Information management

Retention, review and disposal

The primary purpose of review, retention and disposal procedures is to protect the public and help manage the risks posed by known offenders and other potentially dangerous people.

The review of police information is central to risk-based decision making and public protection. Records must be regularly reviewed to ensure that they remain necessary for a policing purpose, and are adequate and up to date. This also ensures compliance with the principles of the Data Protection Act 2018 (part 3, chapter 2).


Retaining information relating to criminal activity and known and suspected offenders allows the police service to develop a proactive approach to policing. It assists forces to prevent and detect crime and protect the public. Retaining every piece of information collected is, however, impractical and unlawful. Consideration must be given to the types of information that need to be retained and the practical implications of storing these records in their various formats.

The key points to consider are:

  • The reasons for retention.
  • National Retention Assessment Criteria (NRAC).
  • Which records should not necessarily be retained.
  • All reviews that result in a decision to retain records must be recorded.
  • Methods for storing records depend on whether they carry a security marking; see Government Security Classification (GSC) model.
  • Access and retrieval – information retained must be searchable and retrievable by staff who are appropriately vetted and have a need to know in accordance with the Data Protection Act 2018 (part 3, chapter 3 and part 3, chapter 4, section 62).
  • The supervisor must manage information that is to be retained in accordance with NPIRMT Community Security Policy – this document can be accessed by contacting
  • Records which no longer have a policing purpose, but which may have historical or academic value, may be archived for long-term retention outside the operational environment – it must be clear that the records are kept for this purpose only.
  • Forces can use archives, with limited access, to store records, but this is not to be used for information that must be disposed of.
  • Criminal Procedure and Investigations Act 1996 (CPIA) requirements under Part 2:
    • the retention periods imposed by the CPIA are a minimum requirement and, in most cases, the retention requirements outlined in this APP will far exceed those imposed by the CPIA
    • information should still be retained for as long as it is necessary and proportionate to do so, irrespective of the CPIA requirements for it.
  • Police National Computer (PNC) records ‒ for example, the PNC will hold all conviction data until the record subject is deemed to have reached 100 years of age, regardless of how long this information is required for CPIA purposes.

Deciding to retain

Scheduled reviews require the reviewing officer to conduct an assessment of the risk of harm posed by the subject of the information under review. If the individual under review meets any of the criteria outlined in the NRAC, then the retention of records relating to them is proportionate to the level and type of risk they pose. These records must, therefore, be retained and reviewed again at a later date.

Where individual records cannot be separated out, for example, police pocket notebooks, the entire collection of records should be retained according to the most serious offence they contain. In the case of pocket notebooks and similar documents, relevant police information should be transferred to a primary business area as soon as is practicable.

A decision to retain records relating to a particular individual does not necessarily mean that every piece of information held in relation to them needs to be kept. The reviewing officer should use their discretion to identify those records that contain sufficient information to contribute to understanding the nature of the offence or the type of risk posed.

Which records should not necessarily be retained

During an investigation, a number of pieces of information are collected for purely administrative purposes and do not have any independent significance. It is not necessary to keep these ancillary records as part of a file that has been marked for retention, as they do not contribute to understanding the nature of the offence or the type of risk posed.

Information that is duplicated across force systems should also be minimised. Consideration should be given to the amount and type of detail held on individual systems and the extent to which this is duplicated in others, with a view to disposing of those that are surplus to requirements. It may also be more practical to retain electronic records rather than paper ones. Provided that the reviewing officer is satisfied that the relevant information contained in paper records is also held electronically in a searchable format, the paper records can be destroyed.

Original exhibits do not need to be retained where it is unreasonable to do so; however, a copy should be stored in the form of photographs, video recordings or digital images.

Retaining intelligence products

Special care needs to be taken when deciding whether to keep intelligence products. It may be useful to keep them unless they duplicate information on other systems and do not add any value, in which case they can be disposed of.

National retention assessment criteria

NRAC template.

