Search - National Standard Microsite
On the 25th May 2018 the Data Protection Act 2018 was implemented by the UK as the General Data Protection Regulation also known as GDPR. It controls how personal information is captured and used by organisations and the government.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must ensure that the information they obtain is for a lawful purpose, used fairly and must be transparent about its intended purpose of usage and used explicitly for that purpose only.
Data should also not be kept for more than is necessary, and whilst it is kept, should be kept up to date and handled and secured in a way that does not compromise its protection from unauthorised processing, loss of theft of data.
It is important to note that there is stronger legal protection for more sensitive information such as race, health, sex life, orientation, ethnic background. There are separate safeguards for personal data relating to criminal convictions and offences.
Under the Data Protection Act 2018, an individual has the right to find out what information the government and other organisations holds about them and this ideally should be provided to the individual within 1 month.
To make a complaint about the misuse of personal information or lack of security it should be made to the organisation, following their response the complaint can also be made to the Information Commissioner’s Office.
Telephone: 0303 123 1113
The Equality Act 2010 replaced previous anti-discrimination laws with a single Act. It protected people from discrimination, age discrimination and public sector Equality Duty, sets out the different ways in which the maltreatment of an individual can be unlawful.
The Equality Act 2010 provides a basic framework of protection against direct and indirect discrimination, harassment and victimisation in services and public functions, work, education, associations and transport, protection against indirect discrimination to disability, allowing claims for direct gender pay discrimination where there is no actual comparator and much more.
Before the Act came into force there were several pieces of legislation to cover discrimination, including:
Sex Discrimination Act 1975
Race Relations Act 1976
Disability Discrimination Act 1995
Complaints made about unlawful treatment, that happened after the 1st October 2010, the Equality Act will apply. However if was before this date, then the legislation that was in force at the time will apply.
The Equality Act 2010 includes provisions that ban age discrimination against adults in the provision of services and public functions. It also includes the public sector Equality Duty public bodies have to consider all individuals when carrying out their day-to-day work – in shaping policy, in delivering services and in relation to their own employees.
The regulation of Investigatory Powers Act 2000 relates to the interception, acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed.
There are three main ways of surveillance and covert human intelligence
use of covert human intelligence sources
Non-intrusive covert surveillance can be undertaken for a specific investigation, operation or purpose. Its result is to obtain private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)
Intrusive surveillance is carried out either in a residential premises or private vehicle; and involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device.
Human intelligence source is inducing, asking or assisting a person to obtain information by means of the conduct of such a source. This is achieved by establishing a personal or other relationship with a person for the covert purpose and covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship.
The Criminal Procedure and Investigations Code of Practice applies in respect of criminal investigations conducted by police. A criminal investigation can be defined an investigation conducted by police officers with a view to it being ascertained whether a person should be charged with an offence, or whether a person charged with an offence is guilty of it.
This document sets out the manner in which police officers are to record, retain and reveal to the prosecutor material obtained in a criminal investigation.
The roles and responsibilities within a criminal investigation can vary. The functions of the investigator, the officer in charge of an investigation and the disclosure officer are separate. The amount of persons attached to this case to fulfil the above roles will depend on the complexity of the case and the administrative arrangements within each police force. Commonly, where there are more than one person undertaking the roles, close consultation between them is essential to the effective performance of the duties imposed by this code.
Persons other than police officers who are charged with the duty of conducting an investigation as defined in the Act are to have regard to the relevant provisions of the code, and should take these into account in applying their own operating procedures.
Protection of Freedoms Act 2012: DNA and fingerprint provisions was introduced in October 2013 to cover the retention of DNA and fingerprints where it was ruled in the European Court in the case of S and Marper v UK that the blanket retention of DNA profiles taken from innocent people posed a disproportionate interference with the right to private life.
The protection of Freedoms Act strikes a balance between protecting the freedoms of those who are innocent of any offence whilst ensuring that the police continue to have the capability to protect the public and bring criminals to justice.
A DNA sample is an individual’s biological material, containing all of their genetic information. The act requires all DNA samples to be destroyed within 6 months of being taken. This allows sufficient time for the sample to be analysed. The only exception to this is if the sample is required for use as evidence in court, in which case it may be retained for the duration of the proceedings.
Fingerprints are usually scanned electronically from the individual in custody and the images stored on IDENT1, the national fingerprint database.
