Freedom of Information Act Document

Protective Marking: Not Protectively Marked

Publication (Y/N): Y

Title: Computer Misuse

Summary: Student Lesson Note - Police Constable Foundation Training

Branch/OCU HR3 Foundation Training

Date Created: 23.11.2010

Review Date: 23.11.2013

Version: 3

Author: Richard Goodwin 195177

Ownership: Amanda Dellar - Chief Inspector

Metropolitan Police Service

Directorate of Training and Development

Police Constable Foundation Course

Computer Misuse

Lesson 347



© Metropolitan Police Authority 23.11.10 Computer Misuse/347 HR3 CURRICULUM TEAM

Contents

METSEC CODE

MPS Security Principles

Protection of Unattended Information

Information Code of Conduct

Information Code of Conduct FAQs

Personal Use of MPS Information, Communication and Technology Systems

Computer Misuse Act 1990

Management of Police Information

Data Protection Act 1998

Protective Marking system

MPS Information & ICT Systems - Conditions of Use

Information Code of Conduct Acknowledgement Form

THE METSEC CODE

The METSEC Code is the Security Policy Manual for the Metropolitan Police Service. The METSEC Code deals with all aspects of security and provides policy, instruction, advice and guidance to protect our assets. Our assets are not just the property we own, but also our people and information. Our success or failure in protecting these assets has a direct effect on police operations and the resources available for policing purposes. It also influences the public’s perception of our professionalism and has a significant effect on public confidence.

It is, however, the personal responsibility of each member of the MPS to comply with the Code and maintain their awareness of security issues.

It must, however, be clearly understood that the mandatory requirements of the METSEC Code are instructions; deliberate failure to comply with them may be regarded as a breach of discipline and dealt with under the appropriate code of conduct.


The MPS Security Principles

‘MPS Security is Everyone’s Personal Responsibility’

The MPS is SECURE when:

1. Everyone displays ID whilst on MPS Premises

2. Passwords are strong and not shared

3. Desks are clear and workstations locked

4. Data is accessed and shared only when there is a ‘Need to Know’

5. All data is Protectively Marked

6. Mobile Devices are secured and data encrypted

7. Security Incidents and vulnerabilities are reported


THE PROTECTION OF UNATTENDED INFORMATION

Information threat - Information leakage is a significant concern for MPS operations and business processes. Both internal and external threats to information security are heightened by risks associated with unattended information. Any loss, interference with or compromise of sensitive information will cause serious difficulties for the organisation. Consequently there needs to be constant vigilance by all MPS personnel and a high standard of managerial control in respect of any unattended information.

Definition - Unattended information is information which, because of its value or sensitivity, merits protection and requires controlled access. If at a given moment in time it is not supervised by an individual or protected by appropriate physical or technical means, it is put at risk of unauthorised disclosure. It follows that unattended information is information which is vulnerable to access by unauthorised persons and to which material access must be controlled. The value or sensitivity refers to information that would normally be classified as protectively marked [see GEN1 of The METSEC Code].

Information format - Information is generally considered ‘unattended’, more vulnerable and therefore at greater risk when it has been removed or copied from an ICT system. Information is also unattended prior to processing onto a host ICT system or if it only ever exists in a hard copy paper form. Good local practices and adequate technical/behavioural controls should be implemented to reduce the risk of any loss of data whilst it is in a vulnerable state.

Risk - Open plan offices, ‘hot desking’ and ‘team space’ office management arrangements can present security challenges around enforcement of the ‘need to know’ principle. Working away from MPS premises or environment also increases the risks to information. This means that clear desk/clear screen and other policies/procedures are important to protect any unattended information.

Compliance - Thus, all MPS personnel, partners and agents need to be aware of these risks and should familiarise themselves with the following guidance. It should be realised that individuals [both managers and staff] will be held responsible for failures to follow any reasonable instructions and guidance to protect MPS information under their control.


Information Code of Conduct

Introduction

Information and intelligence leakage poses a significant and growing threat to the operational effectiveness of the MPS. Misuse of MPS information and information, communication and technology systems may result in the loss of public confidence in our ability to safeguard information.

This code of conduct summarises Service policy on the use of MPS information and information and communication systems. You should be aware that instances of misuse might result in disciplinary action and may constitute a criminal offence.

Use of MPS Information

Only use information for official policing purposes that constitute part of your public duty. This covers information in all formats e.g. text, images, photographs and videos.

Use for personal purposes is strictly forbidden. This includes using MPS information within blogs on the internet.

You cannot access information for personal or family reasons. If you believe you may be in that situation you must bring the matter to the attention of your line management.