The key points relating to the NRAC are:

  • The infringement of an individual’s privacy caused by retaining their personal information must satisfy the proportionality test.
  • Forces should be confident that any records they dispose of are no longer necessary for policing purposes.
  • There should be a consistent approach to retaining police information.
  • Records which are accurate, adequate, up to date and necessary for policing purposes are held for a minimum of six years from the date of creation, thereby helping to ensure that forces have sufficient information to identify offending patterns over time, and to help guard against individuals’ efforts to avoid detection for lengthy periods.
  • Beyond the six-year period, there is a requirement to review whether it is still necessary to keep the record for a policing purpose. The review process specifies that forces may retain records only for as long as they are necessary. The NRAC template provides guidance on establishing whether or not information is still needed for a policing purpose.

NRAC questions

The NRAC asks a series of questions, focused on known risk factors, in an effort to draw reasonable conclusions about the risk of harm presented by individuals or offenders. Wherever a record is assessed as being necessary and proportionate to the purpose it serves, it can be retained.

These questions are:

  • Is there evidence of a capacity to inflict serious harm?
  • Are there any concerns in relation to children or vulnerable adults?
  • Did the behaviour involve a breach of trust?
  • Is there evidence of established links or associations which might increase the risk of harm?
  • Are there concerns in relation to substance misuse?
  • Are there concerns that an individual’s mental state might exacerbate risk?

Where the answer to any of the questions is ‘yes’, information relating to the individual being assessed should be retained and reviewed again at intervals designated by the review schedule, ensuring that:

  • records remain adequate and up to date
  • new information can be considered
  • risks are still relevant.

When used nationally, this method of assessment ensures consistency across forces with regard to the type of information retained for designated time periods.

A completed copy of this assessment template should be kept on file as a record that the review has taken place and to support the subsequent decision.


Reviewing information held by forces to determine its adequacy and continuing necessity for a policing purpose is a reliable means of meeting the requirements of part 3, chapter 2, sections 37 and 39 of the Data Protection Act 2018. Review procedures should be:

  • practical
  • risk focused
  • able to identify valuable information
  • as straightforward as is operationally possible.

The police service should have standard procedures in place for reviewing records and making accountable decisions on the retention or disposal of information. Review procedures ensure that information retained by the police service is held lawfully, and may help to prevent forces being overloaded by the volume of information captured and recorded.

All person records held by the police service are subject to:

  • an initial review and evaluation
  • any necessary triggered reviews
  • scheduled reviews.

For audit and supervision purposes, a record must be kept of every review undertaken, irrespective of whether it results in any alterations or disposal.

Initial review and evaluation

An initial review of police information is conducted at the point of input and should ensure that records comply with the principles outlined in evaluating police information. The initial review and evaluation should also be used as an opportunity to provide feedback to staff about their record creation skills, if necessary.

Triggered reviews

This process ensures that records relating to certain offenders remain adequate and up to date. The policy for triggered reviews in each force should be published and clearly communicated to all staff to ensure understanding and adherence across the organisation.

Wherever further police information is submitted on an individual which relates to certain public protection matters or other sexual, violent or serious offending or the risk thereof, or relates to a person previously identified as presenting such a risk, a review should be conducted of all police information held on that person. Information which indicates risk to children or vulnerable adults should receive particular attention.

Routine amendments or disposals that would have been made regardless of the request should still be made.

By the time a review is triggered, the information under review may have already been used to make decisions and justify police action. Consequently, any updates must be adequately documented for audit purposes.

Related information contained within a person record that is no longer necessary for a policing purpose must be disposed of. Any record that is found to be inaccurate must be updated, but a record that is found to be inaccurate beyond alteration and has no link to the offender must be disposed of. This also ensures compliance with the principles of the Data Protection Act 2018.

When should a triggered review take place?

Any person record that is more than 10 years old (group 2), or 6 years old (group 3), and is triggered for a review, should be risk assessed using the established NRAC. If a high risk of harm is concluded, the record should be retained and reviewed again at intervals specified in the review schedule.

A triggered review should also take place where there are requests:

  • for statutory disclosures, including those to the Disclosure & Barring Service (DBS), Department for Education, and Department for Business, Innovation & Skills vetting and barring schemes – it is essential that the information being disclosed is correct and relevant to the matter in question.
  • from other law enforcement agencies for information. These should be carried out before information is shared with external agencies.
  • for subject access (this is the term given to the right of any individual under the Data Protection Act 2018 to have access to personal data about themselves, although the right is subject to exemptions). These should be shared first and followed by the triggered review.

