policy, for the integrity and management of information throughout its lifecycle.
- ensure they do not inappropriately access, disclose or misuse confidential information acquired in the course of employment. Information needs to be protected against unauthorised modification, corruption or loss.
- report any security incidents within 24 hours as per CPS’ Incident Management and Reporting Policy.
- have the required training which includes the annual UK GDPR training.
All managers need to:
- take ownership/responsibility for the integrity and management of information created and used within their area of operation ensuring that information management processes are in line with this policy.
- ensure that the information has appropriate access and security permissions assigned. This includes when employees move teams, leave the organisation etc.
- ensure that all reports of security incidents are taken seriously and managed in accordance with CPS’ Incident Management and Reporting Policy.
- ensure staff complete their required information management training and a review of the management of information is included in their performance reviews i.e. one-to-ones.
Mandated and specialist roles:
- the Senior Information Risk Officer (SIRO) owns the information risk at Board level and ensures that policies and processes are in place for the organisation’s effective management of information.
- the Data Protection Officer (DPO) ensures the organisation handles personal information in compliance with regulation. Their role includes advising on the handling of complex rights requests and dealing with investigations from the Information Commissioner’s Office, which upholds information rights in the public interest.
- the Departmental Records Officer (DRO) has overall responsibility for maintaining effective and efficient record keeping procedures.
- each CPS Area and HQ Directorate has an Information Asset Owner (IAO) who is usually the Chief Crown Prosecutor (CCP) or Head of Directorate. The owner of an Information Asset is responsible for ensuring that the asset is managed appropriately through its lifecycle and risks to the asset are assessed and mitigated.
- Security Information Managers (SIMs) work closely with their IAO and Area Business Manager. The SIM provides day-to-day guidance to colleagues on issues regarding information management (including retention, information asset management and data cleansing) and security matters. They also manage ongoing compliance with the statutory obligations outlined in this policy.
SIAD teams:
- The Information Management and Architect Team (IMAT) provides specialist advice and guidance on the management of information. In addition, IMAT develops and implements strategies to support sound information management practice and monitors compliance with information management policies across the organisation.
- The Records Management Team (RMT) provides advice and guidance and sets procedures on all aspects of records management. In addition, the team deals with the archiving of Long-Term Interest (LTI) cases and the transfer of records to the National Archives (TNA).
- The Data Protection Compliance Team (DPCT) is the first point of contact for all data protection matters, which includes supporting the business with Data Sharing Agreements, Data Protection Impact Assessments and all rights requests other than right of access requests (ROARs).
- The Operational Security Team (OST) provides specialist operational security advice and guidance, on physical, personnel, and incident management. The team also advises the organisation on business continuity and resilience matters.
- The Information Access Team (IAT) responds to all requests the CPS receives under the FOI 2000 as well as ROARs received under the DPA 2018. The team also manages CPS' response to all claims lodged with the Information Tribunals.
- The Cyber Security Team (CST) provides specialist advice on cyber risk management and day-to-day operations (e.g. questions around secure digital data systems and devices) as well as strategy and policy.
Managing our information
The following section provides the guidelines that need to be applied for managing information throughout its lifecycle, with consideration given at the outset to ensure effective management from information creation or acquisition to disposal.
Following these guidelines will ensure that this information is managed appropriately and, as such, give you confidence that it is:
- processed fairly and lawfully;
- obtained for specific purpose(s) and not used beyond that purpose;
- limited to what is required for the purpose;
- recorded accurately and reliably;
- held securely and confidentially;
- used effectively and ethically; and
- shared and disclosed appropriately and lawfully.
Security classifications
Information the CPS receives, stores, processes, generates or exchanges as part of the prosecution process or organisation's administrative corporate functions should be handled in a manner that is appropriate to its sensitivity.
Classifying information is a crucial step in managing information as it indicates the sensitivity of information and the typical controls necessary so the appropriate level of protection can be put in place.
CPS’ Security Classifications Handling Instructions should be consulted to determine the classification required so that the information can be managed appropriately.
Creating information
It is crucial when creating information:
- there is a specific business need or legal requirement for it;
- there is clear ownership to manage access and retention;
- it has been security classified correctly. Having this in place at the outset will inform its future handling, storage, sharing, and destruction; and
- version control and the requirements set out in CPS’ branding guidelines are in place.
