to add a new content
Data Protection

On the 25th May 2018 the Data Protection Act 2018 was implemented by the UK as the General Data Protection Regulation also known as GDPR. It controls how personal information is captured and used by organisations and the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must ensure that the information they obtain is for a lawful purpose, used fairly and must be transparent about its intended purpose of usage and used explicitly for that purpose only.

Data should also not be kept for more than is necessary, and whilst it is kept, should be kept up to date and handled and secured in a way that does not compromise its protection from unauthorised processing, loss of theft of data.  

It is important to note that there is stronger legal protection for more sensitive information such as race, health, sex life, orientation, ethnic background. There are separate safeguards for personal data relating to criminal convictions and offences.

Under the Data Protection Act 2018, an individual has the right to find out what information the government and other organisations holds about them and this ideally should be provided to the individual within 1 month.  

To make a complaint about the misuse of personal information or lack of security it should be made to the organisation, following their response the complaint can also be made to the Information Commissioner’s Office.

Telephone: 0303 123 1113

Published 01/01/2018
Authoring body: Information Commissioner's Office (ICO)
Equality Act 2010: Guidance (2015)

The Equality Act 2010 replaced previous anti-discrimination laws with a single Act. It protected people from discrimination, age discrimination and public sector Equality Duty, sets out the different ways in which the maltreatment of an individual can be unlawful.

The Equality Act 2010 provides a basic framework of protection against direct and indirect discrimination, harassment and victimisation in services and public functions, work, education, associations and transport, protection against indirect discrimination to disability, allowing claims for direct gender pay discrimination where there is no actual comparator and much more.

Before the Act came into force there were several pieces of legislation to cover discrimination, including:

  • Sex Discrimination Act 1975

  • Race Relations Act 1976

  • Disability Discrimination Act 1995

Complaints made about unlawful treatment, that happened after the 1st October 2010, the Equality Act will apply. However if was before this date, then the legislation that was in force at the time will apply.

The Equality Act 2010 includes provisions that ban age discrimination against adults in the provision of services and public functions. It also includes the public sector Equality Duty public bodies have to consider all individuals when carrying out their day-to-day work – in shaping policy, in delivering services and in relation to their own employees.

Published 01/01/2015
Authoring body: Government Equalities Office
Regulation of Investigatory Powers Act 2000 (RIPA)

The regulation of Investigatory Powers Act 2000 relates to the interception, acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed.

There are three main ways of surveillance and covert human intelligence

  1. direct surveillance

  2. intrusive surveillance

  3. use of covert human intelligence sources

Non-intrusive covert surveillance can be undertaken for a specific investigation, operation or purpose. Its result is to obtain private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)

Intrusive surveillance is carried out either in a residential premises or private vehicle; and involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device.

Human intelligence source is inducing, asking or assisting a person to obtain information by means of the conduct of such a source. This is achieved by establishing a personal or other relationship with a person for the covert purpose and covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship.

Published 01/01/2000
Authoring body: Her Majesty’s Stationery Office (HMSO)
Criminal Procedure & Investigations Act 1996 Code of Practice

The Criminal Procedure and Investigations Code of Practice applies in respect of criminal investigations conducted by police. A criminal investigation can be defined an investigation conducted by police officers with a view to it being ascertained whether a person should be charged with an offence, or whether a person charged with an offence is guilty of it. 

This document sets out the manner in which police officers are to record, retain and reveal to the prosecutor material obtained in a criminal investigation.

The roles and responsibilities within a criminal investigation can vary. The functions of the investigator, the officer in charge of an investigation and the disclosure officer are separate. The amount of persons attached to this case to fulfil the above roles will depend on the complexity of the case and the administrative arrangements within each police force. Commonly, where there are more than one person undertaking the roles, close consultation between them is essential to the effective performance of the duties imposed by this code. 

Persons other than police officers who are charged with the duty of conducting an investigation as defined in the Act are to have regard to the relevant provisions of the code, and should take these into account in applying their own operating procedures. 

Published 01/01/2015
Authoring body: Ministry of Justice (MoJ)
DNA and Fingerprint Provisions

Protection of Freedoms Act 2012: DNA and fingerprint provisions was introduced in October 2013 to cover the retention of DNA and fingerprints where it was ruled in the European Court in the case of S and Marper v UK that the blanket retention of DNA profiles taken from innocent people posed a disproportionate interference with the right to private life.

The protection of Freedoms Act strikes a balance between protecting the freedoms of those who are innocent of any offence whilst ensuring that the police continue to have the capability to protect the public and bring criminals to justice. 

A DNA sample is an individual’s biological material, containing all of their genetic information. The act requires all DNA samples to be destroyed within 6 months of being taken. This allows sufficient time for the sample to be analysed. The only exception to this is if the sample is required for use as evidence in court, in which case it may be retained for the duration of the proceedings.

Fingerprints are usually scanned electronically from the individual in custody and the images stored on IDENT1, the national fingerprint database.

For Scotland, the legal acquisition, retention, weeding and use of DNA and Fingerprint data is outlined in Sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995 -

Published 01/01/2019
Authoring body: Home Office
Website and application accessibility regulations and guidance

Public sector organisations need to think about accessibility at every stage and ensure they meet the Web Content Accessibility Guidelines (WCAG 2.1) design principles. The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 are now active and applicable to all public sector organisations, including policing, and this guidance has been created to support organisations meeting the requirements for all new and existing websites or applications.

