Guidance

DWP Information Management Policy

Updated 4 March 2026

This is version 7 effective from 2 February 2026

This DWP Information Management Policy is part of a suite of policies designed to promote consistency across the Department for Work and Pensions (DWP) and its supplier base with regard to the implementation and management of security controls. For the purposes of this policy, the terms DWP and Department are used interchangeably.

Security policies considered appropriate for public viewing are published on DWP procurement: security policies and standards.

Security policies cross-refer to each other where needed, so can be confidently used together. They contain both mandatory and advisory elements, described in consistent language (see table below). 

Table 1 – Terms

Term       Intention
---------  -------------------------------------------------
must       denotes a requirement: a mandatory element.
should     denotes a recommendation: an advisory element.
may        denotes approval.
might      denotes a possibility.
can        denotes both capability and possibility.
is/are     denotes a description.

Overview

The DWP Information Management Policy and DWP Information Management Standard ensure we follow the information lifecycle governing how we create, store, use, and dispose of information to meet business requirements and legal obligations.

The DWP Information Management Policy sets out the actions required to ensure that DWP:

  • Retains only those documents and information which support business objectives;
  • Saves money by reducing information storage costs;
  • Protects against allegations of selective document destruction; and
  • Manages our information risks.

Effective information management safeguards both our customers and our key corporate information, maintaining DWP’s reputation and protecting the public purse for now and in the future.

Purpose

This Policy, and the principles outlined within it, have been developed to provide a consistent approach to managing information and records throughout their whole lifecycle. This serves to achieve DWP’s efficient management of records for the effective delivery of its services, to document its activities and to maintain the corporate memory.

Compliance with this policy framework will help DWP to comply with the following obligations:

  • The Public Records Act 1958
  • The Data Protection Act (DPA) 2018
  • The UK General Data Protection Regulation (UK GDPR)
  • The Civil Service Code (which states that you must keep accurate official records and handle information as openly as possible within the legal framework)
  • The Freedom of Information Act (FOIA) 2000
  • Inquiries Act 2005

This policy must be read and implemented in conjunction with the DWP Acceptable Use Policy (AUP), the DWP Information Security Policy, the DWP Generic Recording and Transcription Policy and the DWP Information Management Standard.

Scope

This policy applies to:

a) DWP employees, including contractors, consultants, and other workers (referred to in this document as ‘users’) involved in creating, handling, or storing information for the DWP.

b) All contracted third-party suppliers whose systems or services store, handle, or process DWP information, or are involved in the provision of information lifecycle management for the DWP; to ensure the appropriate levels of assurance for the confidentiality, integrity, and availability of the DWP’s assets.

c) This Policy does not replace any legal or regulatory requirements.

d) All information held in all storage repositories for DWP.

e) Information in all formats including but not limited to all paper documents, electronic records and Non-Corporate Communication Channels (NCCC) such as WhatsApp, videos, DVDs, emails, social media posts, databases, websites, and Intranet sites.

Definitions

Users

This is the collective term used to describe all those who have access to the Department’s information and information systems as outlined in the Scope of this policy.

Staff

All DWP employees whether permanent or temporary, including contractors, partners, and service providers.

Information

All information of whatever nature, however conveyed and in whatever form, including in writing, orally, by demonstration, electronically and in a tangible, visual or machine-readable medium.

Records

As defined in ISO 15489: information created, received, and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business.

Personal data

Means any information which relates to a living individual who can be identified from it, or who can be identified when that data is combined with other information.

Corporate records

These include all documents and data created by you in day-to-day business (e.g. meeting papers, business plans, risk management documents), including any finance and procurement records.

Customer records

These include any document or information related to a claimant or customer used to administer pensions, welfare, or Child Maintenance, including those used to prevent or detect fraud.

HR records

These include all HR (Human Resources) and staff related documents and Information.

Key Corporate Record

These are high value corporate content documents that record significant decisions, actions, or policies. 

Disposal

The process of carrying out decisions on information/records that are no longer needed. This includes secure destruction of information/records and transfer of key records to an approved archive for long-term preservation.

Line Manager

A person with direct managerial responsibility for a particular employee.

Policy Statements

General

1. Users must follow the DWP Information Management lifecycle when creating, storing, using, and disposing of information.

2. There must be a specific business need or legal requirement to create, store, use, and dispose of any information.

3. Information must be classified in line with the DWP Security Classification Policy.

4. There must be clear ownership of any information throughout the lifecycle.

5. Users must follow good security practices to protect DWP property and information assets as outlined in the Security Portal.

6. Users must report Security incidents and breaches as quickly as possible to the Security Incident Response Team (SIRT).

7. The User Access Control Policy (including access to SharePoint Online) must be followed to manage user accounts. This access should be reviewed periodically to minimise risk.

8. When moving roles or leaving the department you must follow the Joiners, Movers, and Leavers policy and procedures.

Create

9. DWP creates, captures, collects, and uses information across the following categories:

  • Corporate records – these include all documents and information created by you in day-to-day business, including any finance and procurement records
  • Customer records - these include all claimant or customer-related documents and information, to administer pension, welfare, and Child Maintenance cases on behalf of customers
  • HR records – these include all HR and staff related documents and information

10. Users must only create or collect the minimum amount of information necessary for the business purpose.

11. Information assets created must be added to an Information Asset Inventory in accordance with the IAI guidance.

12. Any information created using Artificial Intelligence (AI) must be in line with the DWP Artificial Intelligence Security Policy.

