to add a new content
Criminal Procedure & Investigations Act 1996 Code of Practice

The Criminal Procedure and Investigations Code of Practice applies in respect of criminal investigations conducted by police. A criminal investigation can be defined an investigation conducted by police officers with a view to it being ascertained whether a person should be charged with an offence, or whether a person charged with an offence is guilty of it. 

This document sets out the manner in which police officers are to record, retain and reveal to the prosecutor material obtained in a criminal investigation.

The roles and responsibilities within a criminal investigation can vary. The functions of the investigator, the officer in charge of an investigation and the disclosure officer are separate. The amount of persons attached to this case to fulfil the above roles will depend on the complexity of the case and the administrative arrangements within each police force. Commonly, where there are more than one person undertaking the roles, close consultation between them is essential to the effective performance of the duties imposed by this code. 

Persons other than police officers who are charged with the duty of conducting an investigation as defined in the Act are to have regard to the relevant provisions of the code, and should take these into account in applying their own operating procedures. 

Published 01/01/2015
Authoring body: Ministry of Justice (MoJ)
Data Protection

On the 25th May 2018 the Data Protection Act 2018 was implemented by the UK as the General Data Protection Regulation also known as GDPR. It controls how personal information is captured and used by organisations and the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must ensure that the information they obtain is for a lawful purpose, used fairly and must be transparent about its intended purpose of usage and used explicitly for that purpose only.

Data should also not be kept for more than is necessary, and whilst it is kept, should be kept up to date and handled and secured in a way that does not compromise its protection from unauthorised processing, loss of theft of data.  

It is important to note that there is stronger legal protection for more sensitive information such as race, health, sex life, orientation, ethnic background. There are separate safeguards for personal data relating to criminal convictions and offences.

Under the Data Protection Act 2018, an individual has the right to find out what information the government and other organisations holds about them and this ideally should be provided to the individual within 1 month.  

To make a complaint about the misuse of personal information or lack of security it should be made to the organisation, following their response the complaint can also be made to the Information Commissioner’s Office.

Telephone: 0303 123 1113

Published 01/01/2018
Authoring body: Information Commissioner's Office (ICO)
ACPO Good Practice Guide for Digital Evidence (Version 5)

This ACPO guide contains a set of golden principles for management of digital evidence and guidance on each stage in the evidence lifecycle: Plan, Capture, Analyse and Present. This guide represents good practice across a broad digital forensic landscape for policing.

Although dated, this guide has been reviewed in March 2021 by the National Standards Assurance Board and deemed current and relevant.

Published 01/03/2012
Authoring body: Association of Chief Police Officers (ACPO)
National Digital Case File Standards

The Digital Case File national programme has established standards for how a case file is built and sent to the CPS through collaboration with suppliers and police forces. 

Authoring body: Police Digital Service
ISO 27000:2020 Information Technology - Security techniques - Information Security management systems - Overview & Vocabulary

The International Organisation Standardisation (ISO) and the International Electrotechnical Commission (IEC) form the specialised system for worldwide standardisation. National bodies that are apart of the ISO or IEC participate through technical committees in the development of International standards to deal with particular areas of technical activities.

ISO/IEC in light of information technology provides an international standard and overview by for management systems by which a model can be followed in setting up and operating a management system. Information Security Management System (ISMS) is responsible for ensuring continuous development of the international management system standards.

Through the various standards developed, organisations can develop and implement a framework for managing and protecting the security of the information assets and systems including financial information, intellectual property, employee details, customer, client and third parties personal details.

The ISMS Standard includes standards that define requirements for an ISMS, provides direct support and guidance for the overall process to implement and maintain an ISMS standard, address conformity assessment for ISMS and provide terms and definitions for the international standard.

Published 01/01/2020
Authoring body: International Organisation Standardisation (ISO)
ACPO/ACPOS National Information Risk Appetite Statement (Version 1.3)

The purpose of this document is to inform force/agency Senior Information Risk Owners (SIRO), National Information Asset Owners, National and force/agency Accreditors/Projects/programmes and other interested parties of the National Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite and for further detail the Association of Chief Police Officers (ACPO)/ Association of Chief Police Officers in Scotland (ACPOS) Information Risk Appetite and Risk Escalation Case Guidance document.

This document helps provide a baseline for defining and managing risk for all National information systems and National Police Infrastructure used within the Police services such as as Police National Database, Police National Computer, ViSOR.

The document also helps form part of the national IA governance for information risk management and focuses on national Information Systems risk management and governance 
and force/agency risk management and governance.

The National Information Risk Appetite echoes the need for the police service to protect and manage risk with regards to information handling, as INFORMATION mismanagement can compromise confidentiality and integrity, have an adverse impact on police operations and damage police public image and increase risks to the compliance or legal standing of the police force.

Intended audience readers are for police force SIROs, Information Asset Owners, police for e Accreditors, programme and project managers as well as other interested parties in National Information risk management.

Published 01/01/2012
Authoring body: National Policing Improvement Agency (NPIA)
POLE Standards

*** POLE standards under development. Publication date 7th May 2021. Use the “Contact us” tab if you need more information. ***

The intended purpose of this standard is to promote interoperability of systems by converging on a common set of POLE data definitions used within Policing. POLE data definitions describe how People, Objects, Locations and Events should be formatted.

There are 44 POLE entities described in this standard including:

  • 20 person entities
  • 13 object entities
  • 5 location entities
  • 6 event entities

The standard also defines the attributes (field size, format, type) used to create the entities and contains and “entity x attribute map”.

Published 07/05/2021
Authoring body: Police Digital Service (PDS)
National Policing Community Security Policy (Version 4.3)

Police information, systems and networks must be safeguarded and protected to ensure the Police Service can meet their statutory and regulatory responsibilities. The Police Service meets these responsibilities by the implementation of this Community Security Policy (CSP) which encompasses appropriate Information Assurance (IA) policies and guidance.

The Police Service also support the need for appropriate safeguards and the effective management of all information processes, and are committed to helping protect all community member information assets from identifiable threats, internal or external, deliberate or accidental.


The CSP have strategic aims that: 

1. Enable the delivery of policing by providing appropriate and consistent protection for the information assets

2. Comply with statutory requirements and meet the expectations of the Police Service to manage information securely

3. enable forces, agencies and relevant organisations to understand the need to implement the IA policies identified herein, so the Police Service is able to meet its legal, statutory and regulatory requirements. 

Published 01/01/2014
Authoring body: National Police Information Risk Management Team (NPIRMT)
10 Steps to Cyber Security

This guidance is designed to help organisations protect themselves in cyberspace and best practises for cyberspace security. It relays the task of defending your networks, systems and information into its essential components.

It is important to note, when dealing cyberspace protection, the organisation knows the kinds of cyber attacks it expects to understand what protection would be needed.

Published 01/01/2018
Authoring body: National Cyber Security Centre (NCSC)
End user device (EUD) Security Guidance Windows 10 1809

This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

  • Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.

  • Applications should be authorised by an administrator and deployed via a trusted mechanism.

  • Most users should have accounts with no administrative privileges.  Administrator accounts should have a unique strong password per device.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

Risk owners and administrators should agree a configuration, which balances business requirements, usability and security.

Published 01/01/2020
Authoring body: National Cyber Security Centre (NCSC)