DWP Information Management Policy
Updated 22 October 2024
This is version 6.8.
1. Overview
1.1 The Information Management Policy (IMP) is designed to ensure that Department for Work and Pensions (DWP):
- retains only those documents and data which support business objectives
- saves money by reducing information storage costs
- protects against allegations of selective document destruction
- manages our information risks
1.2 The IMP tells you which documents and data you need to keep, for how long, and where to keep them.
1.3 This is version 6.8 of the Information Management Policy and is effective from 14 October 2024.
1.4 DWP takes its responsibility seriously and ensures that the right levels of security and protection are applied to our information. This means ensuring that we all understand our own responsibilities and help to manage information in the right way. Effective information management safeguards both our customers and our key corporate information, maintaining DWP’s reputation and protecting the public purse.
2. Scope
2.1 This policy is for anyone who creates, handles or stores DWP information, including all DWP employees, agents, contractors, business partners, third parties and suppliers. It includes all paper documents, electronic records, Non Corporate Communication Channels (NCCC) such as WhatsApp, videos, DVDs, emails, social media posts, databases, websites and Intranet sites, etc.
3. Policy Statement
3.1 Through effective information management, DWP will comply with the following obligations:
- The Public Records Act (link is external)
- The Data Protection Act (DPA) 2018 (link is external)
- The General Data Protection Regulation (GDPR) (link is external)
- The Civil Service code (link is external): (states you must keep accurate official records and handle information as openly as possible within the legal framework).
3.2 This policy must be read and implemented in conjunction with the DWP Acceptable Use Policy (AUP) and the DWP Information Security Policy.
4. Accountabilities and Responsibilities – DWP Information Management Principles
4.1 Creating information
4.1.1 When creating information, it is important to ensure that:
4.1.2 There is a specific business need or legal requirement for information to be created.
4.1.3 There must be clear ownership of all information created.
4.1.4 You are aware of and follow the Ms Teams Recording and Transcription Policy
4.1.5 Information is recorded under the following categories:
- corporate records – these include all documents and data created by you in day-to-day business
- customer records – these include all claimant or customer-related documents and data
- HR records – these include all HR or staff related documents and data
- Finance and Procurement records – these include day-to-day purchases as well as customer-related provision and large contracts
- Intranet content – some information published on the DWP Intranet is so vital to the understanding of how DWP is administered that it must be saved and stored in a specific way
4.1.6 Customer and corporate information is classified in line with the Government Security Classifications Scheme.
4.1.7 The use of Non-Corporate Communications Channels is strictly controlled.
a. SECRET or TOP SECRET information must never be communicated via NCCCs.
b. DWP customers should never be contacted via NCCCs.
c. Official Sensitive or other ‘significant information’ must only be communicated through NCCCs in exceptional circumstances and only with an approved Security Policy Exception. Significant information is information that materially impacts the direction of a piece of work or that gives evidence of a material change to a situation. Where such exceptions are granted, records of official business carried out via an NCCC must be transferred onto corporate systems (e.g., SharePoint) as soon as is practicably possible.
d. Logistical or other non-significant information can be accessed through NCCCs with due regard to an individual’s security responsibilities.
Please see table for support on when NCCCs can be used https://intranet.dwp.gov.uk/page/non-corporate-communication-channels-guidance
4.1.8 DWP file naming and version control conventions are applied. Version control is used to keep track of changes made to files.
4.1.9 The appropriate manual version control or SharePoint Version History is applied.
4.1.10 Only the minimum amount of personal information is used for the business purpose.
4.1.11 When is a document ‘held’ or ‘not held’?
4.1.12 Documents and information are classed as ‘held’ or ‘not held’ if they meet the following criteria:
4.1.13 Held: Registered files, Corporate Record Boxes and benefit records (for Rights of Access Requests) are classed as ‘held’ until the files are marked as ‘destroyed’ on the remote stores IT system.
Paper or hard copy documents are classed as ‘held’ until the document is physically transferred to waste recycling or confidential waste bin.
4.1.14 Electronic documents are classed as ‘held’ if they:
- are on the current version of Shared Drives, SharePoint Online, or can be retrieved from the ‘recycle bin’
- are in the current version of OneDrive or can be retrieved from the ‘recycle bin’ for OneDrive (personal storage)
- can be retrieved from the Deleted Items folder or using the ‘recover deleted items’ facility in Outlook
Electronic datasets are classed as ‘held’ until the data is deleted from the database and recycle bin.
4.1.15 Not held: Documents held solely on backup tape/drives are classed as ‘not held’.
4.2 Storing information
4.2.1 When storing information ensure that:
4.2.2 Information is only retained as long as instructed in the retention guidance.
4.2.3 You follow the guidelines for access (including access to Shared Folders and SharePoint Online) to the information. This access should be reviewed periodically to minimise the risk. If corporate decisions have occurred on NCCCs that this is transferred into registered files.