Scheduled reviews

These acknowledge:

  • Potentially dangerous people who have not yet been convicted or even accused of serious offending but whose behaviour, nonetheless, causes concern.
  • Prolific offenders whose criminal activity is lower level but higher in frequency. This information needs to be retained on police systems for as long as the offenders continue to engage in criminal activity.

Designated clear periods prevent forces from having to justify the continued retention of information related to prolific offenders for as long as they continue to offend.

The review schedule focuses on the offender rather than on business areas. It is based on the following three premises:

  • Past behaviour is an indicator of future behaviour, and the type of offence an individual is involved in, or alleged to be involved in, is a clear indicator of risk.
  • Information relating to those offenders who pose the highest risk of harm to the community must be retained the longest.
  • Where a person record is linked to multiple offences, the most serious offence determines the review category for all of the offences.

Under the review schedule, information held for policing purposes is divided into four groups. The police national legal database (PNLD) has been updated to show a MoPI review group for each offence. All forces have a comprehensive and regularly updated list, allowing them to search by offence, offence code and MoPI review group.

Group 1 – certain public protection matters

Information is placed within this group until a subject has reached 100 years of age. This information should be reviewed regularly, ie, every 10 years, to ensure that it is adequate and up to date. Some records should not necessarily be retained.

Information retained under this grouping can include intelligence of any grading.

Offences that have been amended by the more recent Criminal Justice Act 2003 (CJA) legislation, and are now considered serious specified offences under the CJA, should be retained as part of this group. For example, under the Sexual Offences Act 1956 the offence of Unlawful Sexual Intercourse with a girl aged 13-16 years old resulted in a maximum sentence of two years’ imprisonment. Under the Sexual Offences Act 2003 this offence, now called sexual activity with a child, carries a maximum sentence of 14 years’ imprisonment and is listed as a serious specified offence under the CJA. For the purposes of this review and retention process, individuals dealt with under the Sexual Offences Act 1956 should have their records retained as though the offence or alleged offence occurred recently.

Group 2 – other sexual, violent or serious offences

This group also includes all specified offences that are not serious offences as defined in the Criminal Justice Act 2003. A full list of these offences is recorded on the PNLD.

Information relating to sexual, violent or serious offences that are not listed as serious specified offences in the CJA can be retained only for as long as the offender or suspected offender continues to be assessed as posing a risk of harm, using the NRAC.

After every 10-year clear period, these records should be reviewed and a risk-based decision made on whether they should be disposed of or retained. This group includes any information related to people convicted, acquitted, charged, arrested, questioned or implicated with an offence within this group. If the individual in question continues to offend or is implicated in continued offending, records relating to them must be retained. In these circumstances, however, the absence of a clear period means that forces do not have to conduct a scheduled review or justify the continued retention of such records. The triggered reviews process ensures that records relating to this group of offenders remain adequate and up to date.

Sexual offences

For the purpose of information management, a sexual offence is any offence listed in Schedule 3 of the Sexual Offences Act 2003.

Violent offences

For the purpose of information management, a violent offence is any of those specified as such in the current Home Office counting rules for recorded crime.

Serious offences

For the purpose of information management, a serious offence is any offence detailed, recorded or listed as such on the PNLD.

Group 3 – all other offences

Records relating to people who are convicted, acquitted, charged, arrested, questioned or implicated for offending behaviour which does not fall within group 1 or group 2 are dealt with in group 3. Records that fall within this group do not necessarily have to be reviewed. Forces may opt to use a system of time-based, automatic disposal for classes of information in this group.

Forces which opt to use time-based disposal for all or a proportion of their group 3 records must observe the following principles:

  • The criteria forces use to decide which group 3 records to review and which to automatically dispose of must be outlined in the force information management strategy (IMS).
  • The risk of disposing of records without review lies with the chief officer.
  • All records subject to time-based disposal must still be retained for an initial six-year period.
  • Forces must have a mechanism for identifying those group 3 individuals who continue to reoffend or who are implicated or suspected of being implicated in offending, and retain records relating to them.
  • Forces must have a mechanism for identifying those individuals who have demonstrated a capacity for inflicting serious harm, using the NRAC and by flagging records relating to them for exception reviews.
  • Any group 3 records that forces wish to retain for longer than the six-year clear period must be reviewed at five yearly intervals and be risk assessed, using the NRAC.

