POL00447936
GROUP POLICY
Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal Misconduct
Version - V1.0
1. Overview
1.1. Introduction by the Policy Sponsor
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. The Risk
1.6. Legislation
1.7. Industry Guidance
2. Risk Appetite and Minimum Control Standards
3.
3.1. Tools
3.2. Definitions
4. Where to go for help
4.1. Additional Policies
This Policy is one of a set of policies. The full set of policies can be found at: https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
4.2. How to raise a concern
4.3. Who to contact for more information
5. Governance
5.1. Governance Responsibilities
6. Control
6.1. Policy Version
1. Overview
1.1. Introduction by the Policy Sponsor
The General Counsel has overall accountability to the Board of Directors for the design and
implementation of controls relating to cooperation with Law Enforcement Agencies and the manner in
which Post Office addresses suspected criminal misconduct. Cooperation with Law Enforcement Agencies
and addressing criminal misconduct is an agenda item for the Audit and Risk Committee and the Post
Office Board is updated as required.
1.2. Purpose
Post Office receives a large number of requests to assist Law Enforcement Agencies in the prevention,
detection, investigation and potential prosecution of alleged offences. It also has legal obligations to
provide information to Law Enforcement Agencies (e.g. through suspicious activity reports) and may also
wish voluntarily to notify Law Enforcement Agencies if it suspects that it, its Employees, Operators or
Customers have been the victim of crime.
This Policy has been established to set the minimum operating standards relating to cooperation with
Law Enforcement Agencies and the manner in which Post Office will address suspected criminal
misconduct.¹ It is one of a set of policies which provide a clear risk and governance framework and an
effective system of internal control for the management of risk across the Post Office. Compliance with
these policies supports the Post Office in meeting its business objectives and in balancing the needs of
shareholders, employees² and other stakeholders.
1.3. Core Principles
Post Office’s approach to cooperating with Law Enforcement Agencies is based upon the following core
principles:
• Post Office is committed to supporting Law Enforcement Agencies in the prevention, detection,
investigation and potential prosecution of alleged offences;
• Post Office will as far as possible cooperate with Law Enforcement Agencies and voluntarily provide
information and evidence in response to a request or proactively in order to assist an investigation
following a report by Post Office;
• Post Office is committed to ensuring that prosecutions are fair and that Prosecution Teams are
made aware of, and provided with, Disclosable Material in Post Office’s possession;
• Post Office will manage the risks associated with providing such cooperation, by ensuring that
appropriate controls are in place in relation to the provision of information.
In accordance with these principles, and subject to the controls described in section 2.4 below, Post
Office:
• will make a Victim Crime Report to the police where suspected criminal misconduct is identified
in its business operations and will provide such further information and assistance as appropriate;
• will not conduct private prosecutions (Post Office’s shareholder must be consulted and approval
obtained from the Post Office Board if any deviation from this is contemplated);
• will provide information to Law Enforcement Agencies to assist the prevention, detection,
investigation and potential prosecution of crime:
  o voluntarily for intelligence purposes, accompanied by an Advisory Notice if required to
  describe any known issue/s which might affect the reliability of the information;
  o voluntarily for use as evidence, where it is classified by Legal and Compliance as ‘low risk
  data’ for the purpose of this Policy (see Appendix 1);
  o voluntarily for use as evidence, if approved by Post Office Legal or any Nominated Criminal
  Law Advisors acting for Post Office; or
  o as required by a Mandatory Order or otherwise approved by the Post Office Board.
¹ In this Policy “Post Office” and “Group” means Post Office Limited, Post Office Management Services Limited and Payzone Bill
Payments Limited.
² In this Policy “employee” means permanent staff, temporary including agency staff, contractors, consultants and anyone else
working for or on behalf of Post Office.
1.4. Application
This Policy is applicable to all areas within the Post Office and defines the minimum standards to control
financial loss, customer impact, regulatory breaches and reputational damage in line with Post Office’s
Risk Appetite.
In exceptional circumstances, where risk sits outside of Post Office’s accepted Risk Appetite a Risk
Exception can be granted. For further information in relation to the risk exception process please contact
the Central Risk team.
For definitions please see section 3.1.
The risk to Post Office in relation to cooperation with Law Enforcement Agencies and the manner in which
it addresses suspected criminal misconduct is reviewed by the Board annually.
1.5. The Risks
Post Office is frequently asked to provide data and other information to support Law Enforcement
Agencies and prosecutors in Criminal Investigations and prosecutions. This may arise either when Post
Office is a victim of crime or when it holds data which is relevant to other suspected criminal misconduct.
Post Office also has legal obligations to provide data in some circumstances, for example suspicious
activity reports.
Provision of appropriate and reliable information to Law Enforcement Agencies promotes the
administration of justice. Compliance with this Policy will ensure:
• Suspected criminal misconduct is subject to proper review before it is reported to a Law
Enforcement Agency;
• Proper consideration is given to information that may be provided to Law Enforcement Agencies
and Prosecution Teams, to assist them in complying with their duties of disclosure;
• Issues with the reliability of provided information are identified and dealt with appropriately;
• Post Office is able to identify and verify information provided to Law Enforcement Agencies at a
later date.
1.6. Legislation
There are a number of relevant legal and regulatory requirements which are applicable, including (but
not limited to):
• Criminal Procedure and Investigations Act 1996
• Proceeds of Crime Act 2002
• Terrorism Act 2000
• The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017
• Crime and Courts Act 2013
In addition, Post Office can be legally required to provide information if it is served with a compulsory
order from a Court or Law Enforcement Agency (e.g. under Schedule 1 of the Police and Criminal Evidence
Act 1984, or section 2 of the Criminal Procedure (Attendance of Witnesses) Act 1965).
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
A Risk Appetite is the extent to which the Group will accept that a risk might happen in pursuit of day to
day business transactions. It therefore defines the boundaries of activity and levels of exposure that the
Group is willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has³:
• Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances where there
are significant conflicting imperatives between conformance and commercial practicality.
• Averse risk appetite for litigation in relation to high profile cases/issues.
• Averse risk appetite for litigation in relation to Financial Services matters.
• Averse risk appetite for not complying with law and regulations or deviation from business
conduct standards for financial crime to occur within any part of the organisation.
• Averse risk appetite in relation to unethical behaviour by our staff.
The Group acknowledges however, that in certain scenarios even after extensive controls have been
implemented, a matter may still sit outside the agreed Risk Appetite. In this situation, a risk exception
waiver will be required (for further information please contact the Central Risk team - per section 1.4).
2.2. Policy Framework
Post Office has established a suite of financial crime policies and procedures, on a risk sensitive approach
which are subject to an annual review and which are relevant to this Policy. This suite of policies is
designed to combat money laundering, terrorist financing, bribery, corruption and fraud and ensure
adherence to relevant sanctions regimes.
2.3 Who must comply?
Compliance with this Policy is mandatory for all Post Office employees.
Where non-compliance is identified, the matter must be referred to the Policy Owner. Where it is
identified that an instance of non-compliance is caused through wilful disregard or negligence, this will
be treated as a disciplinary offence.
³ The Risk appetite was agreed by the Group's Board January 2015
2.4 Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the risks, so they remain within the defined Risk
Appetite statements. There must be mechanisms in place within each business unit to demonstrate compliance. The minimum control
standards can cover a range of control types, i.e. directive, detective, corrective and preventive which are required to ensure risks are
managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated
risk appetite. The subsequent pages define the terms used in greater detail:
Risk Area: Making a Victim Crime Report and voluntary assistance
Description of Risk: Post Office does not have appropriate oversight over any Victim Crime Report made or voluntary assistance provided to LEAs by Post Office or its employee/s.
Minimum Control Standards:
Preventative Control: Where Post Office suspects that it, its Employees, Operators or Customers may have been the victim of crime, Post Office Legal must assess whether a Victim Crime Report should be made. The Policy Owner shall make the final decision on whether to make a Victim Crime Report.
When Post Office makes a Victim Crime Report, it will be for third party Law Enforcement Agencies and Prosecution Teams to consider whether further action (e.g. a prosecution) should be taken.
Once a Victim Crime Report has been made, Post Office Security, with the express agreement of Post Office Legal, may proactively provide such voluntary assistance to the ongoing LEA investigation as they consider appropriate. The Policy Owner shall make the final decision on whether proactive voluntary assistance should be provided.
Who is responsible: Policy Owner
When: Ongoing

Risk Area: Conduct of Private Prosecutions
Description of Risk: All duties as a private prosecutor are not discharged.
Minimum Control Standards:
Directive Control: Post Office shall not conduct Private Prosecutions or Criminal Investigations with a view to bringing Private Prosecutions. Post Office must consult with its shareholder if any deviation from this is contemplated.
Who is responsible: The Department for Business Energy & Industrial Strategy and the Post Office Board.
When: Ongoing

Risk Area: Provision of information to Law Enforcement Agencies
Description of Risk: The provision or withholding of information to Law Enforcement Agencies conflicts with other legal obligations or rights.
Minimum Control Standards:
Preventative Control: Any material to be provided which is not Low Risk Data as classified by this Policy will be submitted for review by Post Office Legal (or by any Nominated Criminal Law Advisors acting on their behalf) prior to it being provided. Post Office Legal will make the final decision on what material shall be provided and on what basis.
Nothing in this Policy shall permit the voluntary provision of information where that would result in non-compliance with other legal obligations (e.g. the Data Protection Act 2018 or General Data Protection Regulation).
All policies and processes which support this Policy shall expressly state that nothing in the Policy or associated documents shall prevent Post Office or its employees from complying with legal obligations and/or the requirement to protect, to the fullest extent possible, the identity of whistle-blowers.
Mandatory Orders must be sought if necessary to ensure the lawful provision of information, unless the provision of the information is otherwise approved by the Policy Owner.
Who is responsible: Recipient of request for information & Policy Owner
When: Ongoing

Risk Area: Provision of information to Law Enforcement Agencies
Description of Risk: If Post Office does not deal and continue to deal appropriately with any issues concerning the reliability of information it has provided to Law Enforcement Agencies, this could result in improper reliance on that information and/or unsafe convictions.
Minimum Control Standards:
Preventative Control: Where any Post Office employee receives a request to provide information to a Law Enforcement Agency, they must direct that request to Legal, Compliance or Security to manage.
Who is responsible: All Employees
Preventative Control: Where such a request is received by or escalated to Legal, Compliance or Security and relates to the provision of information for intelligence purposes, Legal, Compliance or Security shall comply with the “Flowchart: Provision of Data to Law Enforcement for Intelligence Purposes” tool (Tool 1) in determining whether/how to respond. Tool 1 provides that additional controls must be complied with in respect of data listed in Appendix 2.
Who is responsible: Policy Owner/Group Operations Director
Directive Control: Where Post Office or its employees are asked or compelled to provide witness statements relating to any information that is not Low Risk Data, the request must be escalated to Post Office Legal.
Who is responsible: All Employees
Preventative Control: Post Office Legal (or any Nominated Criminal Law Advisors acting on their behalf) will assess the risks in providing that data and determine whether the evidence can be provided on a voluntary basis, whether a Mandatory Order or Board approval is required, whether any information so provided should be accompanied by an Advisory Notice, and/or whether any other risk mitigation action is appropriate.
Who is responsible: Policy Owner
Preventative Control: Post Office Employees must notify Post Office Legal if they become aware of any issues which may undermine the reliability of any information provided to Law Enforcement Agencies, and/or if any additional types of information not presently recorded in Appendix 3 are provided to Law Enforcement Agencies.
Who is responsible: All Employees
Post Office Legal must review this Policy, its Appendices and any Advisory Notices and apply and/or revise them as appropriate if it becomes aware of any issues that may undermine the reliability or accuracy of any information provided to Law Enforcement Agencies.
Who is responsible: All Employees and Policy Owner
When: Ongoing

Risk Area: Provision of information to Law Enforcement Agencies
Description of Risk: Information provided to a Law Enforcement Agency is not retained such that Post Office cannot subsequently identify and/or verify the information provided.
Minimum Control Standards:
Preventative Control: Centralised records shall be maintained for the longer of 6 years or until the end of any criminal proceedings:
1. of any Victim Crime Report made by Post Office to the police;
2. of any known ongoing Criminal Investigation or prosecution arising from a Victim Crime Report or where Post Office has been asked to provide assistance;
3. of any information, data, material or evidence (witness statements or exhibits) provided to Law Enforcement Agencies.
Who is responsible: Policy Owner/Group Operations Director
When: Ongoing

Risk Area: Provision of information to Law Enforcement Agencies
Description of Risk: If Post Office does not monitor ongoing investigations and prosecutions by Law Enforcement Agencies, Post Office may not be aware of issues arising in such cases and/or may fail to identify material in its possession which satisfies the Disclosure Test.
Minimum Control Standards:
Preventative Control: Post Office shall maintain a list of known ongoing Criminal Investigations where Post Office or its Employees or Operators are the victim and any Public Prosecutions of which it is aware, updated with developments and reported regularly to the Policy Owner.
Who is responsible: Group Operations Director
Preventative Control: Post Office shall make regular contact with the Prosecution Team to request an update in relation to any developments in the case, so that Post Office can identify and if appropriate provide any further Disclosable Material in the case.
Who is responsible: Group Operations Director
Preventative Control: Any additional material to be disclosed will be submitted to Post Office Legal for review by them or Nominated Criminal Law Advisors prior to its disclosure.
Who is responsible: Policy Owner/Group Operations Director
When: Ongoing

Risk Area: Training
Description of Risk: Breaches of the Policy occur as a result of inadequate training
Minimum Control Standards:
Preventative Control: Training shall be provided to ensure that those to whom the Policy applies understand their obligations and how to fulfil them.
Who is responsible: Policy Owner/Compliance Director
3. Tool & Definitions
3.1. Tool
1. Flowchart: Provision of Data to Law Enforcement for Intelligence Purposes
The Provision of Data to Law Enforcement for Intelligence Purposes flowchart has been designed to
determine the level of risk exposure and escalation required when providing data to external Law
Enforcement Agencies for intelligence purposes. It sets out the process which must be followed in all
cases where Post Office employees or associates are asked or compelled to provide information to
Law Enforcement Agencies (see below).
3.2 Definitions
“Advisory Notice” - refers to the Notice which must be sent to any Law Enforcement Agency where required by
Tool 1 or Appendix 2.
“Criminal Investigation” - refers to an investigation conducted to the criminal standard, for the primary purpose
of ascertaining whether a person should be charged with a criminal offence.
“Disclosable Material” — refers to material which satisfies the Disclosure Test.
“Disclosure Test” — refers to the test set out in s.3 Criminal Procedure and Investigations Act 1996. Material is said
to satisfy the disclosure test if it might reasonably be considered capable of undermining the case for the prosecution
or of assisting the case for the accused.
“Evidence” - refers to information, data or documents formally produced, for example, in the form of a witness
statement, production statement, affidavit or exhibit for use in court proceedings.
“Intelligence” - refers to information, data or documents provided to assist Law Enforcement Agencies with the
exercise of their functions which is not provided as evidence.
“Law Enforcement Agencies” - refers to any agency which is responsible for law enforcement in the United
Kingdom, including (but not limited to): police forces, the National Crime Agency, Her Majesty’s Revenue and
Customs, Immigration Enforcement and Border Force, the Financial Conduct Authority, the Information
Commissioner's Office, the Prudential Regulation Authority, and the Office of Communications (commonly known as
OfCom). Where a Law Enforcement Agency also conducts regulatory (or other) functions, this Policy applies to
circumstances in which the body is exercising criminal law or regulatory investigation or enforcement functions.
“Low Risk Data” - refers to the categories of data which have been identified in Appendix 1 as being “low-risk”.
“Mandatory Order” - refers to an order or notice that Post Office is legally required to comply with (including, but
not limited to: a witness summons or a production order).
“Nominated Criminal Law Advisors” - refers to external criminal legal advisors that may from time to time be
appointed by Post Office Limited.
“Operator” - refers to Franchisees and Agents of Limited Companies who operate Post Office Limited Branches.
“Private Prosecution” - a prosecution brought by, or on behalf of, Post Office Limited, rather than by a Law
Enforcement Agency or public prosecutor.
“Prosecution Team” - refers to the individuals who are responsible for the investigation and prosecution of a
criminal case. This will most commonly be the police officer in charge of the investigation and the Crown Prosecution
Service reviewing lawyer who has conduct of the case, but extends to any external law enforcement investigator
and reviewing lawyer.
“Public Prosecution” - refers to a prosecution brought by a Law Enforcement Agency or public prosecutor (such
as the Crown Prosecution Service).
“Victim Crime Report” - refers to a report made by Post Office to the police when Post Office suspects that it or
its Operators or customers may have been the victim of criminal misconduct connected with the Post Office.
4. Where to go for help
4.1. Additional Policies
This Policy is one of a set of policies. The full set of policies can be found on the SharePoint Hub under
Policies.
4.2. How to raise a concern
Any Post Office employee who suspects that there is a breach of this Policy should report it without any
undue delay.
Post Office employees can raise concerns via:
• Your line manager
• A senior member of the HR Team
• Contacting the “Speak Up” line, a confidential reporting service which is run by an independent
company, Convercent:
  o Telephone Number:
  o http://speakup.postoffice.co.uk/ which is a secure on-line web portal
• Direct to the Whistleblowing Manager
4.3. Who to contact for more information
If you need further information about this Policy or wish to report an issue in rel
please contact the Post Office Legal team or contact Legal.Law.Enforcement.Queriesi
5. Governance
5.1. Governance Responsibilities
The Policy Sponsor, responsible for overseeing this Policy is the General Counsel of Post Office Limited.
The Policy Owner is the Group Legal Director who is responsible for ensuring that the Compliance Director
conducts an annual review of this Policy and tests compliance across the Post Office. Additionally, the
Group Legal Director and the Compliance Director are responsible for providing appropriate and timely
reporting to the Risk and Compliance Committee and the Audit and Risk Committee.
The Audit and Risk Committee are responsible for approving the Policy and overseeing compliance.
The Board is responsible for setting Post Office’s risk appetite.
6. Control
Date: 25 July 2020
Version: 0.1

Date: 1 March 2021
Version: 0.4
Updated by: Peters & Peters Solicitors LLP
Change Details: Changes of ownership (from Policy Sponsor to Policy Owner in respect of the minimum control standards table) and correcting spelling

Date: 28 September 2021
Version: 1.0
Updated by: Peters & Peters Solicitors LLP
Change Details: Changes requested by Data Protection to Tool 1/Appendix 1. Changes, following annual review, to 1.2 (Core Principles); 2.4 (Minimum Control Standards); 3.2 (Definitions); 4.2 (How to raise a concern); Tool 1/Appendix 1; and Appendix 2

6.1. Policy Approval
Committee: GE
Date Approved:
Committee: Post Office Board
Date Approved:
Committee: POL ARC
Date Approved: 28.09.2021

Oversight Committee: Risk and Compliance Committee, Audit and Risk Committee, and Post Office Board
Policy Sponsor: Ben Foat
Policy Owner: Sarah Gray
Policy Author: Rodric Williams
Next review: September 2022
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718
respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information
Commissioners Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty’s Revenue and Customs (HMRC), REF 12137104. Its Information Commissioners Office
registration number is 24866081
Tool 1: Flowchart: Provision of Information to Law Enforcement for Intelligence Purposes
1. This Tool is to be used when Post Office receives a request to provide data to law
enforcement agencies for intelligence purposes only. If at any stage, a request is made
for a witness statement, or for data to be exhibited for use in evidence, please seek advice
from Post Office Legal, unless the data is ‘low risk’, as set out in Appendix 1.
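[Flowchart: Provision of Information to Law Enforcement for Intelligence Purposes. Surviving box text: “The information can be provided but the additional controls identified in Appendix 2 must be complied with.”]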
2. Nothing in this Tool shall be interpreted as permitting the voluntary disclosure of data where such
provision would result in non-compliance with other legal obligations (for example, but not limited
to, the Data Protection Act 2018 or the General Data Protection Regulation). Mandatory Orders
must be sought if necessary, to ensure the lawful provision of data.
*Note that checks should still be made with the Data Protection Team in relation to
personal/sensitive data; Legal in relation to legal sensitivities; and
Commercial/Communications in relation to commercial sensitivities.
Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal
Misconduct
Appendix 1
1. Although the following categories of data contain personal data (as defined by the Data Protection
Act 2018), they have been classified by Legal and Compliance as ‘low risk data’ for the purpose
of this policy. Such data can be supplied to Law Enforcement Agencies without referral to Post
Office Legal (but note that checks should still be made with the Data Protection Team in relation
to personal/sensitive data; Legal in relation to legal sensitivities; and
Commercial/Communications in relation to commercial sensitivities):*
i. CCTV;
ii. Audio recordings;
iii. Details of a customer/third party transaction and/or method of payment made using a
particular bank card;
iv. HR records;
v. Data derived from the Brands Database;
vi. The name / address / phone number / driving licence number / passport number
provided by a customer during a transaction;
vii. Safe opening and closing times;
viii. Details of calls made using a particular phone number.
2. The business can apply to Legal and Compliance to add/remove items to/from this list. Such
requests should be sent to Post Office Legal.
* In the event that the reader has doubt about whether data can be supplied to a Law Enforcement Agency, they should contact
the Data Protection Team for clarification.
Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal
Misconduct
Appendix 2
1. The following categories of data have been identified as requiring additional controls before
the data can be provided to a law enforcement agency:
Type of data: Data deriving from Legacy Horizon or HNG-X
Additional controls required when providing data for intelligence purposes: The following Advisory Notice must be provided:
“Post Office Limited wishes to assist law enforcement agencies wherever possible. However, please note that the information provided derives in whole or in part from a historical version of the Horizon computer system used by Post Office. The accuracy and reliability of data deriving from this version of Horizon was the subject of the High Court case of Bates & Ors v Post Office Ltd (No 6: Horizon Issues) [2019] EWHC 3408. Furthermore, in 2020 the Criminal Cases Review Commission referred the convictions of several individuals whose cases featured evidence derived from the Legacy Horizon and HNG-X systems to the Court of Appeal.
Furthermore, in March 2021, 42 appeals were heard by the Court of Appeal Criminal Division (“the CACD”) relating to convictions which were based upon evidence derived from historical versions of the Horizon system (Hamilton & Others [2021] EWCA Crim 577). Of the 42 appeals, 39 were conceded by Post Office and 3 were opposed. The CACD allowed the 39 conceded appeals but upheld the 3 convictions in cases in which Horizon reliability was deemed not to be essential due to corroborating evidence. Further cases have subsequently been determined by the CACD applying the principles in Hamilton & Others.”

Type of data: [Add further data types as necessary]
Additional controls required when providing data for intelligence purposes: [Draft Advisory Notice as appropriate, drawing attention to any potential issue identified]
Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal Misconduct
Appendix 3
Categories of data which Post Office provides to Law Enforcement Agencies®
Activity Reports
(“SARs”)
National Crime
Agency (“NCA”)
required under
the Money
Laundering
Regulations
making Bureau de Change transactions / make large
Foreign Exchange cash transactions;
2) Details of POL staff members who regularly split
Bureau transactions so that they are under the ID
threshold;
3) Names of branches processing unusually large
amounts of cash;
4) The identity of a card used in a particular
transaction and details of other branches in which
that card was used, for example, details of banking
deposits made through Link;
5) CCTV.
AML Credence.
2) Horizon,
Credence and
AML Credence.
3) Credence
and Branch
Finder.
4) TESQA.
5) CCTV
system.
Type of Law Responsibility Type of data sought / provided Underlying Is the data
request/provision I Enforcement for responding system held by POL or
of data Agencies to request a third party
making (Security, (e.g. Fujitsu)
request Compliance
etc)
Raising Suspicious I Reports to Compliance 1) Details of customers who travel branch to branch 1) Horizon and I 1) Horizon data
and Credence
data is held by
POL.
2) Horizon data
and Credence
data is held by
POL.
3) Credence
and Branch
Finder data are
held by POL.
4) TESQA data
is held by POL.
POL00447936
POL00447936
5This table has been prepared using information provided by the business as of May 2020. It is possible therefore that this table is not a comprehensive list of all
types of data which POL provides to Law Enforcement Agencies. It will be updated as the Policy Owner is made aware of additional types of data which POL
provides to Law Enforcement Agencies not already captured within the table; or when new requests, for types of data not previously requested by Law
Enforcement Agencies are made.
21
@
Type of Law Responsibility Type of data sought / provided Underlying Is the data
request/provision I Enforcement for responding system held by POL or
of data Agencies to request a third party
making (Security, (e.g. Fujitsu)
request Compliance
etc)
5) CCTV data is
held by POL
and agents.
Responding to NCA / regulator I Compliance As above. As above. As above.
requests from the
NCA / regulator
etc for further
details relating to
SARs which have
been raised by
POL
SAR disclosures NCA Compliance 1) Details relating to the subject of the SAR (e.g. 1) HR records. 1) HR data is
(when POL is confirmation that the individual works for POL and held by POL.
asked to provide which branch they work in);
data in response 2) Details of Horizon User that processed transactions I 2) Credence. 2) Credence
to a SAR raised by reported in the SAR Disclosure (e.g. confirmation the data is held by
another agency transactions were processed by the subject). POL.
where the SAR
names an
individual linked
to POL)

Type of request/provision of data: Responding to JMLIT requests pursuant to s.7 Crime and Courts Act 2013
  • Normal s.7 requests (6 week turnaround)
  • Expedited s.7 requests (response asap, but normal office times)
  • Terrorist Incident s.7 requests (24/7/365 response required immediately)
  • Threat to life incident s.7 request (24/7/365 response required immediately)
Law Enforcement Agencies making request: HMRC / Financial Conduct Authority / NCA / Serious Fraud Office / Home Office / police / banks
Responsibility for responding to request: Compliance
Type of data sought / provided:
  1) Subject information captured on Brands - Details relating to a particular subject’s footprint (email address, phone number, address, dob, products and services used);
  2) Branch bureau de Change transaction and customer information;
  3) Reports received by Grapevine;
  4) SAR database recording details of all SARs received and reported to the NCA.
Underlying system:
  1) Horizon / Brands database.
  2) AML Credence.
  3) King’s Security systems.
  4) Excel spreadsheet held in secure AML drive.
  5) TESQA - if full card numbers are listed.
Is the data held by POL or a third party:
  1) Horizon data is held by POL. Brands data is held by POL.
  2) Credence data is held by POL.
  3) King’s Security systems.
  4) Excel spreadsheet is held by POL.
  5) TESQA data is held by POL.
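
Type of request/provision of data: Responding to requests from regulatory bodies
Law Enforcement Agencies making request: HMRC
Responsibility for responding to request: Compliance
Type of data sought / provided: Transactional data for audit purposes.
Underlying system: Horizon, AML Credence.
Is the data held by POL or a third party: Horizon data and Credence data is held by POL.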

Type of request/provision of data: Sharing intelligence / data following a whistleblowing investigation / sharing intelligence with regulators in the event that a regulatory breach is identified
Law Enforcement Agencies making request: Regulator (if regulatory breach is identified)
Type of data sought / provided: Difficult to quantify. Could be transactional information from Horizon.
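
Type of request/provision of data: Providing assistance following terrorist incidents
Law Enforcement Agencies making request: Police
Responsibility for responding to request: Security Team / Compliance (this would be via a s.7 request)
Type of data sought / provided: Details of transactions made using a particular bank card.
Underlying system: Horizon.
Is the data held by POL or a third party: Horizon data is held by POL.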
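
Type of request/provision of data: Assisting missing persons enquiries
Law Enforcement Agencies making request: Police
Responsibility for responding to request: Security Team
Type of data sought / provided: Confirmation of whether a bank card has been used / whether there has been other activity on the missing person’s account(s).
Underlying system: Horizon.
Is the data held by POL or a third party: Horizon data is held by POL.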

Type of request/provision of data: Providing intelligence or evidence in relation to incidents which have occurred on the "public side of the counter" e.g. robbery in the branch
Law Enforcement Agencies making request: Police / HMRC / NCA / Bank Fraud Department / SFO / Immigration
Responsibility for responding to request: Security Team
Type of data sought / provided:
  1) CCTV;
  2) confirmation of a bank card number used in a particular transaction;
  3) details of a payment made or transaction undertaken using a particular bank card;
  4) requests for information about whether an individual's bank card has been used in the PO network;
  5) Branch alarm data;
  6) Safe data (opening/closing times).
Underlying system:
  1) CCTV system.
  2) Horizon.
  3) Credence.
  4) HoRice.
  5) TEQSA.
  6) Grapevine.
Is the data held by POL or a third party:
  1) CCTV data is held by POL and agents.
  2) Horizon data is held by POL.
  3) Credence data is held by POL.
  4) HoRice data is held by POL.
  5) TESQA data is held by POL.
  6) Grapevine and ARQ data is POL data but it is held externally. ARQ data is held by Fujitsu.

Type of request/provision of data: Providing intelligence or evidence in relation to incidents occurring on the "post office side of the counter" e.g. where a PO staff member is accused of theft from the branch.
Law Enforcement Agencies making request: Police / NCA / HMRC
Responsibility for responding to request: Security Team
Type of data sought / provided:
  1) Branch trading statements;
  2) cash declarations;
  3) ARQ data;
  4) HR records;
  5) Calls made to Post Office helplines (e.g. NBSC helpline).
Underlying system:
  1) Horizon.
  2) Horizon.
  3) Horizon.
  4) HR records.
  5) Puzzle Server.
Is the data held by POL or a third party:
  1-3) Horizon data is held by POL.
  4) HR records are held by POL.
  5) Helpline recordings are held by POL on the puzzle server.

Type of request/provision of data: Information requested via a DPA request
Law Enforcement Agencies making request: HMRC / NCA / police / banks
Responsibility for responding to request: Financial Crime Team / Security Team
Type of data sought / provided:
  1) Customer and transactional details;
  2) Names of branches processing unusually large amounts of cash;
  3) The identity of a card used in a particular transaction and details of other branches in which that card was used; details of banking deposits made through Link;
  4) CCTV.
Underlying system:
  1) Horizon and Credence (including AML Credence).
  2) Credence and Branch Finder.
  3) TESQA.
  4) CCTV system.
Is the data held by POL or a third party:
  1) Horizon data & Credence data is held by POL.
  2) Credence and Branch Finder data is held by POL.
  3) TESQA data is held by POL.
  4) CCTV data is held by POL and Agents.

Type of request/provision of data: Ofcom information requests under s135, s136 or s137 of the Comms Act 2003.
Law Enforcement Agencies making request: Ofcom
Responsibility for responding to request: Compliance
Type of data sought / provided: Various types
  1) Revenues and volumes of traffic customer numbers traffic usage;
  2) Documents and correspondence such as emails and letters with any party.
Underlying system: Various sources
  1) Most volume and network data is provided by Fujitsu and is extracted on a bespoke basis by them.
  2) Emails are held in the email system Mimecast.
  3) Documents held on Sharepoint and employee laptops.
Is the data held by POL or a third party: Various holders
  1) Fujitsu are external supplier and hold information on behalf of POL.
  2) Mimecast is external.
  3) Sharepoint and Laptops are POL owned.