The guidance is split into several sections:

1. Decide how to check the accessibility problems on your website or mobile app
2. Make a plan to fix any accessibility problems
3. Publish your accessibility statement
4. Make sure new features are accessible

The main theme throughout is that accessibility should be considered on how people with impairments to their sight, hearing, movement, memory or thinking may use the website/app. Regular tests should be carried out from the point code writing even through the public beta stage and at every time a new feature is added.

The best way to meet accessibility requirements is to:

  • think about accessibility requirements from the commencement

  • run accessibility tests regularly throughout development

  • get a formal accessibility audit before you go into public beta

  • make sure the service works with the most common assistive technologies - screen readers or speech recognition software

  • test the service with disabled users and with older users

Legislation link:

Published 01/01/2019
Authoring body: Government Digital Services (GDS)
UK Gov Cookie Cutter Data Science Project Template

This is a data science cookiecutter template for analytical, Python-, or Python and R-based projects within Her Majesty's Government, and wider public sector including policing, where it has been trialled and used as a standardised template for effectively sharing data science work and includes security features using pre-commit hooks to preserve sensitive information.

It also provides an Agile, centralised, and lightweight analytical quality assurance (AQA) process. Pull or merge request templates are used to nudge users to complete this process. This helps meet HM Government best practice on producing quality analysis, as defined in the Aqua Book.

The original developer in GDS has provided a blog post explaining the reasons for creation and provided a live demonstration from March 2021 on version 0.5.3

The National Standards Assurance Board reviewed this in January 2022 and found it being owned and actively developed by the Office for National Statistics, Best Practice and Impact team.

Published 20/07/2021
Authoring body: Office for National Statistics (ONS)
Reference Data / Templates
Open Source Software - Exploring the Risk (Good Practice Guide 38)

This guidance seeks to assist a range of IA professionals in exploring the risks associated with the use of Open Source Software (OSS) products. It does so by prompting a number of ‘whole lifecycle’ issues and questions which potential users should ask themselves when making software choices, not just of OSS, but also of proprietary products. This is because there are no ‘right’ or ‘wrong’ answers when it comes to the security of OSS versus that of proprietary (typically closed source code) products. There are good and bad examples of each in this respect and no one type is inherently more, or less, secure than the other.

This guidance supports the Government ICT StrategyI objective of creating a level playing field for open source software solutions. It does not evaluate, recommend or otherwise offer judgement on the following:

Specific OSS products;
Savings in running costs that an organisation may realise by the adoption of OSS over proprietary products;
The legal risks that may arise, for example from issues concerning copyright, intellectual property, or infringement of licences

This guidance was reviewed by the National Standards Assurance Board in January 2021 and was deemed to still provide relevant information

Published 01/10/2015
Authoring body: Communications-Electronics Security Group (CESG) [HMG]
Retention, Storage and Destruction of Materials and Records relating to Forensic Examination

The purpose of this document is to provide guidance on the retention, storage and destruction of forensic materials and their associated records retained by physical and digital Forensic Units.

Published 01/06/2021
Authoring body: National Police Chiefs Council (NPCC)
Biometric Standards and Exchange Requirements for Home Office Partners and their Suppliers v3.04

The purpose of this document is to provide details of the biometric interchange and image standards that must be adhered to by Partner1 organisations and their Suppliers that need to communicate with the back end biometric matching systems governed by the Home Office Biometrics (HOB) programme. (Note that the current HOB systems covered in this document are the HOB Biometric Services Gateway (BSG), Home Office “Immigration and Asylum Biometric System” (IABS) and national police fingerprint system, “IDENT1”.)
The document is divided into five parts as follows:
1) The Home Office biometric exchange format – “HONE-1”
2) Biometric recording and image standards, mandatory
3) Biometric recording and image standards, conditional
4) Biographic data, general
5) Appendices

Published 01/07/2017
Authoring body: Home Office
Open Referral UK Standards

Open Referral UK is an open data standard in use by Local Government. This standard establishes a consistent way of publishing and describing information for councils, to ensure the data is effectively used and shared for the benefit of local communities and services (

Published 01/01/2019
Authoring body: Open Referral UK
POLE Standards

*** POLE standards under development. Use the “Contact us” tab if you need more information. ***

The intended purpose of this standard is to promote interoperability of systems by converging on a common set of POLE data definitions used within Policing. POLE data definitions describe how People, Objects, Locations and Events should be formatted.

There are 44 POLE entities described in this standard including:

  • 20 person entities
  • 13 object entities
  • 5 location entities
  • 6 event entities

The standard also defines the attributes (field size, format, type) used to create the entities and contains and “entity x attribute map”.

Published 07/05/2021
Authoring body: Police Digital Service (PDS)
Cloud Enablement

Project to identify and provide support to forces as they transition capabilities from legacy on-premises systems to cloud technologies.

For further information, please use the 'Contact Us' tab, to get in touch with the relevant authoring team.

Published 01/01/2022
Authoring body: Police Digital Service (PDS)
Police National Database (PND) Interface Business and Technical Guidance for Data Providers v3.5.0

This document provides:
• High level PND requirements
• Overview of Data requirements
• PND Message Schema design
• Data transmission mechanisms
• Data Scope
• Overview of software resources available including Data Test Suite.

Note this document is graded OFFICIAL-SENSITIVE, access can be requested by the 'Contact Us' tab at the top of the page.

