All hard copies of information about MAPPA offenders should be sent by trackable post or trusted courier service using double envelopes, both fully addressed, but with the protective marking and descriptor shown on the inner envelope only.
Electronic information must be sent via secure email only. Secure email addresses are identified by extensions such as pnn, gsi, gsx, nhs.net etc. The inclusion of gov.uk alone does not indicate a secure email address. If the agency does not have a secure email address then arrangements must be made for them to set up a secure email via the CJSM (Criminal Justice Secure email) service.
Information sent by fax must be by secure fax only.
Computers must employ unique user accounts, whose use is auditable to the extent that transactions may be identified to specific individuals, machines, times and dates.
When leaving computers for short periods, users must activate secure screen-locks or log off from the password protected application or account that contains personal or sensitive information. When leaving their computers for longer periods or when leaving the premises, users must close down their computer accounts. Access to the information must be restricted to users who have the authority to see such information and for the agreed purpose.
Ensure when printing MAPPA information that printers are located within sight of the computers to which they are attached. They must not be left unattended when printing out personal or other sensitive information. Printouts must be removed from printers immediately after printing and must be stored securely when not in use.
No hard copies of MAPPA minutes are to be taken from an office by any individual / agency when attending meetings. The host of the meeting must provide numbered hard copies counted out at beginning and in at the end so no hard copies are ever in ‘transit’.
Retention of confidential information on MAPPA eligible offenders, information on offenders subject to determinate sentences must only be retained for 6 years after the end of their statutory supervision or preparation of the report. In respect of offenders subject to indeterminate sentences the data should be destroyed on their death or 99 years after his or her date of birth.