2022-2023: Requirements and compliance framework
Working on the introduction of a key new technology that would support most investigations across the UK, we captured all regulatory requirements and built a design for compliant operation. Our work identified the need for a change to legislation, which has since been passed by Parliament.
Challenge
Assurance of compliant operations was required in support of the national roll-out of a digital investigations capability.
International agreements, existing policing law, new domestic legislation and national police policy set by the NPCC needed to be combined in a way that worked practically for the police forces that were to use the new collection capability. Hundreds of pages of legal and government policy documentation had to be adhered to.
Managing potential breaches of compliance was deemed critical to ensure the capability remained credible in UK courts and to maintain the international relationships and trust that underpin data sharing agreements.
Approach
We wanted to provide a compliance regime with tool support for ease of maintenance. We also wanted to use applications and tools already available to the client team, so with a small plug-in request for Atlassian Confluence we built a requirements traceability and compliance framework that included:
Source documentation broken down into atomic compliance requirements.
A common set of master compliance requirements, resolving any overlap or conflict between individual source requirements.
Full traceability in both directions, to quickly determine why a compliance requirement was in place (which document, page, section and line) or how a given source document was being complied with.
Traceability to design and implementation activities, showing where each compliance requirement was addressed.
Tooling for ongoing, tracked audit of compliance, with compliance questions and a checklist set against the compliance requirements.
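To make the structure of such a framework concrete, here is an added example in Python (not the client's tooling or the Confluence plug-in described above). It models the elements listed: atomic source requirements with their citation, consolidated master requirements that may cover several overlapping sources, design items that address master requirements, backward and forward traces, gap checks (sources with no master requirement, master requirements with no design), and an audit checklist run against the master requirements. All identifiers, document names and requirement texts are constructed sample data.

```python
"""Constructed illustration of a requirements traceability and compliance
framework. All identifiers, documents and requirement texts are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SourceRequirement:
    """One atomic requirement, with its citation back to the source document."""
    id: str
    document: str   # statute, agreement or policy it was extracted from
    location: str   # page/section/line reference used for the backward trace
    text: str


@dataclass
class MasterRequirement:
    """A consolidated requirement; overlapping source requirements map onto it."""
    id: str
    text: str
    question: str                                   # audit checklist question
    sources: set[str] = field(default_factory=set)  # SourceRequirement ids


@dataclass
class DesignItem:
    """A design or implementation activity that addresses master requirements."""
    id: str
    description: str
    satisfies: set[str] = field(default_factory=set)  # MasterRequirement ids


class TraceabilityFramework:
    def __init__(self):
        self.sources: dict[str, SourceRequirement] = {}
        self.masters: dict[str, MasterRequirement] = {}
        self.designs: dict[str, DesignItem] = {}

    def add_source(self, s: SourceRequirement) -> None:
        self.sources[s.id] = s

    def add_master(self, m: MasterRequirement) -> None:
        # Refuse dangling references so every trace resolves to a real citation.
        unknown = m.sources - self.sources.keys()
        if unknown:
            raise ValueError(f"{m.id} cites unknown source requirements {sorted(unknown)}")
        self.masters[m.id] = m

    def add_design(self, d: DesignItem) -> None:
        unknown = d.satisfies - self.masters.keys()
        if unknown:
            raise ValueError(f"{d.id} claims unknown master requirements {sorted(unknown)}")
        self.designs[d.id] = d

    def why(self, master_id: str) -> list[SourceRequirement]:
        """Backward trace: which source clauses put this master requirement in place."""
        return [self.sources[sid] for sid in sorted(self.masters[master_id].sources)]

    def how(self, source_id: str) -> list[MasterRequirement]:
        """Forward trace: which master requirement(s) comply with this source clause."""
        return [m for m in self.masters.values() if source_id in m.sources]

    def design_for(self, master_id: str) -> list[DesignItem]:
        """Where in the design a master requirement is addressed."""
        return [d for d in self.designs.values() if master_id in d.satisfies]

    def uncovered_sources(self) -> list[str]:
        """Source requirements no master requirement covers: a compliance gap."""
        covered = set().union(*(m.sources for m in self.masters.values()))
        return sorted(sid for sid in self.sources if sid not in covered)

    def unaddressed_masters(self) -> list[str]:
        """Master requirements no design item addresses: a design gap."""
        addressed = set().union(*(d.satisfies for d in self.designs.values()))
        return sorted(mid for mid in self.masters if mid not in addressed)

    def audit(self, answers: dict[str, bool]) -> dict[str, list[str]]:
        """Run the checklist: answers map a master id to the auditor's yes/no."""
        result = {"compliant": [], "non_compliant": [], "unanswered": []}
        for mid in sorted(self.masters):
            if mid not in answers:
                result["unanswered"].append(mid)
            elif answers[mid]:
                result["compliant"].append(mid)
            else:
                result["non_compliant"].append(mid)
        return result


def build_example() -> TraceabilityFramework:
    """Populate the framework with constructed, hypothetical sample data."""
    fw = TraceabilityFramework()
    fw.add_source(SourceRequirement("SRC-LAW-1", "Example Act (hypothetical)", "s.12(3)",
                                    "Data must be retained no longer than necessary."))
    fw.add_source(SourceRequirement("SRC-POL-1", "Example national policy (hypothetical)", "ch.4 p.31",
                                    "Retention periods must be reviewed annually."))
    fw.add_source(SourceRequirement("SRC-INT-1", "Example international agreement (hypothetical)", "art.7",
                                    "Shared data must not be onward-disclosed without consent."))
    fw.add_source(SourceRequirement("SRC-POL-2", "Example national policy (hypothetical)", "ch.6 p.48",
                                    "Access logs must be kept for audit."))
    # Two overlapping source clauses collapse into one master requirement.
    fw.add_master(MasterRequirement("MR-1", "Retention limited and reviewed annually",
                                    "Is a retention review scheduled and recorded?",
                                    {"SRC-LAW-1", "SRC-POL-1"}))
    fw.add_master(MasterRequirement("MR-2", "No onward disclosure of shared data without consent",
                                    "Is onward disclosure blocked or approved per record?",
                                    {"SRC-INT-1"}))
    fw.add_design(DesignItem("DI-1", "Retention scheduler with annual review workflow", {"MR-1"}))
    return fw


if __name__ == "__main__":
    fw = build_example()
    print("Why MR-1:", [(s.document, s.location) for s in fw.why("MR-1")])
    print("Uncovered sources:", fw.uncovered_sources())
    print("Unaddressed masters:", fw.unaddressed_masters())
    print("Audit:", fw.audit({"MR-1": True}))
```

On the sample data the gap checks report SRC-POL-2 as a source clause with no master requirement and MR-2 as a master requirement with no design item, which is the kind of finding that drives either a design update or, as in the case above, a conflict raised back to the source documents.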
Impact
Our work gave the client a complete compliance regime with tool support. We could demonstrate overall compliance by design, with a toolkit available to perform ongoing compliance checks on the implementation once the capability was fully operational.
Our tool-based approach was the most cost-effective way to maintain the design against a complex set of source documentation, and gave the following critical long-term benefits:
Clearer accountability for both compliant design and compliant operation.
Later, when memories fade, a record of design decisions and of the design for compliance remains, helping to ensure the capability stays compliant.
Both design updates and updates to compliance source documents can be handled with minimal rework.
Operational police and individual forces wishing to understand aspects of their obligations can be supported quickly.
Our work also identified a conflict between source materials and the ability of police officers to adhere to some of the compliance requirements. This led to legislation amendments being brought to parliament.