For Scotland, the legal acquisition, retention, weeding and use of DNA and Fingerprint data is outlined in Sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995 - https://www.legislation.gov.uk/ukpga/1995/46/part/II/crossheading/prints-and-samples”
Public sector organisations need to think about accessibility at every stage and ensure they meet the Web Content Accessibility Guidelines (WCAG 2.1) design principles. The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 are now active and applicable to all public sector organisations, including policing, and this guidance has been created to support organisations meeting the requirements for all new and existing websites or applications.
The guidance is split into several sections:
1. Decide how to check the accessibility problems on your website or mobile app
2. Make a plan to fix any accessibility problems
3. Publish your accessibility statement
4. Make sure new features are accessible
The main theme throughout is that accessibility should be considered on how people with impairments to their sight, hearing, movement, memory or thinking may use the website/app. Regular tests should be carried out from the point code writing even through the public beta stage and at every time a new feature is added.
The best way to meet accessibility requirements is to:
think about accessibility requirements from the commencement
run accessibility tests regularly throughout development
get a formal accessibility audit before you go into public beta
make sure the service works with the most common assistive technologies - screen readers or speech recognition software
test the service with disabled users and with older users
Legislation link: https://www.legislation.gov.uk/uksi/2018/852/contents/made
This is a data science cookiecutter template for analytical, Python-, or Python and R-based projects within Her Majesty's Government, and wider public sector including policing, where it has been trialled and used as a standardised template for effectively sharing data science work and includes security features using pre-commit hooks to preserve sensitive information.
It also provides an Agile, centralised, and lightweight analytical quality assurance (AQA) process. Pull or merge request templates are used to nudge users to complete this process. This helps meet HM Government best practice on producing quality analysis, as defined in the Aqua Book.
The original developer in GDS has provided a blog post explaining the reasons for creation and provided a live demonstration from March 2021 on version 0.5.3.
The National Standards Assurance Board reviewed this in January 2022 and found it being owned and actively developed by the Office for National Statistics, Best Practice and Impact team.
This guidance seeks to assist a range of IA professionals in exploring the risks associated with the use of Open Source Software (OSS) products. It does so by prompting a number of ‘whole lifecycle’ issues and questions which potential users should ask themselves when making software choices, not just of OSS, but also of proprietary products. This is because there are no ‘right’ or ‘wrong’ answers when it comes to the security of OSS versus that of proprietary (typically closed source code) products. There are good and bad examples of each in this respect and no one type is inherently more, or less, secure than the other.
This guidance supports the Government ICT StrategyI objective of creating a level playing field for open source software solutions. It does not evaluate, recommend or otherwise offer judgement on the following:
Specific OSS products;
Savings in running costs that an organisation may realise by the adoption of OSS over proprietary products;
The legal risks that may arise, for example from issues concerning copyright, intellectual property, or infringement of licences
This guidance was reviewed by the National Standards Assurance Board in January 2021 and was deemed to still provide relevant information
The purpose of this document is to provide guidance on the retention, storage and destruction of forensic materials and their associated records retained by physical and digital Forensic Units.
The purpose of this document is to provide details of the biometric interchange and image standards that must be adhered to by Partner1 organisations and their Suppliers that need to communicate with the back end biometric matching systems governed by the Home Office Biometrics (HOB) programme. (Note that the current HOB systems covered in this document are the HOB Biometric Services Gateway (BSG), Home Office “Immigration and Asylum Biometric System” (IABS) and national police fingerprint system, “IDENT1”.)
The document is divided into five parts as follows:
1) The Home Office biometric exchange format – “HONE-1”
2) Biometric recording and image standards, mandatory
3) Biometric recording and image standards, conditional
4) Biographic data, general
Open Referral UK is an open data standard in use by Local Government. This standard establishes a consistent way of publishing and describing information for councils, to ensure the data is effectively used and shared for the benefit of local communities and services (https://www.localdigital.gov.uk/)
*** POLE standards under development. Use the “Contact us” tab if you need more information. ***
The intended purpose of this standard is to promote interoperability of systems by converging on a common set of POLE data definitions used within Policing. POLE data definitions describe how People, Objects, Locations and Events should be formatted.
There are 44 POLE entities described in this standard including:
- 20 person entities
- 13 object entities
- 5 location entities
- 6 event entities
The standard also defines the attributes (field size, format, type) used to create the entities and contains and “entity x attribute map”.
Project to identify and provide support to forces as they transition capabilities from legacy on-premises systems to cloud technologies.
For further information, please use the 'Contact Us' tab, to get in touch with the relevant authoring team.