Published 18/09/2020
Authoring body: Home Office
ISO 17020:2012 Requirements for the operation of various types of bodies performing inspection (Crime Scene Investigation)

ISO 17020:2012 specifies requirements for the competence of bodies (including police forces) performing inspection and for the impartiality and consistency of their inspection activities, this specifically relates to forensic practitioners conducting examinations at scenes of crime.

Published 01/04/2012
Authoring body: International Standards Organisation (ISO)
Data Protection Manual

This manual has been produced by the NPCC Data Protection, Freedom of Information, information Sharing and Disclosure Portfolio Group on behalf of the NPCC. It is updated and adapted to reflect decisions made by the NPCC, views of the Information Commissioner’s Office (ICO) (where appropriate) and the evolution of the legislation as it is interpreted, challenged or reviewed.

Note that this manual has not yet been updated to reflect the legislative changes arising from The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020.

The manual should be regarded as a document that both helps to create an environment across the police service in which compliance can be achieved, and as a means of providing guidance in areas of police business where the Act is regularly applied.

The manual contains a wide variety of information including:

  • Breakdown of governance and responsibilities
  • Definitions
  • General processing (GDPR & DPA Part 2)
  • Comparison between General Processing and Law Enforcement obligations
  • Law Enforcement processing (Part 3 of DPA)
  • Intelligence Service processing (Part 4 of DPA)
  • Assessing data protection compliance
  • The Commisioner, enforcement & offences
  • Case studies
  • Wide variety of appendices including
    • Template DPIA
    • Template National data processing contract
    • Template information sharing agreement
    • Template Data Protection policy 
Published 01/03/2021
Authoring body: National Police Chiefs Council (NPCC)
Digital Investigation & Intelligence APP

The digital policing learning programme was created to for officers and staff to update their knowledge regarding digital intelligence and investigation. The programme helps explains the use and misuse of devices and applications and how they appear in the policing world. 

The programme’s aim is to ensure that all staff are:

  • confident facing situations where there is a digital element

  • competent in identifying and carrying out the actions required by those circumstances

  • able to ensure they are compliant in their actions.

The Digital Intelligence and Investigation project will deliver learning and knowledge resources that will ensure that all new and serving officers acquire the digital skills they need to undertake investigations effectively.  

Published 01/01/2020
Authoring body: College of Policing (CoP)
Mobilisation APP

With the Police responding to critical and complex incidents, sometimes these incidents may require resources that go beyond the capacity and capability of the Police force. Some of these incidents may require the need of other partner agencies, other specialist skillsets and equipment and thus would need to be effectively managed and coordinated. Mobilisation is the process which supports mutual aid, at the local, regional or national level.

The National Police Coordination Centre (NPoCC) is responsible for the mobilisation of police assets, including general policing, operations and crime business areas. A lead force will be responsible for resourcing nationally-led crime enquiries. NPoCC should be the initial point of contact for any mobilisation requirements as it can provide advice and national coordination.

It is important to note that this a challenging area of work, particularly when the length of the investigation is unknown and mobilising crime assets is a new and emerging business field (mutual aid) for the Police service.

Published 01/01/2014
Authoring body: College of Policing (CoP)
ISS4PS Annexes Volume 2

This document was retired in July 2021

The Information Systems Strategy for the Police Service (ISS4PS) is an overarching strategy for Information and Communications Technology (ICT) and Information Systems (IS) for the Police service across the whole of England and Wales. Volume 2 Annexes helps to define and establish a list of standards and should be used a requirements for new developments within the Police Service.

Annex contains guidelines and actions points for: 

1. Establishing ISS4PS standards information base (SIB) 

2. Actions and guidance for IT Directors

3. ISS4PS compliance to the architectural principles 

4. Guidelines for National Programmes focusing on 3 critical ISS4PS policies (Establishing Foundations, Delivering Joined-up Services and Delivering National Initiatives) 

5. Criteria's for corporate and national solutions developed or procured by the Police Force 

6. Summary of Principles and actions defined in 'Implementing ISS4PS Volume 2'  

Published 01/01/2005
Authoring body: Association of Chief Police officers (ACPO)
ISO/IEC 27003:2017 Information Technology — Security techniques — Information Security Management Systems — Guidance

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This document was created to provide guidance on the requirements for an information security management system (ISMS) and provides recommendations, possibilities and permissions.

The following areas are very important for ISMS:

  • understanding the organisation’s needs and the necessity for establishing information security policy and information security objectives;

  • assessing the organisation's risks related to information security;

  • monitoring and reviewing the performance and effectiveness of the ISMS

  • practising continual improvement

The ISMS also has key components such as policies, defined responsibilities, documentation and management processes pertaining to policy establishment, planning, implementation, operation, performance assessment, management review and improvement.

Published 01/01/2017
Authoring body: International Organisation for Standardisation (ISO)
ISO 90011:2018 Guidelines for Auditing Management Systems

This document informs the creation of auditing systems.

With many organisations now wanting to combine a number of management systems into one, there has been awareness to also combine auditing capabilities into one for these management systems. As a result the international standard BS EN ISO: 19011:2011 has created this standard to provide organisations the knowledge for auditing modern management systems, the principles and guidance to ensuring they deliver a high standard of auditing capabilities and that organisations do not fail which could have damaging effects such as losing out on contracts, certifications, and operational efficiency.

