Data and information management
Control measure knowledge
Fire and rescue services capture data and information to support their core functions, including:
- Operations, including fire control room functions
- Fire safety
- Emergency planning
- Health and safety
- Operational learning
Fire and rescue authorities should take into account the legal responsibilities placed on them regarding the use, storage and transfer of data. In particular there is a requirement that all relevant data held by the fire and rescue service should be available and should be used to reduce and manage operational risk, whether this be to personnel, other service employees or others for whom the fire and rescue authority is responsible.
Data and information strategy
Fire and rescue services should develop a data and information strategy to determine:
- What data and information is collected and stored
- How the data and information can be stored, used or shared
- How data and information will be security classified
- How data and information will be kept secure
- Who is allowed to access data and information
- How long data and information will be retained for
- The information management systems that will be used, including:
- Whether they are standalone or integrated
- The implications of their structure
- How they support operational activity
- Contingency arrangements
- What assurance processes will be used to check on adherence to the strategy
The data and information strategy should also set out to ensure that all information-related activity complies to current legislation and regulations, including:
- Data Protection Act
- General Data Protection Regulation
- Security Policy Framework
- Freedom of Information Act
- Human Rights Act, for storage and movement of photographic or video records
Processes should be put in place to identify any changes in legislation or regulations, that will require changes to be made to the data and information strategy. There should also be processes in place for updating relevant personnel on any changes in the data and information strategy.
The data and information strategy should also be considered when fire and rescue authorities develop their risk management plan and should consider types of information including:
- Breathing apparatus boards
- Incident command board
- Messaging and incident logs
- Fire control room voice recordings
Operational data and information
Operational data and information is a critical resource, that assists with functions, such as:
- Organising, leading and controlling an incident
To effectively support operational activity, data and information needs to be:
- Available – to the processes and procedures used to gain it, and provided to those who need to use it
- Accurate – as determined by measuring the information against actual events or occurrences
- Timely – current when it is received
- Relevant – it concerns the situation or problem at hand, and can help solve a problem or contribute to a solution
Information management involves collecting and managing information from one or more sources and distributing the information to one or more audiences. This sometimes involves those who have a stake in, or a right to, that information.
Information management is a discipline that governs accountability for the structure and design, storage and security, movement, quality, delivery and usage of information required for management and business intelligence purposes.
Information management systems
An information management system (IMS) collects, transmits, processes, and stores information that supports the management functions of an organisation. In fire and rescue services, an IMS may also support operational decision-making and appropriate responses to incidents.
Fire and rescue services may decide to use tailored systems to deliver information to personnel, such as vehicle-mounted data systems, often referred to as mobile data terminals (MDTs).
Report writing and note taking
Legislation, such as the Criminal Procedures and Investigation Act, the Criminal Justice Act and the Criminal Justice Act (Northern Ireland) should be referred to regarding the legal standpoint for official report writing and note taking. This includes the need to:
- Record the information as soon as practicable
- Retain the information in its original and complete format
- Reveal the information when requested
- Review the information for accuracy, procedural applications and assessment of corporate or operational risks and threats
National incident recording system
The incident recording system (IRS) is a fully-automated electronic data capture system, which enables data on all incidents attended by the fire and rescue service to be collected. It provides a national standard of data collection to assist with:
- Gaining an understanding of how each service operates
- Providing key performance indicators (KPIs)
The IRS also helps to continually improve the timeliness and accuracy of data, and may be used to underpin research and development.
Gathering high quality information from attended incidents is key to understanding and managing risks using the appropriate resources. The use of a core set of questions may assist with this process.
If fire and rescue services input poor quality or inconsistent information, it may result in:
- Inaccurate KPIs
- Inaccurate planning, risk management and decision-making
- Inaccurate shared information, which may affect partners and stakeholders
The data and information strategy should aim to minimise the risk of inappropriate access to electronic or paper sources of data or information. The following three levels are identified in Her Majesty’s Government (HMG’s) Government Security Classifications:
OFFICIAL: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile. There is no requirement to mark routine OFFICIAL information.
SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
There are four key principles for security classification:
Principle one: All information that HMG needs to collect, store, process, generate or share to deliver services and conduct government business has intrinsic value and requires an appropriate degree of protection.
Principle two: Everyone who works with government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.
Principle three: Access to sensitive information must only be granted on the basis of a genuine ‘need to know’ and an appropriate personnel security control.
Principle four: Assets received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.
It will be necessary to identify which employees require access to secure data or information. They will need to undergo security clearance if they need access to data or information which has higher levels of security classification.
Further information about security classifications can be found on the GOV.UK website.
Have a data and information strategy
Procure or develop appropriate information management systems
Conform to legislation and regulations relating to collecting, using, storing, sharing and disposing of data and information
Conform to Government Security Classifications
Identify employees who need to undergo security checks before granting them access to data or information
Ensure all employees understand their individual responsibility for the data and information entrusted to them
Consider inputting data to the national incident recording system (IRS) to support and improve the national standard of data collection
Consider using the data from the national incident recording system (IRS) to improve planning and performance
There are no tactical actions associated with this control measure.