This document provides:
• High level PND requirements
• Overview of Data requirements
• PND Message Schema design
• Data transmission mechanisms
• Data Scope
• Overview of software resources available including Data Test Suite.
Note this document is graded OFFICIAL-SENSITIVE, access can be requested by the 'Contact Us' tab at the top of the page.
ISO 17020:2012 Requirements for the operation of various types of bodies performing inspection (Crime Scene Investigation)
ISO 17020:2012 specifies requirements for the competence of bodies (including police forces) performing inspection and for the impartiality and consistency of their inspection activities, this specifically relates to forensic practitioners conducting examinations at scenes of crime.
This manual has been produced by the NPCC Data Protection, Freedom of Information, information Sharing and Disclosure Portfolio Group on behalf of the NPCC. It is updated and adapted to reflect decisions made by the NPCC, views of the Information Commissioner’s Office (ICO) (where appropriate) and the evolution of the legislation as it is interpreted, challenged or reviewed.
Note that this manual has not yet been updated to reflect the legislative changes arising from The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020.
The manual should be regarded as a document that both helps to create an environment across the police service in which compliance can be achieved, and as a means of providing guidance in areas of police business where the Act is regularly applied.
The manual contains a wide variety of information including:
- Breakdown of governance and responsibilities
- General processing (GDPR & DPA Part 2)
- Comparison between General Processing and Law Enforcement obligations
- Law Enforcement processing (Part 3 of DPA)
- Intelligence Service processing (Part 4 of DPA)
- Assessing data protection compliance
- The Commisioner, enforcement & offences
- Case studies
- Wide variety of appendices including
- Template DPIA
- Template National data processing contract
- Template information sharing agreement
- Template Data Protection policy
The digital policing learning programme was created to for officers and staff to update their knowledge regarding digital intelligence and investigation. The programme helps explains the use and misuse of devices and applications and how they appear in the policing world.
The programme’s aim is to ensure that all staff are:
confident facing situations where there is a digital element
competent in identifying and carrying out the actions required by those circumstances
able to ensure they are compliant in their actions.
The Digital Intelligence and Investigation project will deliver learning and knowledge resources that will ensure that all new and serving officers acquire the digital skills they need to undertake investigations effectively.
With the Police responding to critical and complex incidents, sometimes these incidents may require resources that go beyond the capacity and capability of the Police force. Some of these incidents may require the need of other partner agencies, other specialist skillsets and equipment and thus would need to be effectively managed and coordinated. Mobilisation is the process which supports mutual aid, at the local, regional or national level.
The National Police Coordination Centre (NPoCC) is responsible for the mobilisation of police assets, including general policing, operations and crime business areas. A lead force will be responsible for resourcing nationally-led crime enquiries. NPoCC should be the initial point of contact for any mobilisation requirements as it can provide advice and national coordination.
It is important to note that this a challenging area of work, particularly when the length of the investigation is unknown and mobilising crime assets is a new and emerging business field (mutual aid) for the Police service.
This document was retired in July 2021
The Information Systems Strategy for the Police Service (ISS4PS) is an overarching strategy for Information and Communications Technology (ICT) and Information Systems (IS) for the Police service across the whole of England and Wales. Volume 2 Annexes helps to define and establish a list of standards and should be used a requirements for new developments within the Police Service.
Annex contains guidelines and actions points for:
1. Establishing ISS4PS standards information base (SIB)
2. Actions and guidance for IT Directors
3. ISS4PS compliance to the architectural principles
4. Guidelines for National Programmes focusing on 3 critical ISS4PS policies (Establishing Foundations, Delivering Joined-up Services and Delivering National Initiatives)
5. Criteria's for corporate and national solutions developed or procured by the Police Force
6. Summary of Principles and actions defined in 'Implementing ISS4PS Volume 2'
ISO/IEC 27003:2017 Information Technology — Security techniques — Information Security Management Systems — Guidance
ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
This document was created to provide guidance on the requirements for an information security management system (ISMS) and provides recommendations, possibilities and permissions.
The following areas are very important for ISMS:
understanding the organisation’s needs and the necessity for establishing information security policy and information security objectives;
assessing the organisation's risks related to information security;
monitoring and reviewing the performance and effectiveness of the ISMS
practising continual improvement
The ISMS also has key components such as policies, defined responsibilities, documentation and management processes pertaining to policy establishment, planning, implementation, operation, performance assessment, management review and improvement.