Organisations can save vast amount of time, money and resources, by applying a single approach to multiple management systems by streamlining their auditing processes and removing duplication of effort.

This document shed insights into planning, decision-making and evaluating audits.

The standard includes (but not limited to:

  • Scope

  • Principles of Auditing

  • Managing an audit programme

  • Establishing the Audit programme

  • Implementing the audit programme

  • Monitoring an audit programme

  • Reviewing and improving the audit programme

  • Conducting audit activities

  • Preparing audit report

  • Conducting audit evaluation

  • And much more

Fee applies of £254.00 (members price: £127.00) for accessing the standard.

Published 01/01/2018
Authoring body: British Standards Institution (BSI)
ISO/IEC 27003:2017 Preview

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This document provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’) and permissions (‘may’) in relation to them. It is not the intention of this document to provide general guidance on all aspects of information security.

Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.

This document does not add any new requirements for an ISMS and its related terms and definitions. Organisations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions. Organisations implementing an ISMS are under no obligation to observe the guidance in this document.

An ISMS emphasises the importance of the following phases:

  • understanding the organisation’s needs and the necessity for establishing information security policy and information security objectives;

  • assessing the organisation's risks related to information security;

  • implementing and operating information security processes, controls and other measures to treat risks;

  • monitoring and reviewing the performance and effectiveness of the ISMS; and

  • practising continual improvement.

Published 01/01/2017
Authoring body: International Organisation for Standardisation (ISO)
Encoding Characters

 UTF-8, an encoding form for Unicode character sets, for government digital services and technology encodes all Unicode characters without changing the ASCII code.

Unicode is based on the American Standard Code for Information Interchange (ASCII) character set.

UTF-8 is an international standard used by, data scientists, data analysts and developers. It allows you to read, write, store and exchange text that remains stable over time and across different systems. It also have accurately translated languages moving between systems and prevent accidental or unanticipated corruption of text as it transfers between systems.

This makes UTF-8 flexible for a wide range of uses.

The government chooses standards using the open standards approval process and the Open Standards Board has final approval. Read more about the approval process for cross-platform character encoding. 

Published 01/01/2020
Authoring body: Government Digital Service (GDS)
All vehicles (VEH01)

All vehicles (VEH01) is a dataset of all licensed and registered vehicles in Great Britain and the UK, produced by Department for Transport.

It contains licensed vehicles, registered vehicles for the first time, vehicles by numbers of keepers, Statutory Off Road Notification (SORN) and the Ultra-low emissions vehicles (ULEVs).

For more information please contact Vehicles statistics

Public enquiries: 020 7944 3077

Published 01/01/2020
Authoring body: Department for Transport (DfT)
Reference Data / Templates
ISO/IEC 27032:2012 Information Technology — Security Techniques — Guidelines for Cybersecurity

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The Cyberspace is a complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. However there are numerous security gaps not covered by current information security, Internet security, network security and ICT security. The aim of this international standard is to address Cyberspace security issues and bridge the gap between different security domains in the cyberspace.

International Standard provides technical guidance for addressing common cybersecurity risks such as social engineering, hacking, spyware and proliferation of malicious software.

It also provides guidelines for addressing risk such as preparing for attacks, detecting and monitoring attacks and responding to attacks.

The International Standard also provides a framework for information sharing, coordination, and incident handling.

Published 01/01/2012
Authoring body: International Organisation for Standardisation (ISO)
Domain-based Message Authentication, Reporting & Conformance (DMARC)

The Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email standard that used in email transactional activity. It helps validates a senders identity using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The receiving email service uses SPF and DKIM to confirm the sender’s identity. If the receiving email service confirms the sender’s identity it will forward the email to the receiver’s inbox. If the receiving email service cannot confirm the sender’s identity it will mark the email as spam. 

Using DMARC has its benefits such as helps to protect the users, employees from cybercrime, reduce customer support costs relating to email fraud and improve trust in the emails organisation sends and receives.

Published 01/01/2016
Authoring body: Government Digital Service (GDS)
Using Open Document Formats (ODF) in your organisation

Open Document Formats (ODF) 1.2 standard was selected by the Open Standards Board for use across the UK government. ODF works on most operating systems (including desktops, laptops, mobiles and tablets). This is because it is an open standards that allows suppliers to create interoperable office productivity solutions, can lower IT costs as ODF is low cost or free to use, allows government staff to share and edit documents, allows stricter security checks therefore helping it to prevent common cyber-attack scenarios, can add digital signatures to a document. 

ODF standard works with several software tools as Mac, Windows, Linux, and Android operating systems as well as many others. User needs are very important when selecting an ODF complaint solution, therefore the research and analysis is critical.

The standard also includes the following information:

  • Buying ODF compliant solutions

  • Migrating to ODF compliant solutions

  • Securing ODF compliant solutions

  • Integrating ODF compliant solutions

  • Setting up ODF complaint solutions

Published 01/01/2018
Authoring body: Government Digital Services (GDS)
Cybersecurity Framework NIST (Version 1.1)

National Institute of Standards and Technology (NIST), covers a wide range of topics including Bioscience, Chemistry, Advanced Communications, Cybersecurity, Energy, Materials, Nanotechnology, Neutron research, Physics, Health, Infrastructure, Public Safety, Standards, Transportation and many more.