Access and permissions
Information should be available and accessible to authorised users when needed. It should, however, only be accessed and used when it is appropriate and necessary; this is underpinned by the ‘Need to Know’ principle.
Under no circumstances should casework material be accessed for personal interest (defendant, victim, witness etc.) or where there may be an element of media interest (involving a high-profile figure, celebrity or general person of interest).
To support this:
- access to information should be aligned to its security classification so that it receives the appropriate level of protection.
- all users should be vetted to a level appropriate to the sensitivity of the information they will be handling.
- line managers are required to review access controls to the information within their control periodically, i.e. annually or when staff move, even if the move is only for a fixed period (e.g. anything above 6 weeks). As permissions are based on job roles, it is important that when staff move roles their access to current applications, mailboxes and shared drives is reviewed and, where relevant, revoked.
Our Access and Monitoring Policy must be referred to with regards to authorising, monitoring and controlling access to CPS’ IT accounts, information and information systems.
Storage
Whether it is electronic or hard copies, information must be saved in prescribed locations, appropriate to its format, content and sensitivity, as per the security classifications. It needs to be saved in a way that it can be available and accessible to authorised users when needed.
The retention schedules as discussed below under 'Retention and disposal' not only set out the period a record should be kept for but also the storage requirements.
When saving electronic information, documents should be easily identifiable using a meaningful, consistent and concise title, with a relevant retention date added.
Hard copy files (administrative or case files) that are active should be stored as per our Clear Desk Policy. Registered files that have been closed should be retained at our offsite storage provider. To avoid a security incident, sensitive and confidential information should not be visible on the boxes. A review/destruction date must be visible on a box sent to the offsite storage provider and an audit trail recorded.
Our Removable Media Policy should be referred to when using external hard drives etc.
Sharing and transporting information
Information should only be shared externally where there is a clear business need to do so, and where the contents and security classification of the information permit it to be shared. Consideration should always be given to the implications of the information being made available and transported outside of the department.
NB: Information can be shared with the public, data subjects and third parties through the Freedom of Information request, Right of Access request and/or Third Party Disclosure processes.
Handling of official material
When handling official information our Handling Protectively Marked Material Guidelines must be referred to. This includes both physical and electronic information.
Sharing personal information
CPS’ Redaction Guidance should be used, for legal and security reasons, to protect personal data and any special category data from being disclosed in the course of an investigation or prosecution.
When third parties request personal data, the Disclosure of Material to Third Parties Guidance should be referred to. The CPS will produce Data Sharing Agreements (DSAs) when personal data is regularly being requested from or by other organisations (third parties). A DSA enables the CPS to consider whether the processing is necessary; ensure it is done in line with data protection law; and set out the type of information being shared and the responsibilities of the organisations involved. If a DSA is required, the DPCT must be contacted.
Mobile and email usage
As per our mobile device policy, conversations classified above OFFICIAL-SENSITIVE must not be undertaken on mobile telephones as they are not secure.
CPS’ E-Mail Usage Policy covers the care and attention which is required to protect information when sending, receiving and storing emails. This includes when OFFICIAL-SENSITIVE information is sent and ensuring emails do not get sent to the wrong email address.
Working from a different location
CPS has adopted hybrid working. As with mobile working, further consideration is required to ensure the confidentiality and protection of information is preserved at home. This includes not taking security classified documents home or printing at home. To have full awareness of the security measures which are required, CPS’ Hybrid Working Policy and Procedure must be referred to; this includes when working from other remote locations.
If there is a requirement to work overseas, there may be additional threats to CPS’ information. Staff are responsible for the safety of their device and the information on it and must therefore follow the required international travel policies and guidance. This includes completing a notification of travel form whether travelling for work on short journeys or being deployed overseas.
Retention and disposal
CPS’ Retention and Disposal Schedule Policy must be followed by all staff on how long information should be kept for and how it should be disposed of. At the end of that time, as detailed in the relevant schedule, information will either be destroyed or selected for permanent preservation at TNA. Records that fall under the Long-Term Interest (LTI) criteria must be sent to the RMT as soon as they have been concluded.
Governance and Assurance
CPS has a robust information governance structure which provides assurance and helps ensure information is managed in a consistent, controlled, and standardised manner across the organisation.