Only share information with those with a genuine ‘need to know’. Check with your line manager or information manager if you are in any doubt before releasing any information.

Only use and disclose information in accordance with legislation e.g. Data Protection Act, 1998 and the Freedom of Information Act, 2000.

The statutory Code of Practice on Management of Police Information 2005 defines ‘police information’ as “information for a policing purpose” (e.g. crime and public protection).

Police information is a corporate resource and must be searchable and retrievable by those that need to use it for official purposes. Unless officially sanctioned to do otherwise by management you must store police information in the relevant ‘corporate repository’ (i.e. MPS file plan, registered file, or key MPS system, e.g. CRIMINT). You must not store police information where it cannot easily be searched for and retrieved. Police information input or processed in non-corporate systems (e.g. in locally developed spreadsheets/databases, in your AWARE ‘home directory’, or on a stand-alone computer) must be transferred into the corporate repository at the earliest opportunity.

Email is not a corporate repository; it is a communication tool. Police information that needs to be retained must be stored in the relevant corporate repository, rather than as the contents of an email in your inbox or other Outlook folder.


Use of MPS Information, Communication and Technology Systems

You must not, unless your duties require you to do so:

Create, adapt, view, display or transmit any material that is defamatory, racist, sexually explicit or pornographic, sexist, homophobic, religiously offensive, illegal, in breach of the MPS diversity and equal opportunities policies or otherwise offensive.

Open, execute, store or install onto any MPS information system, transmit or solicit from others any software or executable files.

Create, adapt, store, view or transmit any malicious code (e.g. a computer virus or worm).

You must not under any circumstances use any information, communication or technology system for personal business reasons.

The only information, communication, and technology systems in relation to which any personal use will be permitted are the Metphone telephone system, mobile telephones, facsimile (fax) machines, Microsoft Word, Excel and Outlook (email) on AWARE.

Only a very limited and reasonable amount of personal use will be permitted [see Personal Use of MPS Information, Communication and Technology Systems SOPs on the Information Management website for details].

The use of any other MPS or national information system for personal purposes is strictly forbidden and may lead to disciplinary action. It may constitute a criminal offence.

Protective marking

You must:

Mark information in accordance with the Protective Marking System. Information not requiring a protective marking should be marked Not Protectively Marked.

Ensure information is stored, circulated and disposed of in accordance with the protective marking.


Access control

You must:

Protect your password(s) to information systems.

Log off before leaving a workstation. You are accountable for actions undertaken under your user identity.

Ensure information is appropriately secured when offices are left unattended.

Limit access to all information on a ‘need to know’ basis.

Monitoring and audit

It should be noted that as part of the proper management of the MPS, its public functions and its resources, it is necessary to monitor information systems to the extent permitted by law. On occasions this may result in the deletion of information.

Details of the web pages you visit are recorded and may be audited.

The monitoring and recording of communications will only be used where the level of intrusion is proportionate to the matter under investigation or evaluation.

You must report incidents of misuse or security breaches to your line management.


Information Code of Conduct

Frequently Asked Questions

Why do we have an Information Code of Conduct?

The Code sets out rules to ensure that staff and other users know what is expected of them because we all have an obligation to the public and our colleagues to act in a lawful, ethical and professional manner.

Why Must I follow the Information Code of Conduct?

Failure to follow the Information Code of Conduct can jeopardise operational policing and other MPS business and, in certain cases, will be unlawful. Individuals who do not follow the Code face disciplinary action or even criminal prosecution. Deliberate misuse of MPS information systems usually constitutes ‘gross misconduct’ resulting in penalties, up to, and including, dismissal. In the case of new members of Police Staff joining the MPS, a requirement to comply with the Code has recently been written into the contract of employment.

Is Non-Compliance Really a Criminal Offence?

There are many acts of Parliament that create criminal offences relevant to your use of information and information systems, most notably:

Computer Misuse Act, 1990;

Copyright, Designs and Patents Act, 1988;

Data Protection Act, 1998;

Obscene Publications Act, 1959;

Official Secrets Acts, 1911-18 & 1989;

Disability Discrimination Act, 1995;

Race Relations Act, 1976;

Race Relations (Amendment) Act, 2000; and

Sex Discrimination Act, 1975.

You could be personally liable and may even be arrested and charged with a criminal offence for deliberately breaching legislation. So read the Information Code of Conduct carefully and seek clarification of anything that is not clear to you.

I’m a member of a Staff Association – can I use MPS systems for Staff Association administration?