NIST also cover a wide range of publications, laboratories and programs, Research projects, Services and Resources Software, Data, Computer Security Resource Center, and News and Events.

Under Cybersecurity, there is a framework developed to help organisations to better understand and improve their management of cybersecurity risk.

The Cybersecurity framework consists of standards, guidance, and best practices.

It stages of the framework:

  1. Identify

  2. Protect

  3. Detect

  4. Respond

  5. Recover

The cyber security framework help organisations prioritise, become flexible and cost-effective in promoting and dealing with protection and resilience of critical infrastructure and other parts critical to the national security and economy.

For further information and/or questions about the Cybersecurity Framework please contact:

Published 01/01/2018
Authoring body: National Institute of Standards & Technology (NIST)
Technology Code of Practice

The Technology Code of Practice is a set of criteria to help government design, build and buy technology. Technology Code of Practice should be used for all technology projects and programmes and should be aligned to the mandatory code and as much as possible align the organisation’s technology and business strategies to the Technology Code of Practice.

Following the Technology Code of Practice will help introduce or update technology so that it:

  • meets user needs, based on research with your users

  • is easier to share across government

  • is easy to maintain

  • scales for future use

  • is less dependent on single third-party suppliers

  • provides better value for money

  • makes use of open standards

Organisations must consider all points of the Technology Code of Practice as part of the Cabinet Office spend control process as it’s used as a cross-government agreed standard in the spend controls process. Where legacy technology limits your ability to adhere to the standard, you must explain this to the GDS Standards Assurance team.



Published 01/01/2019
Authoring body: Government Digital Service (GDS)
Defence Industry Security Notices

Industry Security Notices (ISNs)

 A Industry Security Notice (ISN) is an official document that tells people in industry about important instructions, guidance or other information relating to security.

Information from Ministry of Defence, that provides updates.

  • ‘ISN 2014/04 Farnborough International Air Show 2014: exhibition clearances’ has been removed

  • ‘ISN 2014/01: Government Security Classification Scheme’ updated April 2014

  • ‘ISN 2011/05 Defence & Security Equipment International (DSEi) 2011: exhibition clearances’ has been removed

  • ‘ISN 2011/02: incident report’ has been superseded by ‘2011/07: incident reporting’

  • ‘ISN 2011/03: Nato personnel security clearances’ has been superseded by ‘2014/03: Procedure for UK contractors to obtain Nato personnel security clearances’

Published 01/01/2021
Authoring body: Government Digital Services (GDS)
Recruitment Guidance - Candidate Management

Ensuring that the right candidates are selected for policing roles is essential. Employing the right selection process is essential to make the most efficient use of money, time and resources and can have the following benefits:

  • Reduce the probability of selecting individuals who will not perform at their jobs effectively.

  • Better value at the national Assessment process

  • Minimises disproportionality in outcomes for underrepresented groups

  • Maximise candidates potential by supporting, them and ensuring a positive candidate experience.

It is known that not all forces handle their recruitment process in the same way in the early process and therefore causes discrepancies in the way people are recruited in the police force. A sifting solution is being undertaken that aims to help effectively mange candidates. Whilst this is still on-going, this document aims to help police forces consider some key principles for an effective end-to-end recruitment process.

Each area should be considered:

  • Recruitment strategy

  • Attraction campaign and positive action

  • Registration

  • Force selection

  • National Assessment Process

  • Post-assessment process activity

  • Appointment

Monitoring of each area and collaborating with other learning providers are critical to the improvement, maximisation and best practise of the selection process.


Published 01/01/2020
Authoring body: College of Policing
Secure Sanitisation of Storage Media (Version 1.0)

Data sanitisation is a key aspect to any organisations dealing with data storage media and who want to ensure that unauthorised parties do not gain access to their data.

Data sanitisation has to do with the safe removal, treatments and disposal of sensitive information from storage media devices to guarantee that retrieval and reconstruction of data is not possible or may be very difficult to reproduce as some forms of sanitisation will allow you to re-use the media, while others are destructive in nature and render the media unusable.

There could be many reasons why an organisation may want to sanitise its data:

  • Re-use purposes – new user device allocation, re-purpose or resell device.

  • Repair purposes - return or repair faulty device

  • Disposal purposes – dispose of device

  • Destruction purposes – destroy information held on device or the device itself.

There are risks associated with improper sanitisation as key data may still remain on the device, such as:

  • Sensitive data may end up with the wrong people who can expose the sensitive data

  • Loss of control over information assets

  • Private or personal data could be leaked and used to commit fraud or identity theft.

  • Intellectual property could be used leading to reputational loss

Whilst this may not be entirely a sanitisation issue, it is part of it and one way to combat these risks is using encryption.



Published 13/02/2020
Authoring body: National Cyber Security Centre (NCSC)
Securing Technology at OFFICIAL

Guidance on how organisations should secure their technology and services to protect UK government information classified as OFFICIAL. 

The vast majority of UK government public services are conducted at the Official classification. Business operations and services include information routinely used that can have damaging consequences if lost or stolen.

Security at Official is achieved through following good commercial practices and understanding security needs and matching these requirements to the latest available technology availabilities. 

Published 01/01/2015
Authoring body: CESG National Technical Authority for Information Assurance
End User Device (EUD) Security Guidance 2

Guidance for organisations deploying a range of end user device platforms as part of a remote working solution.

