Information security

Security requirements 

56. Security is a requirement under the Data Protection Act 2018, and may additionally be contractually required by other organisations, particularly where data sharing operates. Corporate actions are taken by Information Technology to ensure information security from a technology perspective by means of passwords, firewalls and back-ups for example. The Data Protection Officer provides guidance and monitoring for processes and standards. More specific guidance is listed in the Supporting Information section of this Policy. 

57. Information users and Heads of Section must follow all corporate policies and guidance and, where necessary, in liaison with Information Technology and the Data Protection Officer, adopt any additional security measures commensurate with the nature, value and risk of the data. Heads of Section must establish what is needed by completing a risk assessment. This applies to personal data as well as to any other records held by the Authority which are not personal data but remain sensitive.

58. The measures implemented must be an appropriate package of technology, process and organisational controls, and ensure the information is protected throughout the life cycle of the information from creation to processing, storage and disposal. 

59. As a minimum, specific security measures must be applied which ensure that:

  • Information is valued, the security of the information is risk assessed, and appropriate controls are implemented
  • Unauthorised access is prevented
  • Confidentiality is maintained
  • Unauthorised disclosure through deliberate or careless action is prevented
  • Integrity of information is assured by preventing unauthorised modification
  • Information is accessible to authorised users
  • Regulatory and legislative requirements are met
  • Business continuity plans for ensuring information availability are produced, maintained and tested as far as practicable
  • Information security guidance is available for staff
  • All suspected breaches of information security are reported to the Head of Section and the Data Protection Officer, and then investigated under the process set out in Annex 1. Additional guidance for completing a risk assessment for a breach is attached at Annex 2.

60. All agreements relating to information and data sharing protocols must include a section detailing security requirements.