Group 4 – miscellaneous

This group contains information on undetected crime, intelligence products, missing persons, victims and witnesses.

Undetected group 1 offences – records should be retained for a minimum of 100 years from the date reported to the police. Other records of undetected offences should be retained for a minimum of six years from the date reported to the police. Forces should be mindful that these are minimum periods and that they may keep undetected crime records for longer if they feel it necessary. There are no additional requirements to review these records above and beyond the requirements imposed by relevant investigative guidelines.

Intelligence products – should be reviewed in accordance with the review schedule guidance. The type of criminal activity being examined determines the length of time between reviews.

Missing persons – information relating to open missing persons cases should be retained until the person is located. For cases of missing persons who have subsequently been located safe and well, information should be retained for a minimum of six years as per the Limitation Act 1980. If this initial six-year period is clear, ie, the individual does not go missing again and there are no subsequent indications of abuse, domestic violence or other factors that might place the individual at risk, the record should be disposed of.

Victim and witness information – should be retained for an initial six-year clear period or for the length of time required by the CPIA 1996, if this is longer. Beyond this point, the decision about whether to retain victim and witness details should be made on a case-by-case basis. Records should be retained if they provide detail of an offender’s MO or any relevant risk factors. Witness statements generally fall into this category. However, if this detail is duplicated elsewhere, it could be deleted from the system.

In all cases, victim and witness details should be handled with care and in accordance with their right to privacy.

In circumstances where a victim or witness is recorded on police systems as an offender or suspect in another matter, their details should be retained and reviewed in accordance with the incident in which they are the person of interest.

Review schedule

Exception reviews

Forces are able to opt for a system of time-based disposal for records that relate to group 3 offences. If, however, an offender’s or suspected offender’s behaviour suggests that they may pose a high risk of harm to others, forces must be able to highlight the relevant person records for an exception review, rather than dispose of them automatically.

To determine whether an individual who has been accused, suspected, arrested, charged, convicted or acquitted of a group 3 offence poses a high risk of harm, forces should use the criteria outlined in the NRAC.

If, however, the exception review identifies any of the following risk factors, the relevant person records must be directed into the review process:

  • Is there evidence of a capacity to inflict serious harm?
  • Are there concerns in relation to children or vulnerable adults?
  • Did the behaviour involve a breach of trust?
  • Is there evidence of established links or associations which might increase the risk of harm?
  • Are there concerns in relation to substance misuse?
  • Are there concerns that the individual’s mental state might exacerbate risk?

The task of highlighting records for an exception review should be done at the point of record creation.

Clear periods

The review schedule in the NRAC states that reviews take place after designated clear periods. For the purpose of information management, a clear period is defined as the length of time since a person last came to the attention of the police as an offender or suspected offender for behaviour that can be considered a relevant risk factor.

A clear period may begin:

  • on the date that the intelligence report was submitted
  • on the date of the last police action
  • when there is an issue date (fixed penalty notice or caution)
  • on the date a decision was taken or handed down (cases either not proceeded with or there is an acquittal).

If the individual’s last relevant contact with the criminal justice system was by way of a court ordered sentence, the clear period begins when that sentence has expired completely. In the case of custodial sentences, this includes any period served on licence in the community following the custodial element of the sentence.

A clear period can be reset when there is:

  • a new offence
  • a suspected offence
  • evidence of a risk of harm to others
  • a request for information from other law enforcement agencies
  • a request for DBS disclosures.

The relevance of such behaviour must be determined on a case-by-case basis. Clear periods are not reset by subject access requests.

Audit and supervision of the review process

The key points to consider are:

  • All triggered, scheduled and exception reviews of police records must be documented, regardless of whether they result in any change.
  • The force IMS should specify the level at which decisions to dispose of records relating to offences are taken.
  • The IMS should specify an inspection of a sample of force records every 12 months.
  • Documenting and authorising the review process.
  • Annual inspections and monthly audits.

Annual inspections and monthly audits

To ensure the quality of reviews and to comply with the Data Protection Act 2018, forces should set out the process for overseeing annual inspections of a sample of force person records in the IMS.

These inspections must be carried out independently of staff in the business area where the records are held.