Modern smartphones, laptops and tablets provide users with great flexibility and functionality, and include security technologies to help protect information and as such this security guidance document is general to all end user devices (EUD) and their deployments to help harness its security capabilities without hindering its functioning ability by ensuring device configuration are set up correctly.

This guidance is to help optimise security functions, allow for greater user responsibility to reduce security complexity, maintaining user experience, logging and audit information and enable greater interoperability of IT systems.

Published 01/01/2018
Authoring body: National Cyber Security Centre (NCSC)
Intelligence Management APP

Intelligence is information collected and gathered for the purpose of taking action. This process is continuous and critical to effective policing operations that allow for tactical options and prioritisation. Such intelligence can sometimes be classified as confidential or sensitive.

A Code of Practice has been issued by the secretary of state to develop a national intelligence model (NIM), which sets out principles and standards for chief officer and police and crime commissioners to adhere. Ensures the results of the standards are systematic for continuous progress and also helps promote compatibility of procedures and terminology for the (NIM) as well as monitor and evaluate the promulgation of good practice.

The code of the practice came into effect in January 2005.

Published 28/05/2019
Authoring body: College of Policing (CoP)
Setup Government Email Services Securely

All public services sending emails out on behalf of government organisations must follow all protocols, processes and guidelines to ensure that they secure their email service. This includes:

  • the service providing users with mailbox access

  • internal relays and gateways

  • email filtering services

  • third party services that send email on your behalf, like transactional email services

Key configurations are needed to ensure you email services run smoothly:

  • Transport Layer Security (TLS)

  • DomainKeys Identified Mail (DKIM)

  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

  • Public Domain Name System (DNS)

  • Ability to make administrative changes


If there are any changes made to your email security, ensure that you communicate such changes to all staff in your organisation.

Published 01/01/2020
Authoring body: Government Digital Services (GDS)
Securing Government Email

This guidance applies to all email domains that public sector organisations run on the internet. It also helps ensures that public sector organisations exchanges email securely with other public sector organisations. Protecting emails in transit makes it difficult for domains to be spoofed.

All public sector emails must be kept secure by:

Encryption and authentication only work if both the sender and the recipient use them.

The Government Digital Service recommends protecting email by:

  • forcing TLS when sending to

  • forcing TLS when sending to any other domains that supports it if the local risk profile requires it

  • using extra encryption services if needs be

Published 01/01/2019
Authoring body: Government Digital Service (GDS)
DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) verifies an email’s domain and ensures it has not been tampered with in transit. The receiving email service can then filter or reject email that fails the DKIM check. In order for DKIM to verify an emails domain it uses public key encryption to check email by creating a hash using the content of each outbound email. The sending service then encrypts the hash with its private key and adds it to the email header. This is the DKIM signature.

The receiving email service looks up the public key in the sender’s DKIM DNS (DOMAIN NAME SYSTEM) record then uses the public key to decrypt the DKIM signature on the email. It also generates a hash of the email in the same way the sending email service did. If the hash matches the decrypted DKIM signature then the email passes the DKIM check. This means the email came from where it says it came from and has not changed in transit.

Published 01/01/2016
Authoring body: Government Digital Service (GDS)
Criminal Justice System: Data Standards Forum Guidance

An agreed and designed common data standards are used by the Criminal Justice System, ICT suppliers to support ICT communications between systems used by Criminal Justice Organisations (CJO) to support CJS operations. They are also used with open data standards as defined in the government’s Open Standards Principles. These common standards are also used to support data analytics, bidding for CJS contracts etc.

The selection of the CJS data standards is made by the CJS Data Standards Forum. This is a technical forum which has representatives from the principal CJOs.

There is a Data Standard Catalogue used to support the exchange of criminal justice information between different CJOs.

There are three different types of data standard reflected in the catalogued:

  • formatting standards

  • organisational structure standards

  • reference data standard

The Data Standard catalogue is constantly reviewed by the Data Standards Forum to ensure a set of standards is produced that is as small as possible while still being fit for purpose. 


Published 17/12/2020
Authoring body: Ministry of Justice (MOJ)
End User Device (EUD) Security Principles (Version 1.0)

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows: 

1. Data-in-transit Protection: Data should be protected as it transits from the EUD to any services the EUD uses. 

2. Data-at-rest Protection: Data stored on the device should be satisfactorily encrypted when the device is in its “rest” state. 

3. Authentication:

- User to device: the user is only granted access to the device after successfully authenticating to the device.

- User to service: The user is only able to access enterprise services after successfully authenticating to the service, via their device.

- Device to service: Only devices which can authenticate to the enterprise are granted access.

4. Secure Boot: An unauthorised entity should not be able to modify the boot process of a device, and any attempt to do so should be detected.

5. Platform Integrity and Application Sandboxing: The device can continue to operate securely despite potential compromise of an application or component within the platform, 

6. Application allow Listing: The enterprise can define which applications are able to execute on the device, and these policies are robustly enforced on the device.

7. Malicious code detection and prevention: The device can detect, isolate and defeat malicious code which is present on the device.

8. Security policy enforcement: Security policies set by your organisation are robustly implemented across the platform.

9. External interface protection: The device is able to constrain the set of ports (physical and logical) and services exposed to untrusted networks and devices. 

10. Device Update Policy: You are able to issue security updates and can remotely validate the patch level of your entire device estate.

11. Event Collection for Enterprise Analysis: The device reports security-critical events to your audit and monitoring service. 