This is acceptable provided that no relevant MPS Policy/SOPs are breached and the use is in relation to the organisation’s core business, not for advertising or other non-core activities. Under the same rules members of the Police Federation, the police staff unions and Sports and Social clubs are permitted use of MPS information systems for administration purposes. You must be aware that privacy cannot be guaranteed for communications and files on MPS equipment.


Can I use MPS systems for personal purposes?

The only information systems in relation to which any personal use will be permitted are the Metphone telephone system, MPS Mobile phones (but not Airwave radios), facsimile (fax) machines, and the use of the Microsoft Word, Excel, and Outlook (email) applications on AWARE. Web browsing for personal purposes remains prohibited.

Only a very limited and reasonable amount of personal use will be permitted (see Personal Use of MPS Information, Communication and Technology Systems SOPs on the Information Management website for details).

You must remember that you may only use MPS information for official MPS purposes and you must not under any circumstances use any MPS information system for personal business reasons. You should also remember that the personal use of MPS or national policing information systems (such as CRIS, CRIMINT or PNC) is strictly forbidden and may lead to disciplinary action and even prosecution.

If you have any concerns about what constitutes limited and reasonable personal use of e-mail and Microsoft Word on AWARE you should consult your line management who will be able to advise further on what is permitted.

I Am Concerned About The Safety of My Family, Can I Perform a PNC and/or CRIMINT Check on a New Neighbour?

You cannot access MPS or national police information for any personal or family reasons. This includes where you have a family member or private association with any person whom you know, or suspect, to be involved with criminality. If you believe that you may be in that situation you must bring the matter to the attention of your line management, who will then make a decision about whether a check is necessary. Any check will then be properly authorised, completed by Borough Intelligence Unit (BIU) staff, and recorded for audit purposes. This will protect you from any subsequent accusation of misuse of PNC.

I am considering buying/renting a house and want to know if it is a suitable place for a Police Officer to reside?

Likewise you cannot use MPS or National Police Information for personal or family reasons. The MPS cannot be held responsible for any decision you make to purchase or rent property based on information to which you may have had access. Any check must be carried out by BIU staff, who may only be able to give basic information as to the suitability or otherwise of such premises.

Do I have a RIGHT to use MPS systems for personal purposes?

No, the limited reasonable personal use (see previous FAQ) amounts to a concession to authorised users and does not grant a right or entitlement. Any suspected abuse, misuse or negligence in relation to personal use is likely to result in the removal of this concession, without further notice, for those persons who are reasonably believed to be involved and they may face being disciplined. Local line management will enforce the policy.


Can I e-mail my friends and family?

Yes, providing that this does not involve the exchange of MPS information and that you comply with the ‘Personal Use of MPS Information Systems’ SOPs on the Information Management Intranet site.

Can I send emails containing jokes and funny cartoons/pictures?

This is strictly prohibited and will be treated as misconduct. The personal use concession is intended to enable authorised users to attend to occasional unforeseen private matters and communicate accordingly; the circulation of jokes or ‘funnies’ and other horseplay is an abuse of the concession.

Think carefully before sending such a message. This type of material may be amusing to you but can make you (and the MPS) appear very unprofessional or even be deemed offensive by the recipient. Furthermore, graphics, sound files and movie clips contained in attachments use a large amount of network capacity and can affect performance and operational use.

I have received an email with a pornographic image attachment, what should I do?

You are unlikely to be held responsible for the content of an unsolicited email that you have received; however, you must inform your line management as soon as practicable and report the matter as a ‘security incident’ to Information Compliance on MPS extension number 785084 or online on their Intranet site.

You must not forward the email or display the image to anybody under any circumstances; to do so may even constitute a criminal offence for which you can be arrested and charged. When an email with such content is detected, the entire message ‘thread’ can be examined and all those within that thread who have forwarded the material can be identified.

What should I do if I receive a chain email, or joke via email?

Again, you must not forward the email to anyone. Inform your line management and report the matter as a security incident to Information Compliance on 785084 or online on their Intranet site.

I understand that long-term storage of personal emails or files is not permitted, and if I want to retain such documents/emails I should make a back up on my own storage media. May I use a memory stick for this purpose?

No. Memory sticks are not approved for use on AWARE, and although the new Windows XP desktop which is due to replace the current AWARE workstations will contain software allowing approved users to use specified additional devices, such as USB memory sticks, these must be official devices that have been issued by the MPS, not personal media devices. For backing up personal files or emails you should use your own recordable CD, DVD or floppy disc.


Can I share my views and experiences via web-logs or blogs?

No, because access to the World Wide Web for personal purposes is prohibited.