4.2.4 You are aware of and follow the retention and destruction dates.
4.2.5 Storage of the information follows DWP file naming and version control standards.
4.2.6 OneDrive within the electronic desktop should be used to store employee personal information related to activities as an employee of DWP, as a member of a team, and any charitable activity authorised by DWP (documents including your flexi sheets, People Performance, HASSRA, Community 10,000 etc).
4.2.7 Documents stored on SharePoint or OneDrive must have a retention label applied.
4.2.8 Where there are clear and agreed business reasons for holding HR records containing personal information in SharePoint, and these have been agreed with a Grade 6, the records must be stored securely with appropriate permissions in SharePoint.
4.2.9 Shared email inboxes are not used as an archive or store for non-active team emails or employee personal information.
4.2.10 Shared email inboxes are regularly cleansed and information moved to the appropriate storage dependant on the classification.
4.2.11 Customer information is retained for no longer than is necessary. All data is permanently deleted securely or anonymised, see Guide to the GDPR, Principle (e): Storage limitation once there is no business reason to keep it.
4.2.12 Any cloud storage systems used to help manage the sharing of information with Other Government Departments, third parties or suppliers are managed in line with this policy.
4.2.13 DWP registered paper files and customer paper records are sent to the Remote Stores.
4.2.14 Information classified above OFFICIAL (i.e., SECRET or TOP SECRET) must only be stored in those systems authorised and approved to hold it.
4.3 Using and sharing information
4.3.1 When using and sharing information ensure that:
4.3.2 Freedom of Information (FoI) and Rights of Access Request (RAR) are responded to within the set time limits. This includes any corporate information which the department must share under FOIA guidance, which may have occurred in NCCCs.
4.3.3 Good security practices to protect DWP property and information assets as outlined in the Physical Security Standards are followed.
4.3.4 When outside of the office no one is able to read your papers or screen over your shoulder or listen to your work conversations. For more information, please read the DWP Acceptable Use Policy (AUP).
4.3.5 DWP information must only be shared on a need-to-know basis, and only shared in non-DWP environments with the express permission of the information owner. For more guidance, please see paragraph 3.10 of the Acceptable Use Policy (AUP).
4.3.6 Security incidents and breaches must be reported as quickly as possible to the Security Incident Response Team (SIRT). Failure to report a security incident, potential or otherwise, could result in disciplinary action.
4.3.7 Information assets created are added to an Information Asset Inventory (IAI) in accordance with the IAI Guidance.
4.4 Disposing of information
4.4.1 When disposing of information ensure that:
4.4.2 All information that has no business value or is beyond its retention period is deleted and disposed of securely.
4.4.3 You are aware of the retention and destruction dates for your data. The Retention of Specific Information Guidance will tell you how long to keep certain information.
4.4.4 You apply any required special disposal methods for sensitive information, such as shredding or placing paper documents in a confidential waste bin.
5. Compliance
5.1 Compliance with this policy is the responsibility of all DWP staff, contractors, third parties and suppliers working on the DWP estate. If for any reason users are unable to comply with this policy this should be discussed with their line manager in the first instance and then the Information and Records Management team.
5.2 Line managers are responsible for ensuring that all DWP staff, contractors, third parties and suppliers working on the DWP estate understand their responsibilities as defined in this policy and that they continue to meet its requirements for the duration of their employment within DWP. It is a line manager’s responsibility to take appropriate action if individuals fail to comply with this policy. Breaching this policy may result in a breach of Section 3 of the Acceptable Use Policy which could lead to disciplinary procedures.
5.3 The DWP Security and Data Protection Team will regularly assess compliance with this Policy and may inspect technology systems, paper holdings, design, processes, people and physical locations to facilitate this. All staff, contractors, third parties and suppliers, who create, handle or store information on the DWP estate are required to facilitate, support, and, when necessary, participate in these inspection requests.
5.4 Employees are responsible for ensuring that they understand their responsibilities as defined in this policy and the Acceptable Use Policy.
5.5 Once this document has been read and understood by a member of staff, they should record the information in line with the Security Responsibilities Checklist.
Version Number | Date Drafted | Change |
---|---|---|
6.5 | 27/09/2023 | Changed from Old style ‘view’ to new security policy template style ‘view’ changed in full. Updated content to be consistent with the current published internal version of IMP. |
6.6 | 01/02/2024 | To include NCCC following Cabinet Office memo |
6.7 | 01/07/2024 | To add in reference to MS Teams at 4.1.4, as per GIAA/ICO suggestion, renumbering of section. |
6.8 | 01/10/2024 | 4.3.5 changed following CINDE surge 2 update |