DWP Information Management Policy
Updated 5 February 2025
This is version 6.9.
1. Overview
1.1 The Information Management Policy (IMP) is designed to ensure that Department for Work and Pensions (DWP):
- retains only those documents and data which support business objectives
- saves money by reducing information storage costs
- protects against allegations of selective document destruction; and
- manages our information risks
1.2 The IMP tells you which documents and data you need to keep, for how long, and where to keep them.
1.3 This is version 6.9 of the Information Management Policy and is effective from 14 October 2024.
1.4 DWP takes its responsibility seriously and ensures that the right levels of security and protection are applied to our information. This means ensuring that we all understand our own responsibilities and help to manage information in the right way. Effective information management safeguards both our customers and our key corporate information, maintaining DWP’s reputation and protecting the public purse.
2. Scope
2.1 This policy is for anyone who creates, handles or stores DWP information, including all DWP employees, agents, contractors, business partners, third parties and suppliers. It includes all paper documents, electronic records, Non Corporate Communication Channels (NCCC) such as WhatsApp, videos, DVDs, emails, social media posts, databases, websites and Intranet sites, etc.
3. Policy Statement
3.1 Through effective information management, DWP will comply with the following obligations:
- the .
- the .
- the Civil Service code (states you must keep accurate official records and handle information as openly as possible within the legal framework).
3.2 This policy must be read and implemented in conjunction with the DWP Acceptable Use Policy (AUP) and the DWP Information Security Policy.
4. Accountabilities and Responsibilities - DWP Information Management Principles
4.1 Creating Information
4.1.1 When creating information it is important to ensure that:
4.1.2 There is a specific business need or legal requirement for information to be created.
4.1.3 There must be clear ownership of all information created.
4.1.4 You are aware of and follow the MS Teams Recording and Transcription Policy.
4.1.5 Information is recorded under the following categories:
- corporate records – these include all documents and data created by you in day-to-day business
- customer records – these include all claimant or customer-related documents and data
- HR records – these include all HR or staff related documents and data
- finance and procurement records – these include day-to-day purchases as well as customer-related provision and large contracts
- intranet content – some information published on the DWP Intranet is so vital to the understanding of how DWP is administered that it must be saved and stored in a specific way
4.1.6 Customer and corporate information is classified in line with the Government Security Classifications Scheme.
4.1.7 The use of Non-Corporate Communications Channels is strictly controlled.
- SECRET or TOP SECRET information must never be communicated via NCCCs.
- DWP customers should never be contacted via NCCCs.
- Official Sensitive or other ‘significant information’ must only be communicated through NCCCs in exceptional circumstances and only with an approved Security Policy Exception. Significant information is information that materially impacts the direction of a piece of work or that gives evidence of a material change to a situation. Where such exceptions are granted, records of official business carried out via an NCCC must be transferred onto corporate systems (e.g., SharePoint) as soon as is practicably possible.
- Logistical or other non-significant information can be accessed through NCCCs with due regard to an individual’s security responsibilities.
4.1.8 DWP file naming and version control conventions are applied. Version control is used to keep track of changes made to files.
4.1.9 The appropriate manual version control or SharePoint Version History is applied.
4.1.10 Only the minimum amount of personal information is used for the business purpose.
4.1.11 When is a document ‘held’ or ‘not held’?
4.1.12 Documents and information are classed as ‘held’ or ‘not held’ if they meet the following criteria:
4.1.13 Held: Registered files, Corporate Record Boxes and benefit records (for Rights of Access Requests) are classed as ‘held’ until the files are marked as ‘destroyed’ on the remote stores IT system.
Paper or hard copy documents are classed as ‘held’ until the document is physically transferred to waste recycling or confidential waste bin.
4.1.14 Electronic documents are classed as ‘held’ if they:
- are on the current version of Shared Drives, SharePoint Online, or can be retrieved from the ‘recycle bin’
- are in the current version of OneDrive or can be retrieved from the ‘recycle bin’ for OneDrive (personal storage)
- can be retrieved from the Deleted Items folder or using the ‘recover deleted items’ facility in Outlook
Electronic datasets are classed as ‘held’ until the data is deleted from the database and recycle bin.