Whilst there is nothing to stop any serving police officer or member of police staff from ‘blogging’ in their own time on their own computer equipment, you should be careful if you do so, ensuring that you are familiar with the blogging section in the ‘Internet and Email’ Standard Operating Procedures. In particular, you are not permitted to use MPS information for personal purposes.

Can I do on-line banking or purchasing?

Not for personal purposes as web browsing is prohibited.

To protect your details over the Internet such transactions are encrypted. Once encrypted, the electronic traffic cannot be scanned by the SEG (MPS Secure External Gateway), thus exposing our network to computer viruses and other dangers. In exceptional circumstances making official purchases may be permitted on a case-by-case basis with trusted sites. Contact Information Compliance on 785084 for further information about this.

Do you monitor my use of MPS systems?

Yes. As part of the proper management of the MPS, its public functions and its resources, MPS information and communication systems are monitored to the extent permitted by law.

Monitoring of all electronic communications is carried out electronically at the Secure External Gateway (SEG), through which most electronic communications are routed.

It is MPS policy that the monitoring and recording of communications will only be conducted where the level of intrusion is proportionate to the matter concerned. Emails properly marked ‘[Personal]’ in the subject field are not routinely read by monitoring staff. However, where there is reason to believe that MPS rules have been breached, or an offence committed, then the actual content of e-mails and any attachments, as well as files created or used, may be examined.

Individuals who come to notice are reported to their OCU commander/head of branch or The Directorate of Professional Standards, in accordance with MPS SOPs ‘Security Incident Reporting Handling and Investigation’, published on the Information Management Intranet site.

If you wish to keep any personal email correspondence or file completely private, then you must use your own computer equipment to access your own private email address away from MPS premises. Similarly, telephone calls and/or messages may be monitored or accessed, and you must use your own personal telephone in order to keep your communications completely private.


How do I identify Personal Emails and Documents?

You should identify personal emails by the inclusion of ‘[Personal]’ (including the square brackets) in the ‘subject’ field of all personal emails. Emails not marked as personal in this way will be treated as business emails for all purposes including monitoring and archiving/retention.

To identify personal documents on AWARE, you should create a new folder in ‘my documents’, which you will name ‘personal’. Any documents not saved to this folder will be treated for all purposes as business documents.

As previously stated, these measures do not guarantee that these emails and documents will remain private if there is reason to believe that the facility is being abused, policy/SOPs breached or an offence committed.

Storage of personal e-mails or personal Word documents is not permitted. You must delete all such information within 7 days or when you leave the service, whichever is sooner.

Can my line management or an authorised third party examine my personal email or document?

Yes. This may, for example, take place for the purposes of investigating or detecting the unauthorised use of the MPS’ Information, Communications and/or Technology systems, for the purposes of preventing or detecting crime or in the interests of national security.

I need to work from home using my non-MPS computer. Can I send e-mails home?

The Working Away From The Office (WAFTO) policy does allow for occasional use of non-MPS computers. In such circumstances you may e-mail work home but only if the information is not ‘personal information’ AND does not merit a protective marking. Full details are contained in the WAFTO SOPs accessible from the Information Management Intranet site. If you need to work regularly from home using a computer you should obtain approved AWARE computer equipment.

What is meant by the term ‘Police Information’?

Police Information is a subset of MPS Information and is widely referred to in the Manual of Police Information, known as MoPI. Police Information is information that is required for a ‘policing purpose’ as defined in the statutory Code of Practice on Management of Police Information, 2005. MPS Information includes Police Information but also all other information, such as personnel files, sick records and financial information.

What material can I send using the Internet?

The Internet is an inherently insecure means of communication. You may not send information meriting a RESTRICTED or higher protective marking, unless you are using an approved encryption package. For further details contact Information Compliance on 785084.


What is a protective marking?

The Protective Marking System (PMS) is a classification framework that should routinely be applied to all information. The purpose is to identify the appropriate measures for handling and managing the information on the basis of its value and in accordance with the risks to the MPS if it was ever compromised. It is a nationally recognised framework, so it is invaluable for the sharing of information with our partners. The detailed guidance on the PMS and the impact criteria to be used when setting a protective marking (or alternatively NOT PROTECTIVELY MARKED) can be found in the METSEC Code (The MPS Security Code) at GEN1, which is accessible from the Information Management Intranet site.

Why is the Internet insecure?

When you send an email over the Internet it passes through a network of servers worldwide on its way to the recipient. Your email and any attachment can be viewed by anyone with access to those servers and there is software that is easily available which can be used to ‘harvest’ your document. In essence you should not send any email or attachment containing information that you would not be happy to be freely available in the public domain.

How can I send protectively marked Information?