Additionally, local managers should, in line with the IMS, undertake regular quality assurance audits of information held by their unit or business area.

Documenting the review process

If the format of a person record or the system it is held on does not allow an automatic record of its review to be made, the NRAC template should be completed. It should then be stored either electronically or in hard copy in the relevant file.

Any system-generated records created to document a review must log the date of review, the reviewer’s name, the outcome and the reason for the decision taken. In complex cases, where the review process takes several days, a time period can be recorded as the date of review. For triggered reviews, the reviewing officer must provide an explanation of how and why the triggered review came about.

The retention assessment criteria section of the NRAC template determines whether or not the information under review should be retained or disposed of. This section must be used for all scheduled reviews and any triggered reviews of records that have been held for six years or more. The reviewing officer must include an explanation of how the individual in question meets the outlined risk criteria. It is not necessary to explain how or why an individual does not meet the risk criteria if this is the case.

If the NRAC template is being used, the outcome of the review section must always be completed and must include an explanation of any amendments made to a record as a result of the review.

Authorising the review process

All reviews that result in a decision to dispose of a record or change its category should be authorised by the reviewing officer’s line manager. Forces may require line managers to authorise other reviews. The NRAC template includes a space for their authorisation. The decision to retain information can be approved by a line manager at any level.

For group 2 offences, there is a presumption in favour of retention. The decision to dispose of any records from this group therefore requires authorisation. The IMS specifies an appropriate level for this decision to be taken within the force.

Where forces have opted to review group 3 records that they hold, decisions to retain or dispose of them are approved by the reviewing officer’s line manager. The time-based disposal of these records does not require any further authorisation beyond that already given by a chief officer in their decision to take this option. This approach should be specified in the IMS.

Key roles in the review of information


  • ensure that the IMS sets out a process for reviewing records in accordance with information management
  • decide at what level decisions to retain and dispose of records can be taken
  • ensure a dip sample of records held by their department is undertaken
  • ensure staff responsible for undertaking reviews are trained in accordance with the national training and delivery strategy.


  • authorise the outcome of all reviews conducted in their area of responsibility
  • ensure that the review policy in the IMS is followed
  • provide feedback to staff
  • ensure users of systems are aware of and adhere to force policies and procedures relating to information management and systems.


  • access, understand and follow force security policies and operating procedures
  • establish and enter the review date for a record at the point of creation
  • follow the NRAC when reviewing records to determine their continued necessity for a policing purpose
  • document the review process using the NRAC template wherever there is no automated mechanism in place
  • ensure that information to be disposed of is not duplicated and therefore retained elsewhere.


This means removal of information from all police systems justified through the review process, to the extent that it cannot be restored. The IMS, or its supporting documentation, sets out who can authorise the disposal of police records.

The key points to consider are:

  • the decision to dispose of information
  • the secure disposal
  • audit
  • managers should decide at what level decisions to retain and dispose of records can be taken
  • users should ensure that information to be disposed of is not duplicated and therefore retained elsewhere.

Information must be disposed of in accordance with NPIRMT Community Security Policy (this document can be accessed by contacting) and depends on whether the records carry a security marking. See GSC Model guidelines. All forces must develop and implement a policy for disposing of records in accordance with the above.

Details of a record marked for disposal must not continue to exist on any police systems. This includes paper copies or those within other documentation such as intelligence products.

Where a scheduled review has taken place after a designated clear period and the completed NRAC does not indicate that the subject continues to pose a risk of harm, the record under review must be disposed of.


In cases where a record has been marked for disposal, it is not appropriate to retain the completed risk assessment form for audit purposes as this contains details of the record and undermines the attempt to remove this from police systems. The IMS should specify that a disposal schedule is maintained containing the following information:

  • date of decision
  • number of records
  • whether the records were considered inadequate or no longer necessary for a policing purpose.

Records documenting a decision to dispose of information should not, under any circumstances, hold the personal details of individuals. Forces should follow the review process to ensure that they can justify the disposal of information. Once a record is considered to be either inadequate or no longer necessary, there should be no indication that the force ever held it.

Custody images

This APP supports the Home Office (2017) Review of the Use and Retention of Custody Images.