12. Incident Response: Your organisation has a plan in place to respond to and understand the impact of security incidents.

All of these principles must be considered when securing and deploying devices.

Published 01/01/2019
Authoring body: National Cyber Security Centre (NCSC)
End User Device (EUD) Security Guidance

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows:

  1. Data-in-transit Protection

  2. Data-at-rest Protection

  3. Authentication

  4. Secure Boot

  5. Platform Integrity and Application Sandboxing

  6. Application allow Listing

  7. Malicious Code Detection and Prevention

  8. Security policy Enforcement

  9. External Interface Protection

  10. Device Update Policy

  11. Event Collection for Enterprise Analysis

  12. Incident Response

All of these principles must be considered when securing and deploying devices.


Published 01/01/2019
Authoring body: National Cyber security Centre (NCSC)
Auditing Principles - Directive 2006/43/EC of the European Parliament and of the Council

Statutory auditors should adhere to the highest ethical standards and should be subject to professional ethics. This Directive aims at high-level to bring about harmonisation of statutory audit requirements as a result of lack of a harmonised approach to statutory auditing in the Community. This was the reason why the Commission proposed, in its 1998 Communication on the statutory audit in the European Union that a creation of a Committee on Auditing which could develop further action in close cooperation with the accounting profession and Member States be established.

The output/recommendation from the committee setup was a Recommendation was a set of Fundamental auditing Principles. The statutory audit requires adequate knowledge of matters such as company law, fiscal law and social law for Audit qualifications obtained by statutory auditors. In order to protect third parties, all approved auditors and audit firms should be entered in a register which is accessible to the public and which contains basic information concerning statutory auditors and audit firms. 

It is important to note that good audit quality contributes to the orderly functioning of markets by enhancing the integrity and efficiency of financial statements. 

Published 01/01/2006
Authoring body: European Parliament
Retrieval of Video Evidence and production of working copies from digital CCTV Systems (Version 2.0)

Digital CCTV installations vary greatly in terms of the recording methods as a result of varying solutions with different capabilities and functionality which are used to capture picture and video evidence with export facilities provided.

This document provides guidance on the retrieval of video from any digital CCTV system in its native file format and the methods for the production of working copies in non-native file formats, where this is necessary to facilitate further processing or replay in court.

The document contains a flowchart to help the user select the most appropriate retrieval method to use for any given CCTV system. Explanatory notes are also provided for each option and guidance

given for assessing the practicality and suitability of each technique to ensure that the right retrieval method is selected to uphold evidential integrity.

The guidance also covers the production of working copies, specifically where this involves a conversion between video formats.

Options have also been presented for final storage of the working copy. Information is given as to the suitability of each conversion technique and storage medium, so that appropriate choices can be made to best minimise the potential degradation in image quality.

A checklist of actions is provided when retrieving data to ensure that all relevant information is captured and evidential integrity is maintained.

Published 01/01/2008
Authoring body: Defence Science and Technology Laboratory
National Intelligence Model

The National Intelligence Model (NIM) is a well-established model within the policing world that was established in 2000 by the National Criminal Intelligence service (NCIS) and adopted by Association of Chief Police Officers (ACPO) to help to mange the use of setting strategic direction, making prioritised resourcing decisions, intelligently allocating resources in the most efficient manner, developing and outlining tactical plans, coordinating activities and managing associated risks.

NIM has three levels which it operates on:

  • Level 1 – Local/Basic Command Unit (BCU)

  • Level 2 – Force and/or regional

  • Level 3 – Serious and organised crime that is usually national or international

NIM doesn’t just only help to serve crime and intelligence decision-making but is expansive in its dynamics and touches on the general policing business and decision-making. It also serves as a standardised approach for gathering, co coordinating and disseminating intelligence, which can be integrated across all forces and law enforcement agencies.

NIM allows for greater consistency of policing across the UK, operational strategies to focus on key priorities, ensures more officers are focused on solving priority problems and targeting the most active offender, achieves greater compliance with human rights legislation, improves direction and briefing of patrols, helps to reduce rates of persistent offenders through targeting the most prolific and helps to improves integration with partner agencies.

Published 01/01/2005
Authoring body: Home Office
Code of practice for the deployment and use of Body Worn Video (BWV) BS 8593:2017

The use of Body worn video (BWV) includes video and microphone both audio and visual recording. The recording can also be stored and exported.

BWV has become extremely in the video surveillance sector and within the Police Force, as officers are able to use BWV and capture key important evidence whilst on operational duty. However have been some issues around privacy, data security technical capabilities.

To ensure that BWV, is used for its intended purpose this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded and foster public trust in where and when BWV can be used.

Some of the activities in which BWV can be used are in emergency responses, night-time economy operations/events, security guarding, parking enforcement, door supervision.

Intended readers are Police officers, security companies, entertainment venues, local authorities.

Fees to accessing the standard may apply.

Published 01/01/2017
Authoring body: British Standards Institute (BSI)
Criminal Intelligence Manual for Analysts

Intelligence is information (raw data) worked, evaluated in context to its source and reliability to create added value and meaning to its user (Information + Evaluation = Intelligence).

Analysis is about tracing their source to discover the general principles behind the information and ascertaining parts. Therefore we can say that intelligence analysis is about collecting and utilising information, evaluating it to process it into intelligence, and then analysing that intelligence to produce products to support informed decision-making. 