Assurance groups
Key groups:
- The Information Governance Group (IGG) provides oversight of the organisation’s information governance. It is chaired by the DPO and attended by the SIRO, IAOs, area business managers and other relevant subject matter experts.
- The Information Assurance Forum facilitates multi-disciplinary perspectives on information assurance issues and the sharing of good practice, having representatives from each Area and Directorate across the organisation.
- The IAO Network provides a forum for the IAOs to collaborate with each other on key information management and security activities, ensuring that a consistent approach is taken across the organisation. It further gives an opportunity to engage with the SIRO and DPO to provide assurance and highlight key information risks and opportunities.
- The SIAD and SIM Network provides a forum for the SIMs and representatives from SIAD to provide updates, share best practice and discuss key information management and security issues in relation to specific Areas/Divisions/Directorates.
- Each Area/HQ Directorate has a local Data Assurance Forum (DAF) which provides an opportunity to discuss key information management risks/issues. The DAF provides the means to validate and monitor improvement activities and escalate issues or concerns to the IGG. It further supports the SIM in discharging their duties by proactively engaging relevant teams/staff in improvement and compliance activities and discussions.
Controls and assurance mechanisms
Controls and assurance mechanisms are in place to continuously assess and improve the management of information, across the organisation, so we are compliant with the required legislation and the information related risks are managed. Controls include:
As legally required, the CPS holds Information Asset Registers (IARs) across the organisation. They describe what information assets are held locally, where they are held, their security requirements and who the responsible owner is for each asset. In addition, as mandated by the Government’s Security Policy Framework, the CPS values information assets in terms of the potential impact from loss of confidentiality, integrity and availability.
The completion of the annual Security and Information Assurance Framework (SIAF) helps the CPS demonstrate it is compliant with the required Government’s security, data protection and information management standards and regulations. It measures each Area’s/HQ Directorate’s activity towards the aforementioned standards and requirements. SIMs are responsible for the completion of the SIAF and the maintenance and update of the related security improvement plan (SIP) and local risk register.
The organisation’s Business Continuity Management Policy and Strategy is directly linked to corporate governance and the management of risk in general. It provides an operational framework which will support CPS’ ability to deliver its critical business activities to an agreed level within an agreed period of time following a disruption. This includes the backup, replication, and recovery of critical information assets.
Security incident management and reporting
Despite taking steps to reduce risks, security incidents can still happen and will vary in severity and impact. Security incidents may include a range of situations which could lead to damage, such as loss of operational effectiveness, harm to reputation – both organisationally and personally – and, in the most extreme cases, prejudice to national security, crime and even endangering lives. All security incidents, or potential incidents, are taken seriously and investigated in a swift and proportionate manner.
All staff should be aware of CPS’ Incident Management and Reporting Policy, which details what is required to detect, report and respond to all security incidents. It is essential that security incidents are reported within 24 hours so they can be reviewed, appropriately actioned and referred, if necessary, to the Information Commissioner’s Office within the statutory 72-hour deadline.
Monitoring compliance
Ongoing monitoring of compliance with this policy and its supporting policies, guidance and procedures will be undertaken on a regular basis by IMAT and those with assigned responsibilities. This will be supported by the completion of the control and assurance mechanisms, internal checks and external audits.
Our Access and Monitoring Policy outlines the rules relating to the monitoring of CPS IT accounts, information and information systems.
Delivery and engagement
The IGG steers the delivery of this policy. An ongoing campaign is designed to support policy engagement and embed an information management culture across the organisation.
Training and skills development
Induction materials, training and guidance will be made available to support responsibilities being carried out, as outlined in this policy:
- All staff to complete CPS’ bespoke UK GDPR mandatory training and associated modules annually, which is also part of the staff induction programme.
- All staff to complete Cyber mandatory training annually.
Equality Impact Assessment
Due regard is being given to ensure CPS’ Public Sector Equality Duty is complied with. At present no detriment has been identified with this policy.
Review and update of policy
This policy has been approved by the IGG. There is a commitment to keep this policy live and agile to allow for continuous improvement and any changes to the business, technical or regulatory requirements. We are also keen that it continues to be fit for purpose and meet your needs.
The next comprehensive review will take place in two years by the Policy Review Board (PRB).
To provide feedback on this policy, please email informationarchitecture@cps.gov.uk.