Custody image management should be in line with the review schedule for management of police information (MoPI) groups. An individual should be able to apply to chief officers to request deletion of their custody image. The individual may request deletion where they were:

  • not charged
  • not convicted of the offence for which the image was taken
  • convicted and a predetermined time (group 3 deletion) has elapsed since the conviction.

Where an individual who was not convicted makes an application, there should be a presumption in favour of deletion. Chief officers have the discretion to retain a custody image where this is necessary for a policing purpose and there is an exceptional reason to do so. Examples might include where the individual is considered to pose a substantial risk of harm when assessed against NRAC.

A force’s ability to manage its data is dependent on technology, processes and resources. Forces should record and report information management-related issues, including gaps, risks, and any risk mitigation or future plans. The force senior information risk owner should understand the extent of each risk, and ownership within the force should be identified.

Where records are required to be retained under specific legislation (eg, Inquiries Act 2005), flag and archive them and only access them for this purpose.

Forces should ensure that the process for making an image deletion application is clear and transparent. They should include information about the right to have images deleted and other information requests on the force website.

Where a formal request for deletion is not made, the image should be managed in line with APP information management. Images should be deleted at the first scheduled review, including clear periods. The review schedule within APP information management should be used to manage the process.

Request for deletion

Individuals have the right to apply to chief officers to have their custody image deleted. Individuals applying for deletion of custody images must produce suitable identification to allow the processing of their personal information. This must be photographic identification, eg, passport or photographic driving licence, and proof of address such as a council tax letter or a bank statement. Identification materials should be deleted once the decision to retain or dispose is reached.

Individuals arrested but not charged, or charged but not convicted, have the right to request deletion earlier than those timescales set out by information management APP. Only images that relate to the offence that removal has been requested for should be taken into account. Previous or subsequent images for convictions or arrests should not be considered unless part of the general review process.

Images held in relation to custody and that have been requested to be removed in the application will be the only images considered as part of the process.

These requests also ensure compliance with individual rights under the Data Protection Act 2018, namely the ‘Right to Erasure’.

Image information

Understanding the level of risk associated with continued retention and bulk deletion of custody images is important. The overall risk is determined by the force risk appetite.

The following considerations will help forces gain a better understanding of the image and the offender/suspect:

  • age of the offender/suspect at the time the image was taken
  • nature of the offence for which the specific image was taken
  • date the image was taken
  • number of images relating to a single person and the timeliness of these images.

There is less risk in deleting images older than six years for people under the age of 18 arrested for a MoPI 3 offence, irrespective of outcome.

Custody image review

When a custody image is reviewed, either by exception or scheduled review, consideration of retention must include:

  • whether the image meets the national standard on size
  • resolution
  • how well it identifies the person (quality).

Decision making

Where an application for deletion is made, forces should use the NRAC to review whether the custody image should continue to be retained, regardless of the Management of Police Information (MoPI) group. The NRAC questions will:

  • support forces in identifying any risk posed by the individual and will ensure that any decision to retain or dispose is based on known evidence/intelligence
  • provide the necessary audit trail for any possible subsequent appeal/complaints to the Information Commissioner’s Office
  • ensure consistency in decision-making locally and nationally.

Police presumption criteria

When reviewing images with a view to deleting, consider the following:

Accepting a request for deletion

The following diagram outlines the requirements that need to be met in order to process a deletion request:

Where any of the above criteria are not met, the applicant should be informed and updated on when they can make a further application for removal.

Managing the process

Forces have the ability to retain an image if there is clear and evidenced risk. Forces must be able to justify continued retention and not attempt to justify deletion. This process should be documented using the NRAC.

Where the police presumption criteria for accepting the request have been met, the flow chart below should be considered when dealing with and managing the request:

Responding to applicants

Where deletion of a custody record has taken place, the applicant must be informed. All NRACs can be requested by the individual invoking their ‘Right to Access’, commonly known as Subject Access, under the Data Protection Act 2018, unless an exemption applies. Where the decision is to refuse deletion, the applicant should be informed of:

  • the reasons for refusing deletion, unless there is a compelling reason not to do so, for example, ongoing investigation or intelligence that is not to be disclosed
  • the date of the next review schedule
  • the date of when the applicant can reapply for deletion.

When responding to an applicant who is requesting an image deletion, the following templates should be used:

Page last accessed 23 September 2020