Store

13. All information stored by DWP is classed as ‘held’, unless it is:

  • solely stored on back-up drives for disaster recovery
  • marked as destroyed on the remote stores IT system
  • physically transferred to waste recycling or confidential waste

14. Information must be stored in the correct location to enable the right access controls, disposal, and availability for business and statutory purposes.

15. Retention labels must be applied to all information stored in both OneDrive and SharePoint.

16. Information must not be kept for longer than is necessary, in line with the DWP retention schedules (Corporate, Customer and HR).

17. Information classified above OFFICIAL Sensitive (i.e. SECRET or TOP SECRET) must only be stored in those systems authorised and approved to hold it. Please see the Rosa site for more information.

18. Information must be stored in approved DWP storage repositories.

19. High value corporate content (key corporate records) must be transferred to electronic registered files. Please see the Registered File Guidance.

20. Users must ensure that file naming and version control standards are applied.

Use

21. Users must only access, use, or otherwise process information where there is a clear business need to do so.

22. Users must only share information, both internally and externally, where there is a clear business need to do so, and where the contents and security classification of the information permit it to be shared. When sharing personal data, users must comply with data protection principles and the Data Sharing Policy where it applies. Please see the Acceptable Use Policy (AUP) and the Data Sharing Policy.

23. When processing information in the course of official business, users must only use systems, applications, software, and devices (including USBs, laptops, and smart phones) which are approved and procured by DWP and whose configuration is managed by DWP.

24. The use of Non-Corporate Communications Channels is strictly controlled.

  • SECRET or TOP SECRET information must never be communicated via NCCCs.
  • DWP customers must never be contacted via NCCCs.
  • OFFICIAL Sensitive or other ‘significant information’ must only be communicated through NCCCs in exceptional circumstances and only with an approved Security Policy Exception. Significant information is information that materially impacts the direction of a piece of work or that gives evidence of a material change to a situation. Where such exceptions are granted, records of official business carried out via an NCCC must be transferred onto corporate systems (e.g. SharePoint) as soon as is practicably possible.
  • Logistical or other non-significant information can be accessed through NCCCs with due regard to an individual’s security responsibilities.

Dispose

25. Information that no longer has a business need or is beyond its retention period must be securely disposed of.

26. Personal data must not be retained for longer than is necessary. Once there is no valid business reason to retain the data, it must be securely and permanently disposed of or anonymised.

27. All DWP storage repositories must incorporate disposal functionality, whether through an automated process or by requiring user intervention.

28. Where a DWP service does not automatically delete data at the end of the prescribed retention period, users must manually apply retention periods or set destruction dates for information in accordance with DWP retention schedules.

29. Users must apply any required DWP Special Waste methods for sensitive information, including shredding or placing paper documents in a confidential waste bin.

30. Users must apply Security Standard – Secure Sanitisation and Destruction SS-036 when disposing of DWP technology/equipment that stores digital information.

Accountabilities and Responsibilities

a) Information management in DWP is the responsibility of all users; however, additional responsibilities may be assigned to specific roles.

b) The DWP Chief Security Officer is the accountable owner of the DWP Information Management Policy and is responsible for its maintenance and review, through the DWP Data Protection Officer (DPO).

c) The Departmental Records Officer (DRO) has overall responsibility for maintaining effective and efficient record keeping procedures.

d) The Data Owner is ultimately accountable for the information within their business area.

e) Information Asset Coordinators (IACs) must support the senior information owner in ensuring secure and effective information management within their business area. IACs are responsible for assisting Information Asset Managers (IAMs) in identifying and recording assets in the Information Asset Inventory (IAI) and for compiling the IAI return. IACs act as the first point of contact for all information management queries and issues.

f) Information Asset Managers (IAMs) must define retention periods for their information assets using business justification, in alignment with approved retention schedules, and must document these in the IAI.

g) SharePoint Site Owners (SSOs) are responsible for managing their SharePoint site, including access, security, structure, and retention labels, and supporting their team in its effective use.

h) Line managers must ensure that employees are aware of their responsibilities when creating, storing, using, and disposing of information. It is the line manager’s responsibility to take appropriate action where non-compliance to policy is identified as detailed in the DWP Discipline Policy.

i) All staff create, use, store, and dispose of information as part of day-to-day work. All staff are responsible for effectively managing information that is under their control by applying this policy and the Information Management Standard.

Compliance

a) All users, whether permanent or temporary, have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.

b) Many of DWP’s employees and contractors handle sensitive information daily and so need to enact minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security.

c) Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss, or destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. DWP users must report security incidents via the DWP Security Incident Referral Webform; third parties and suppliers must follow the DWP Security Incident Management Standard (SS-014).

d) DWP’s Security and Data Protection team will provide overarching compliance strategies and content, while individual information owners and business areas will assess, measure and ensure lower-level compliance with this policy within their areas. DWP’s Security and Data Protection Team may need to inspect physical locations, technology systems, design, and processes and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners, and service providers will be required to facilitate, support, and when necessary, participate in any such inspection.

e) An embargo of record destruction, an easement, or an exception to this policy can be requested in instances where a business case can be made to undertake any activity that is non-compliant with DWP’s Information Management Policy. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Information and Records Management Team immediately.