4.1.15 Not held: Documents held solely on backup tape/drives are classed as ‘not held’.
4.2 Storing Information
4.2.1 When storing information ensure that:
4.2.2 Information is only retained as long as instructed in the retention guidance.
4.2.3 You follow the guidelines for access (including access to Shared Folders and SharePoint Online) to the information. This access should be reviewed periodically to minimise the risk. If corporate decisions have occurred on NCCCs, ensure that this is transferred into registered files.
4.2.4 You are aware of and follow the retention and destruction dates.
4.2.5 Storage of the information follows DWP file naming and version control standards.
4.2.6 OneDrive within the electronic desktop should be used to store employee personal information related to activities as an employee of DWP, as a member of a team, and any charitable activity authorised by DWP (documents including your flexi sheets, People Performance, HASSRA, Community 10,000 etc).
4.2.7 Documents stored on SharePoint or OneDrive must have a retention label applied.
4.2.8 Where there are clear and agreed business reasons for holding HR records containing personal information in SharePoint, and these have been agreed with a Grade 6, the records must be stored securely with appropriate permissions in SharePoint.
4.2.9 Shared email inboxes are not used as an archive or store for non-active team emails or employee personal information.
4.2.10 Shared email inboxes are regularly cleansed and information moved to the appropriate storage dependent on the classification.
4.2.11 Customer information is retained for no longer than is necessary. All data is permanently deleted securely or anonymised once there is no business reason to keep it; see Guide to the GDPR, Principle (e): Storage limitation.
4.2.12 Any cloud storage systems used to help manage the sharing of information with Other Government Departments, third parties or suppliers are managed in line with this policy.
4.2.13 DWP registered paper files and customer paper records are sent to the Remote Stores.
4.2.14 Information classified above OFFICIAL (i.e., SECRET or TOP SECRET) must only be stored in those systems authorised and approved to hold it.
4.3 Using and sharing Information
4.3.1 When using and sharing information ensure that:
4.3.2 Freedom of Information (FoI) and Rights of Access Request (RAR) are responded to within the set time limits. This includes any corporate information which the department must share under FOIA guidance, which may have occurred in NCCCs.
4.3.3 Good security practices to protect DWP property and information assets as outlined in the Physical Security Standards are followed.
4.3.4 When outside of the office no one is able to read your papers or screen over your shoulder or listen to your work conversations. For more information, please read the DWP Acceptable Use Policy (AUP).
4.3.5 DWP information must only be shared on a need-to-know basis, and only shared in non-DWP environments with the express permission of the information owner. For more guidance, please see paragraph 3.10 of the Acceptable Use Policy (AUP).
4.3.6 Security incidents and breaches must be reported as quickly as possible to the Security Incident Response Team (SIRT). Failure to report a security incident, potential or otherwise, could result in disciplinary action.
4.3.7 Information assets created are added to an Information Asset Inventory (IAI) in accordance with the IAI Guidance.
4.4 Disposing of Information
4.4.1 When disposing of information ensure that:
4.4.2 All information that has no business value or is beyond its retention period is deleted and disposed of securely.
4.4.3 You are aware of the retention and destruction dates for your data. The Retention of Specific Information Guidance will tell you how long to keep certain information.
4.4.4 You apply any required DWP Special Waste methods for sensitive information, including shredding or placing paper documents in a confidential waste bin.
5. Compliance
5.1 Compliance with this policy is the responsibility of all DWP staff, contractors, third parties and suppliers working on the DWP estate. If for any reason users are unable to comply with this policy this should be discussed with their line manager in the first instance and then the Information and Records Management team.
5.2 Line managers are responsible for ensuring that all DWP staff, contractors, third parties and suppliers working on the DWP estate understand their responsibilities as defined in this policy and that they continue to meet its requirements for the duration of their employment within DWP. It is a line manager’s responsibility to take appropriate action if individuals fail to comply with this policy. Breaching this policy may result in a breach of Section 3 of the Acceptable Use Policy which could lead to disciplinary procedures.
5.3 The DWP Security and Data Protection Team will regularly assess compliance with this Policy and may inspect technology systems, paper holdings, design, processes, people, and physical locations to facilitate this. All staff, contractors, third parties and suppliers, who create, handle or store information on the DWP estate are required to facilitate, support, and when necessary, participate in these inspection requests.
5.4 Employees are responsible for ensuring that they understand their responsibilities as defined in this policy and the Acceptable Use Policy.
5.5 Once this document has been read and understood by a member of staff, they should record the information in line with the Security Responsibilities Checklist.