Analysis goes beyond the facts asking questions such as: 

  • What exactly is the problem?

  • What is it a problem?

  • What information do we already possess that is relevant to the problem?

  • Where is the information held?

  • How can we obtain it?

  • What meaning can we extract from the information?

  • Are we ready to take action with the information received?

The process of applying these questions, evaluating the answers, choosing the response and outputs/actions is the process and essence of what analysis is about. Analysis is going beyond the facts and digging deeper.

Therefore criminal intelligence analysis is the in-depth analysis of criminal activity, criminal information and the criminals. This also includes the retrieval and storage of digital/online content. The use of Information Technology has become ever so critical in the modern age.

Published 01/01/2011
Authoring body: United Nations Office on Drugs and Crime (UNODC)
Forensic Science Regulator Information Legal Obligations (Issue 8)

The role of the forensic science regulator is to advise the Government and the criminal justice system on quality standards in the provision of forensic science. Recommend new requirements for new and improved standards and providing advice and guidance so that providers will be able to demonstrate compliance with common standards, in procurement and in courts 

A key requirement of any standards framework in forensic science is that the output meets the requirements of the Criminal Justice System (CJS). 
 This document sets out the view of the Regulator as to the legal landscape within which forensic scientists operate within the CJS. 

There are legal obligations placed on expert witnesses as sources in the Criminal Justice System in England and Wales as Expert evidence is admissible “to furnish the court with scientific information which is likely to be outside the experience and the knowledge of a judge or jury”. This places the expert witness in a privileged position.

It is important to note that expert evidence can only be given by a person who is an expert in the relevant field. An expert witness must provide the court with objective, unbiased opinion on 
matters within his expertise 
Witnesses must act with honesty and good faith. 

Published 30/04/2020
Authoring body: Forensic Science Regulator (FSR)
Engagement & Communication APP

Police engagement and communication is key to the success of community policing and having an effective presence in the area the police serves in. Developing and maintaining healthy and positive relationships with community leaders and the wider public is crucial for establishing engagement. Without this being able to prevent, detect or investigate and solve crime may become much more difficult, as well as bringing offenders to justice. It will reduce confidence and public image in the Police service as service to the public may become unworkable. There it is important that both the public and Police service both cooperate and be in intentional about developing strong relations.

It is important to the local police that communities have confidence and trust in the Police Service in order for the Police to carry out their duties effectively and to keep communities safe. Both parties play an essential role in the world of policing.

This document sets out the principles of engagement and communication, including public relations.

Published 01/01/2017
Authoring body: College of Policing (CoP)
ICT Asset Recovery Standard 7.0

Asset Disposal & Information Security Alliance (ADISA) is an organisation designed to improve risk management and data protection within business processes for IT asset retirement and disposal.

The ADISA ICT Asset Recovery Standard 7.0 is an updated version released in January 2020 from its first launch from its first launch in 2010. It better aligns to the updates and amendments of the Data Protection legislation including but not limited to the EU General Data Protection Regulation, the UK Data Protection Act and the Californian Consumer Privacy Act 2018.

This area covers asset management and data sanitisation. The ADISA ICT Asset Recovery Standard was developed to identify risk which might exist within this process and to then assess countermeasures which are in place to mitigate that risk.

 The objective of the ADISA Asset Recovery Standard is to ensure that every data bearing asset is managed throughout the process and that any resident data is sanitised in accordance with the client’s requirements or to industry best practice levels, to promote the re-use of assets through risk management and to help organisations comply with Data Protection Laws.

These are achieved by creating a physical environment within the ITAD process which offers equivalent levels of security to those in place when the asset is in its live environment, testing the abilities of the service provider to create and then maintain the chain of custody throughout the process, ensuring the process is consistent and repeatable, assessing current data sanitisation processes on ALL media types.

The Standard is presented in 10 Modules each covering different aspects in asset recovery and contain mandatory requirements.

There are current plans for version 8 of this document.

Published 01/01/2020
Authoring body: Asset Disposal & Information Security Alliance (ADISA)
European Pool against Organised Crime (ePOC IV) Version 1.0

European Pool against Organised Crime (EPOC IV) was introduced in 2004 as the Eurojust Case Management System.  It facilitates the secure storage of case-related personal data, the exchange of information amongst National Members and the analysis of that data.

EPOC also provides a set of tools to facilitate interoperability of national systems and can be used as a component to support international cooperation in national systems.   

Reference Dataset consists of:

  • Currency Class

  • EU EPOC Country (Bulgarian)

  • EU EPOC Country (English)

  • EU EPOC Country (French)

  • EU EPOC Country (Lithuanian)

  • EU EPOC Country (Slovene)

  • EU EPOC Crime Type (Bulgarian)

  • EU EPOC Crime Type (English)

  • EU EPOC Crime Type (French)

  • EU EPOC Crime Type (Lithuanian)

  • EU EPOC Crime Type (Slovene)

  • EU EPOC Currency Type (English)

  • EU EPOC Currency Type (Lithuanian)

  • EU EPOC Drug Code (English and Other Languages) L1 (English)

  • EU EPOC Drug Code (English and Other Languages) L2 (Other Languages)

  • EU EPOC Drug Code (Lithuanian)

  • Home Office Drug Codes L2 (Description)

  • ISO 3166-1 Country Codes 2 Char


Published 01/01/2019
Authoring body: Reference data service platform
Reference Data / Templates