You must not send information protectively marked CONFIDENTIAL or above over the Internet.

Can I let a new member of staff use a system under my login?

This is STRICTLY forbidden. You must protect your password and NEVER divulge it to a third party under ANY circumstances. You will be held responsible for all actions carried out under your user ID. For that reason you should ensure you are never overlooked when logging in to a system and ‘lock’ your workstation whenever you leave it unattended, even for a short period. You should log out altogether to leave your workstation for longer periods.

You should NEVER attempt to log in to a system using another user’s password, or any password not allocated to you.

See Section TEC5.6 ‘PASSWORD USE AND COMPOSITION’ of The METSEC Code for more about how to use and protect your password.


Personal Use of MPS Information, Communication andTechnology Systems

Introduction

1.1 The information, communication and technology systems operating within theMetropolitan Police Service (MPS) are a resource provided to authorised users ofthese systems to facilitate the work of the MPS.

1.2 It is understood that authorised users may occasionally need to attend tourgent unforeseen personal difficulties during the working day. As a concession toauthorised users, limited and reasonable personal use of MPS information,communication and technology systems will be permitted as is set out in thesestandard operating procedures (SOPs).

Personal Use

2.1 The only information systems in relation to which any personal use will bepermitted are the Metphone telephone system, MPS Mobile phones, facsimile (fax)machines, and the use of the Microsoft Word, Excel, and Outlook (email) applicationson AWARE.

2.2 Web browsing for personal purposes remains prohibited.

2.3 Browsing of sites approved by the Infrastructure Senior User Assurance Group(listed under ‘www links’ on the MPS Intranet) is not considered as personal use.

2.4 The work of the Police Federation, staff associations, the unions and anycommunication relating to union business is permitted, provided that the use is inrelation to the organisation’s core business, not for advertising or other non-coreactivities. You must be aware that privacy cannot be guaranteed for communicationsand files on MPS equipment (See Section 5.)

2.5 The use of any other MPS or national information, communication, and technologysystem (e.g. browsing PNC, CRIS, TRIS, CRIMINT, etc.) for personal purposes isstrictly forbidden and may lead to disciplinary action up to and including summarydismissal for ‘gross misconduct’. It may also constitute a criminal offence.

Permitted Personal Use

3.1 During working hours, you may send emails, text or fax messages or maketelephone calls and deal with incoming emails, text messages, faxes or telephonecalls for personal purposes, only so far as is necessary to deal with urgent andunforeseen personal matters.

3.2 During permitted breaks from your working time, you may make occasional telephone calls, send brief text or fax messages, and use the Microsoft Word, Excel and Outlook (email) applications on AWARE for personal purposes.

The personal use at 3.1 and 3.2 is only permitted provided that such use is;

reasonable;

does not interfere with your work or that of anyone else;

is lawful;

is not for outside business purposes or for personal financial gain;

does not breach any MPS policy or standard operating procedures, and

in the case of personal use for urgent and unforeseen matters at 1, is limited to a few minutes at a time.

If you are in any doubt as to what constitutes a ‘permitted break’, or what is deemed to be ‘reasonable’ use, then you should consult with your line management. You should consider informing line management about the circumstances at 3.1, as they may need to know for welfare related reasons.

3.4 Any personal email, text message, or fax message must be brief, normally consisting of only a few lines of text. The sending of images, sounds, or video files is prohibited. You must take care not to over-burden MPS information systems by processing, storing or transmitting large quantities of personal material or large files.

3.5 Any personal telephone calls must similarly be brief. You must obtain permission from your line manager before you make any personal call to a premium rate or international number, or send a personal fax message at international rates. You may be asked to pay for the call or fax. For audit purposes line managers must keep a local record of such calls, to include; time, date, extension, number called and duration.

3.6 Long-term storage of personal Word or Excel documents, or personal emails (sent or received) is not permitted. You must exercise good housekeeping and delete all such documents/emails as soon as they have served their immediate purpose, or when you leave the MPS, whichever is the sooner. If you wish to retain such documents/emails as a record then you must make a back-up onto your own storage media (See also 3.9). The MPS reserves the right to delete such information if you fail to do this, without prior notice to you.

3.7 You must identify personal emails by the inclusion of the word “[Personal]” (including the square brackets) in the ‘subject’ field of the email. Email not marked as personal in this way will be treated as business email for all purposes including monitoring and archiving/retention. You must identify personal documents on AWARE by creating a folder under ‘my documents’ which you will name ‘personal’. Any documents not saved to this folder will be treated for all purposes as business documents.

