Data and information management

Fire and rescue services capture data and information to support their core functions, including:

• Operations, including fire control room functions
• Fire safety
• Emergency planning
• Investigations
• Health and safety
• Operational learning

Fire and rescue authorities should take into account the legal responsibilities placed on them regarding the use, storage and transfer of data. In particular there is a requirement that all relevant data held by the fire and rescue service should be available and should be used to reduce and manage operational risk, whether this be to personnel, other service employees or others for whom the fire and rescue authority is responsible.

Data and information strategy

Fire and rescue services should develop a data and information strategy to determine:

• What data and information is collected and stored
• How the data and information can be stored, used or shared
• How data and information will be security classified
• How data and information will be kept secure
• Who is allowed to access data and information
• How long data and information will be retained for
• The information management systems that will be used, including:
  • Whether they are standalone or integrated
  • The implications of their structure
  • How they support operational activity
  • Contingency arrangements
• What assurance processes will be used to check on adherence to the strategy

The data and information strategy should also set out to ensure that all information-related activity complies to current legislation and regulations, including:

• Data Protection Act
• General Data Protection Regulation
• Security Policy Framework
• Freedom of Information Act
• Human Rights Act, for storage and movement of photographic or video records

Processes should be put in place to identify any changes in legislation or regulations, that will require changes to be made to the data and information strategy. There should also be processes in place for updating relevant personnel on any changes in the data and information strategy.

The data and information strategy should also be considered when fire and rescue authorities develop their risk management plan and should consider types of information including:

• Photographs
• Breathing apparatus boards
• Incident command board
• Messaging and incident logs
• Fire control room voice recordings

Operational data and information

Operational data and information is a critical resource, that assists with functions, such as:

• Planning
• Mobilising
• Organising, leading and controlling an incident

To effectively support operational activity, data and information needs to be:

• Available – to the processes and procedures used to gain it, and provided to those who need to use it
• Accurate – as determined by measuring the information against actual events or occurrences
• Timely – current when it is received
• Relevant – it concerns the situation or problem at hand, and can help solve a problem or contribute to a solution

Information management

Information management involves collecting and managing information from one or more sources and distributing the information to one or more audiences. This sometimes involves those who have a stake in, or a right to, that information.

Information management is a discipline that governs accountability for the structure and design, storage and security, movement, quality, delivery and usage of information required for management and business intelligence purposes.

Information management systems

An information management system (IMS) collects, transmits, processes, and stores information that supports the management functions of an organisation. In fire and rescue services, an IMS may also support operational decision-making and appropriate responses to incidents.

Fire and rescue services may decide to use tailored systems to deliver information to personnel, such as vehicle-mounted data systems, often referred to as mobile data terminals (MDTs).

Report writing and note taking

Legislation, such as the Criminal Procedures and Investigation Act, the Criminal Justice Act and the Criminal Justice Act (Northern Ireland) should be referred to regarding the legal standpoint for official report writing and note taking. This includes the need to:

• Record the information as soon as practicable
• Retain the information in its original and complete format
• Reveal the information when requested
• Review the information for accuracy, procedural applications and assessment of corporate or operational risks and threats

National incident recording system

The incident recording system (IRS) is a fully-automated electronic data capture system, which enables data on all incidents attended by the fire and rescue service to be collected. It provides a national standard of data collection to assist with:

• Gaining an understanding of how each service operates
• Planning
• Providing key performance indicators (KPIs)

The IRS also helps to continually improve the timeliness and accuracy of data, and may be used to underpin research and development.

Gathering high quality information from attended incidents is key to understanding and managing risks using the appropriate resources. The use of a core set of questions may assist with this process.

If fire and rescue services input poor quality or inconsistent information, it may result in:

• Inaccurate KPIs
• Inaccurate planning, risk management and decision-making
• Inaccurate shared information, which may affect partners and stakeholders

Information security

The data and information strategy should aim to minimise the risk of inappropriate access to electronic or paper sources of data or information. The following three levels are identified in His Majesty’s Government (HMG’s) Government Security Classifications:

OFFICIAL:  The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile. There is no requirement to mark routine OFFICIAL information.

SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.

TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

There are four key principles for security classification:

Principle one: All information that HMG needs to collect, store, process, generate or share to deliver services and conduct government business has intrinsic value and requires an appropriate degree of protection.

Principle two:  Everyone who works with government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.

Principle three: Access to sensitive information must only be granted on the basis of a genuine ‘need to know’ and an appropriate personnel security control.

Principle four: Assets received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.

It will be necessary to identify which employees require access to secure data or information. They will need to undergo security clearance if they need access to data or information which has higher levels of security classification.

Further information about security classifications can be found on the GOV.UK website.