3.8 All email will be retained in accordance with MPS Retention Rules, including those that are personal. The MPS Email Retention Rules will routinely specify a longer retention period for MPS Business related email. The MPS will routinely delete email, personal or business, at the end of its specified retention period.

3.9 The security and integrity of any personal e-mails or files cannot be guaranteed and you must ensure that you back-up onto your own storage media any personal information you need to retain. Neither the Metropolitan Police Authority nor the Commissioner of Police of the Metropolis can accept any liability for any loss sustained in connection with any personal use of MPS information or communication systems. Only in highly exceptional circumstances will any technical support (e.g. recovery of a deleted file) be provided in connection with personal use.

3.10 Official MPS business will take priority at all times. Where personal use is being made of a workstation, fax machine, printer or telephone and it is required for an operational or business reason the personal use must be discontinued immediately.

3.11 All users of computer equipment within the MPS should already be aware of the need to take regular short breaks from keyboard and mouse use and from reading material displayed on computer screens. These breaks help reduce the risk of injury as well as relieving mental and physical fatigue.

3.12 You must reimburse the MPS for the cost of any personal calls made using an MPS-issued mobile telephone. Your local Finance and Resources Manager will be able to advise you accordingly.

3.13 You may only print your personal document or email if it is genuinely necessary to do so and if the document or email is short.

Prohibited Personal Use

4.1 It is strictly forbidden to make any personal use whatsoever of any MPS information, communication or technology system other than the limited use outlined in section 3 above of these SOPs. Browsing of the World Wide Web remains prohibited. Personal use of email on AWARE does not extend to use of any web-based email.

4.2 Airwave users must not use Airwave telephony for personal purposes under any circumstances.

4.3 In relation to the use of any MPS information, communication and technology system for personal purposes, it is strictly forbidden to;

transmit any MPS information (including ‘personal data’ as defined by the Data Protection Act, 1998) other than for official MPS purposes;

transmit anything that could harm the MPS, its staff or officers, its effectiveness or its reputation;

create, adapt, store, view, display or transmit any material that is defamatory, racist, sexually explicit or pornographic, sexist, homophobic, religiously offensive, illegal, in breach of the MPS diversity and equal opportunities policies or otherwise offensive;

harass, bully, intimidate or offend others;

open, execute, store or install onto any MPS information systems, transmit or solicit from others any software or executable files;

author or transmit to any individual or organisation any material or message that could bind the MPS into a contract to purchase goods or services;

impersonate another individual or organisation;

engage in any activity which may mislead others as to your rank, grade, status, level of authority or responsibilities;

author, store, solicit or circulate chain letters or chain e-mails, junk e-mails, electronic greetings cards or electronic ‘games’;

engage in the activity known as ‘spamming’;

enrol on e-mail mailing lists (except for work purposes) or for marketing or junk e-mail;

create, adapt, store, view, display or transmit any file or attachment (including a virus or worm etc.) other than a Microsoft Word, or Excel document;

create, adapt, store, view, display or transmit any image, sound (e.g. MP3) or video file;

further any business interests (including your own);

conduct, or to assist another or others, in any illegal or immoral activity.

Connect any personal device (e.g. Camera or MP3 player) to MPS equipment, without the specific permission of the MPS Information Security Officer.

It is also forbidden to engage in any of these activities for MPS business use, although individuals may be officially authorised to engage in some of them if their current official duties require it, see also GEN5 of The METSEC Code.

4.4 This personal use policy is a concession and not an entitlement. Any abuse, misuse or negligence in the use of MPS information, communications and technology systems is likely to result in the removal of this concession, without further notice, for those who are reasonably believed to be involved. Failure to comply with this policy may also result in disciplinary proceedings, which may result in a penalty up to and including your dismissal. Anyone who makes unauthorized use of personal data, or the information contained within it, is liable to prosecution under the Data Protection Act, 1998.

Privacy and monitoring

5.1 You should clearly understand that marking an email ‘[personal]’, or saving a document into a ‘Personal’ folder, does not necessarily mean that it will remain private. There may be occasions where the MPS will be entitled to review emails, documents and files, including those marked ‘personal’, and disclose any information within them.

5.2 As part of the proper management of the MPS, its public functions and its resources, MPS information and communication systems are monitored to the extent permitted by law. Any e-mail and/or attachments as well as files created or used may be read by monitoring staff for the above purposes as well as, for example, to detect misuse of the MPS systems, for the purposes of preventing or detecting crime or in the interests of national security.

5.3 If you wish to keep any personal e-mail correspondence or file completely private, then you must use your own computer equipment to access your own private email address away from MPS premises in your own time. Similarly, telephone calls and/or messages may be monitored or accessed, and you must use your own telephone in order to keep your communications completely private.

COMPUTER MISUSE ACT 1990

The Computer Misuse Act 1990 [as amended by the Police & Justice Act 2006] creates three main offences:

• unauthorised access to computer material;

• unauthorised access with intent to commit or facilitate commission of further offences; and

• unauthorised acts with intent to impair the operation of computers.

MANAGEMENT OF POLICE INFORMATION

The importance of the DPA and its application by all police forces to the governance of ‘police information’ is reiterated by the statutory Code of Practice on the Management of Police Information 2005, issued under the provisions of the Police Acts 1996 & 1997; and the accompanying Guidance on the Management of Police Information 2010 (MoPI). Police information is defined as all information, including intelligence and personal data, obtained and recorded for police purposes, as detailed below:

• Protecting life and property;

• Preserving order;

• Preventing the commission of offences;

• Bringing offenders to justice; and

• Any duty or responsibility of the police arising from common or statute law.

MoPI states that for public protection records [e.g. managing sex/violent offenders and potentially dangerous persons] it is essential that information [including personal and sensitive personal data] is recorded and is searchable against other business areas, in order to ensure its accuracy and to facilitate the provision of consistent information. MPS information systems will be designed to these requirements and to meet standards of data quality, reduction in the re-keying of data, evidential weight and systems interoperability.

For police information all MPS officers, police staff and agents should ensure [to meet statutory [including the DPA] and other information management requirements]:

• Information is recorded for a policing purpose;

• Information is recorded in the appropriate format for the business area in which it is held;

• Information is recorded according to the data quality principles – accurate, adequate, relevant and timely [for personal data this also in effect supports the 8 DPA Principles];

• Checks are made to avoid creating duplicate records;

• Make necessary efforts to ensure person records are unique; and

• Information has the correct protective marking applied.

DATA PROTECTION ACT 1998

The Data Protection Act 1998 (DPA) replaced the Data Protection Act 1984 with effect from 1 March 2000. The DPA has since been amended in certain important respects by the introduction of the Freedom of Information Act 2000 (FOIA), effective from 1 January 2005.

The DPA makes provision for the regulation of the processing of personal data. It governs what an organisation, such as the MPS, can and cannot do with personal data including the obtaining, holding, use or disclosure of such information.

Besides damage to the reputation of the MPS, a failure to comply with the DPA could also lead to claims for compensation from data subjects and censure/enforcement action from the Information Commissioner. It may also jeopardise police operations, criminal prosecutions, intelligence gathering and put police officers and the communities they serve at risk.

PROTECTIVE MARKING SYSTEM

The government Protective Marking System (PMS) is designed to help us protect our assets from both internal and external threats.

It is a framework for assessing the value of our sensitive material and provides a set of rules for the handling of such material.

When you originate a document [whether in hard copy or electronic form] you must consider whether it needs a protective marking.

MPS information assessed as requiring a protective marking must be marked with one of the following:

· PROTECT

· RESTRICTED

· CONFIDENTIAL

· SECRET

· TOP SECRET

Information not meriting a protective marking should be marked ‘NOT PROTECTIVELY MARKED’.

MPS INFORMATION & ICT SYSTEMS - CONDITIONS OF USE

If at any time you do not understand any of the Conditions of Use, or need advice, you must contact the DoI2 (3-1) Information Assurance Unit by e-mailing: DoI Mailbox - Security Advice.

You are fully accountable for any actions attributable to your user account. It is therefore important that you never leave unattended a workstation at which you are logged-on, without previously ‘locking’ the screen or logging-off. Any abuse, misuse or negligence in the use of MPS information and/or ICT may result in disciplinary proceedings, which could lead to summary dismissal, prosecution and/or civil proceedings.

PERMITTED USE OF MPS INFORMATION, COMMUNICATIONS & TECHNOLOGY (ICT) SYSTEMS

You may use MPS Information and/or ICT Systems as required to carry out your current official duties, provided that you:

· Are officially authorised to do so;

· You have official authorisation to use the system and have been provided with a unique user id and password;

· Have received any training required to use the system [and passed any competency test];

· Have read the MPS Information Code of Conduct; The Personal Use of MPS ICT Systems SOPs and additionally any system specific Security Operating Procedures (SyOps).

PROHIBITED USE OF MPS INFORMATION, COMMUNICATIONS & TECHNOLOGY (ICT) SYSTEMS

You must never access an MPS information system via a system ‘logon’ that has not been officially allocated to you, nor access any MPS information, information system or application that you are not authorised to use as part of your official function. Furthermore, you must never allow or facilitate anyone else to do so by whatever means.

Unless your duties require you to do so, it is strictly forbidden to use MPS information systems [which includes e-mail] to:

• Create, adapt, store, view, display or transmit any MPS information [including ‘personal data’ as defined by the Data Protection Act, 1998] other than for official MPS purposes;

• transmit anything that could harm the MPS, its staff or officers, its effectiveness or its reputation;

• create, adapt, download, store, view, display or transmit any material that is defamatory, racist, sexually explicit or pornographic, sexist, homophobic, religiously offensive, illegal, in breach of the MPS diversity and equal opportunities policies or otherwise offensive;

• harass, bully, intimidate or offend others;

• open, execute, store or install onto any MPS information systems, transmit or solicit from others any software or executable files;

• author or transmit to any individual or organisation any material or message that could bind the MPS into a contract to purchase goods or services;

• impersonate another individual or organisation;

• engage in any activity which may mislead others as to your rank, grade, status, level of authority or responsibilities;

• author, store, solicit or circulate chain letters or chain e-mails, junk e-mails, electronic greetings cards or electronic ‘games’;

• engage in the activity known as ‘spamming’;

• enrol on e-mail mailing lists or for marketing or junk e-mail;

• further any business interests other than the interests of the MPS; or

• conduct, or to assist another or others, in any illegal or immoral activity.

In relation to the personal use of the e-mail and/or Microsoft Word application on AWARE; and in addition to the prohibited use just described, it is also strictly forbidden to:

• use MPS information or other police information [e.g. information held on PNC] for personal purposes;

• create, adapt, store, view, display or transmit any file or attachment other than a Microsoft Word; or

• create, adapt, store, view, display or transmit any image, sound or video file.

PRIVACY AND MONITORING

You should clearly understand the fact that marking an e-mail ‘[personal]’ in accordance with the Personal Use of MPS ICT Systems SOPs, does not necessarily mean that it will always remain private. There may be occasions where legally the MPS will be entitled to review e-mails marked ‘[personal]’ and disclose any information within them.

As part of the proper management of the MPS, its public functions and its resources, MPS information and communication systems [telephones, FAX machines, computers, e-mail, web-browsing, word processing applications etc.] are monitored to the extent permitted by law. Any e-mail and/or attachments as well as files created or used and your web-browsing history, may be read by monitoring staff for the above purposes. All police officers, police staff and any other users of MPS systems are therefore reminded that their conversations and communications may not be private.

For more information on the METSEC Code (MPS Security Policy Manual) see the Directorate of Information (DoI) Information Assurance Unit Intranet pages.

http://intranet.aware.mps/DoI/DoI/Productsandservices/Information_Security/index.htm

© 2010 Metropolitan Police Authority.

All worldwide rights reserved. No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form by any means: photocopy, electronic mechanical recording or otherwise, without prior written permission of the copyright holder.

Lesson verified by DoI Information Assurance Unit - November 2010

CONDITIONS OF USE OF MPS INFORMATION AND ICT SYSTEMS

You may access AWARE and systems or applications accessible from AWARE to carry out your current official duties, provided that you are officially authorised to do so, have completed any training required to use the system(s) (and passed any competency test) and have read the relevant security operating procedures.

If you are a new AWARE user you must complete the mandatory online (via NCALT) 'MPS Computers and You' training course.

You must never attempt to access AWARE or any system or application accessible from AWARE using a user ID and password not officially issued to you, nor must you ever 'log in' another person or provide them with your User ID and password.

You must comply with the mandatory rules contained within the following documents:

• Conditions of Use of MPS Information and ICT Systems, The METSEC Code - Gen 5

• The AWARE Security operating Procedures

• The Information Code of Conduct SOPs

• The Personal Use of MPS ICT Systems SOPs

You are fully accountable for actions attributable to your user account. Any misuse or negligence in the use of MPS information and/or information systems may result in disciplinary proceedings, which could lead to dismissal, criminal prosecution and/or civil proceedings.

As part of the proper management of the MPS, its public functions and its resources, MPS information and communication technology systems are monitored to the extent permitted by law. Any e-mail and/or attachments as well as files created or used may be read by monitoring staff.

This form MUST be signed and returned to your staff as requested.

Information Code of Conduct Acknowledgement Form

1. I have read, understood and undertake to comply with the Metropolitan Police Service (MPS) Information Code of Conduct.

2. I understand that misuse of MPS information or any information, communication or technology system may result in disciplinary or criminal proceedings.

Signature: Date:

Name:

Rank / Appointment:

Warrant / Pay No:
