POL00448353
POL00448353
DRAFT
GROUP POLICIES
Group Investigations & Co-operation with
Law Enforcement Policy
— Draft for Comment
Version — 2.2
Chief Executive's Endorsement
The Post Office Group is committed to doing things correctly. Our Values and
Behaviours represent the conduct we expect. This Policy supports these to help us
ensure the highest standards of integrity, proper behaviour, crime prevention,
detection and management are maintained.
Page 1 of 17
POL00448353
POL00448353
DRAFT
1.0 Overview
1.1 Introduction by the Policy Sponsor
The Group General Counsel has overall accountability to the Board of Directors for the design and
implementation of controls in relation to internal investigations and the reporting and sharing of information
with Law Enforcement Agencies (LEAs). Post Office Ltd.'s (POL) Board of Directors have overall responsibility for
ensuring that Post Office has a framework to ensure compliance with legal, regulatory, and contractual
requirements.
1.2 Purpose
This Policy has been established to formalise POL’s approach to 1) the conduct of internal investigations
throughout the Group; 2) reporting suspected criminal incidents to LEAs and proactively providing them with
evidence, and 3) responding to requests for information and evidence from LEAs.
The Director of Assurance & Complex Investigations (DA&CI) is accountable for the conduct of internal
investigative activity. This Policy lays out POL’s commitment to evidenced-based investigation, the limiting to
specific teams the responsibility of conducting particular investigative activity, the governance of investigations,
and mandatory elements which are required to be followed by those conducting investigations in order to
produce fair outcomes. It also stipulates POL’s approach to reporting matters to LEAs and the proactive and
reactive sharing of information with them. Compliance with this Policy supports the Group in meeting its
business objectives, including the proper management of risk and public money, and its commitment to act
professionally, proportionately, fairly and with integrity.
The separate /nvestigator's Manual provides support to this Policy and lays out the key guidance on how
investigations should be conducted, including some mandatory steps, and how data should be treated and
shared with LEAs.
1.3 Core Principles
POL takes its responsibilities for complying with law and regulations seriously and accordingly has a low-risk
appetite set at Averse. It expects Staff and Postmasters (and their staff) to adhere to Policies and procedures,
operate with honesty and integrity within the law, and to not bring POL into disrepute.
When faced with concerns or allegations of impropriety of any kind, including illegality, breach and failure of
policies, controls or regulation, or wrongdoing regardless of the source, it is essential for POL to take, and be
able to demonstrate, prompt and appropriate action to determine:
Whether the concerns or allegations have any factual basis
The scope and cause of any impropriety
The impact of the issue at hand
Whether, and to whom, to report issues to, particularly where reporting is a regulatory requirement,
or where the issues are material or reveal systemic shortcomings in practice or culture
© Possible subsequent corrective actions by POL
eo eee
Page 2 of 17
POL00448353
POL00448353
DRAFT
POL does not conduct private prosecutions’. Any reference in this Policy to criminal proceedings is to those
brought by LEAs and public prosecutors.
POL, through this Policy and is committed to undertake ethically executed, evidence-led, transparent
investigations which can withstand internal and external scrutiny by applying best practice from peer
organisations, industry best practice, applicable laws, and guidance produced by government agencies.
Part of this commitment is that experienced and trained professional investigators conduct investigations into
matters presenting the most risk to POL (such as suspected criminality or serious policy or process failings) and
for investigative standards to be set and assured by Assurance & Complex Investigation (A&CI). A&CI will support
other investigative activities within POL by providing coaching and conducting quality assurance on lower-risk
investigative activities conducted by business-based teams. POL recognises that it is not practical for the DA&CI
and their team of specialist and ring-fenced investigators to conduct all investigative activities and that within
appropriate parameters, and with suitable support, the business can conduct quality investigations that meet
the requirements of this Policy for lower risk investigations.
POL is committed, as a matter of policy, to provide information to LEAs to assist in the prevention, detection,
investigation and potential prosecution of crime. This includes:
© voluntarily for intelligence purposes
* voluntarily for use as evidence as part of, or following, a crime reporting process instigated by
A&CI on behalf of POL
© as required by a Mandatory Order
© as requested (including where Postmasters have reported matters to the police in their own
right), where POL is satisfied that sharing information satisfies the requirements of Data
Protection law
1.4 Glossary
“Employee” and “Staff” means an individual who has entered into or works under (or, where the employment
has ceased, worked under) a contract of employment or any other relevant contract, as defined in sections
230(2) and (3) of the Employment Rights Act 1996, with POL or the Group or is defined as a “worker” under
section 43K Employment Rights Act 1996. This includes staff within Directly Managed Branches.
“Postmaster”, “Agents” and “Postmaster Staff” means individuals who operate, manage and/or work in post
offices other than Directly Managed Branches.
“Post Office” and “Group” and “POL” mean Post Office Limited and any wholly owned subsidiary that formally
adopts this Policy.
“Business-based Investigation Team” refers to teams or departments in POL who conduct investigative activity
as part of their role e.g., Network Monitoring and Network Resolution, but who otherwise would not describe
themselves as ring-fenced investigators
“Assurance & Complex Investigations” (A&Cl) refers to the separate unit reporting to the Group Legal Director
consisting of professional full-time investigators and their supporting colleagues who oversee and conduct
investigations which form the highest risk to POL or are the most complex investigations. They also provide
advice to other teams and staff conducting investigative activities and conduct quality assurance reviews of
1 Post Office’s shareholder must be consulted and approval obtained from the Post Office Board if any
deviation from this is contemplated.
Page 3 of 17
POL00448353
POL00448353
DRAFT
these activities. A&CI also conducts all criminal investigations within POL. A&CI sets investigative standards for
POL.
“Investigation” is defined at Post Office for the purposes of this Policy as:
The structured, transparent, objective, fair, and evidence-based collection and assessment of
information with the intent to understand a chain of events or causation of a chain of events, that has
or could affect Postmasters, Postmasters’ staff, customers, POL colleagues, POL’s business partners, or
members of the public.
“Law Enforcement Agencies” (LEAs) refers to competent authorities and includes all Home Office and non-Home
Office police forces, regulatory bodies, government departments, arms-length bodies or any other entity which
is enabled or required by statute or other lawful means to investigate criminal offences and/or to prosecute
suspected criminal offences via the criminal justice system in the UK or overseas. The Financial Conduct
Authority, His Majesty’s Revenue & Customs, Trading Standards, and the National Crime Agency are other
examples of a competent authority falling within this definition. Entities that can bring private prosecutions may
fall within this definition (such as The Pensions Regulator) if they are competent authorities unless they are a
Public Limited Company such as Royal Mail Group which falls outside this Policy.
“Speak Up” refers to the act and process of a person (the “Reporter” making a disclosure that the Reporter
reasonably believes is (a) in the public interest, and (b) regarding past, present or likely future wrongdoing that
falls into one or more of the following categories:
criminal offences (this may include types of financial impropriety such as fraud)
failure to comply with an obligation set out in law (including regulatory breaches)
© miscarriages of justice
endangering of someone’s health and safety
@ damage to the environment
* covering up wrongdoing in the above categories
© abreach of the Post Office’s policies and procedures
¢ behaviour that harms or is likely to harm the reputation or financial well-being of the Post Office
2.0 Application
This Policy applies to all situations and teams within POL when engagement with LEAs is contemplated or
entered into which involves the passing of material in POL’s possession as evidence to those agencies.
This Policy applies to any fact-finding into staff conduct or evaluation of a process that does not fall within any
other policy, guidance or law (such as Suspicious Activity Reporting or the work of Internal Audit) but does fall
within the definition of an investigation.
This Policy does not apply to the conduct investigation activities of the People team which is governed by existing
People Policies. These contain specific procedures that have been agreed with our trade unions. In such cases,
those responsible for conducting investigations under the local policy and/or specific trade union-agreed
procedures, whilst always having regard to the overarching principals of this Policy, must follow any prescriptive
procedural requirements.
Where issues arising from Speak Up reports are investigated, the Policy governing the allocated investigation
team’s activities will apply. For example, when an issue that is reported via Speak Up is passed, due to its nature,
Page 4 of 17
POL00448353
POL00448353
DRAFT
to the Employee Relations team for investigation, the People team’s policies will apply. Where the investigation
of concerns raised via Speak Up are investigated by A&C! staff, this Policy will be applicable. This Policy does not
remove or alter confidentiality undertakings relating to Speak Up reporters which will remain the function of
the Speak Up team to manage.
3.0 Roles & Responsibilities
Key individuals and their specific responsibilities in relation to this Policy are:
© The Post Office Board has overall responsibility for ensuring that POL has a framework to ensure
compliance with legal, regulatory, and contractual requirements. The Board is kept abreast of relevant
matters relating to the management of investigations by reports from its committees including its Audit
and Risk Committee (ARC).
* The Group General Counsel for POL is the Policy Sponsor, accountable to the Post Office Board.
¢ The Non-Executive Director Investigations Champion is the responsible non-executive Board member
for the engagement with and oversight of the A&C! within POL.
e The Director A&CI is the Policy Owner responsible for the day-to-day implementation of and
compliance with this Policy, for maintaining a dashboard of appropriate Management Information (MI)
and for reporting that MI on a ‘need to know’ basis, including to Audit & Risk Committee on a quarterly
basis.
* The Group Policy Owner will receive monthly Ml on the investigative activities of A&C.
* The Director of Assurance & Complex Investigations (DA&CI) is responsible for setting the standards
for the conduct of investigations within POL and the minimum requirements laid out in this Policy. They
are also responsible for reviewing this Policy annually to ensure it reflects current best practice and
incorporates key learnings from the various assurance work across POL.
* The Triage Team collates details relating to matters for potential investigation across POL; it assesses
the appropriateness of who conducts the investigations; allocates or re-allocates investigations to
business-based teams, and refers potential cases to A&CI for investigation or LEA liaison based on
agreed thresholds, criteria, capability and risk profiles. This team also disseminates intelligence and
makes reports of suspected crimes to LEAs.
The Investigator is responsible for carrying out investigative activity and for any other tasks such as
reporting and liaising with stakeholders on a ‘need to know’ basis as set out in this Policy.
* The Assurance & Complex Investigations team, as part of its standard-setting, coaching, and mentoring
role, will conduct at least every two months dip-sampling of key teams’ investigative activity across POL
and provide regular reports to senior leaders. The list of key teams will include but not be limited to
those that resolve shortfall issues with Postmasters.
Page 5 of 17
POL00448353
POL00448353
DRAFT
4.0 Identifying a potential investigation falling under this
Policy
What should be reported and considered for investigation?
POL is a large and diverse business. Issues and concerns may arise anywhere and in many ways. Some key
examples of how concerns might arise are:
Reports by Staff or Postmasters: Individuals may report concerns directly to their line managers, key
contacts, Area Managers, or through POL’s Speak Up channels.
Through our day-to-day work: Concerns will become apparent in the ordinary course of work, either
directly by Staff, Postmasters, their staff, or from strategic partners.
© From external agencies: Reports of concerns can come from external sources, such as the police, the
National Crime Agency, Regulators, or though formal reports such as Suspicious Activity Reports.
¢ Courts, Tribunals or Inquiries: Evidence provided to, or findings made, in judicial or quasi-judicial
processes could reveal concerns about the way that POL does business.
It is impossible to be entirely prescriptive as to what matters may require an investigation falling under this
Policy. However, if staff encounter a situation which falls into the non-exhaustive list of broad categories below,
then they should inform their managers, make a Speak Up report, and/or refer the matter to the Triage Team
for discussion. POL encourages reporting of issues where Staff have concerns as doing the right thing, even if
those concerns turn out to be unfounded.
Categories of matters for potential investigation:
Suspected breach or failure of the POL’s codes of behaviour
Suspected breach of POL’s policies and procedures
© Suspected failure to comply with an obligation set out in law (including regulatory breaches)
Suspected criminal offences (this may include types of financial impropriety such as fraud)
© Suspected miscarriages of justice
Suspected endangering of someone’s health and safety
Suspected covering up of wrongdoing
4.1 Grounds for considering a matter for internal investigation
Not every concern, suspicion or issue that is reported, identified or otherwise arises will require formal
investigation under this Policy. In some cases, a formal investigation may be disproportionate to the matter
arising. Dependent on the nature of the concern, suspicion or issue, it might be appropriate to manage it
informally. Where the decision is taken by any accountable manager e.g. DA&CI, A&C! Triage Manager, Network
Monitoring managers, or Network Resolution managers, to not undertake a full formal investigation, this fact
and the reasons for the decision will, as a matter of policy, be recorded by the decision maker in the relevant
record.
Specific facts or circumstances, however, make conducting an internal investigation a mandatory requirement.
They are:
Speak Up concerns (as set out in the definition of “Speak Up” in this Policy) - the Speak Up Policy states
that all Speak Up disclosures will be appropriately investigated.
© Anexpress requirement under a third-party contract to investigate certain suspicions, allegations or
circumstances, such as concerns about modern slavery in a supply chain.
Page 6 of 17
POL00448353
POL00448353
DRAFT
Further information regarding how cases are selected, and the processes involved, is detailed in the
Investigator’s Manual. However, where there is doubt as to whether a matter should be referred for
investigation, the potential referrer should discuss the situation with their line managers if appropriate. If in any
doubt, the matter should be escalated for consideration by the Triage Team.
4.2 Triage
All POL staff who receive information that could result in an internal investigation which falls within the
definition of an investigation should inform the A&CI Triage Team by submitting information to
Where a business team has a triage function in their own process, this should be used
unless the matter is being referred to A&CI for consideration.
The Triage Team will assess the information provided and, where appropriate, discuss it with the
reporter/referrer. The Triage Team will decide whether the reporter, or a business-based team is best placed to
pursue the investigative activity or whether the matter should be referred to either the Speak Up Team or A&CI.
Further information relating to the function and procedures of the A&CI Triage Team can be found in the
Investigator’s Manual.
4.3 Role of the Commissioning Manager
For accountability, consistency and oversight purposes, POL operates a Commissioning Manager model for the
initiation and management of investigations.
The Commissioning Manager will be one of:
¢ The Group General Counsel or
The Group Legal Director or
e =DA&CI or
@ The Speak Up team manager or
© Business-based leaders or their delegates of functions that conduct investigative activity as part of their
business-as-usual function
The Non-Executive Director Investigation Champion
© The Non-Executive Director Speak Up Champion (for matters relating to potential detriment to a Speak
Up Reporter)
It is policy that:
@ The Commissioning Manager should never be connected evidentially to the matter being investigated.
If a Commissioning Manager finds that they are conflicted they must declare and record the conflict in
the appropriate case or Triage decision record and refer the matter to the Group Policy Owner, or
where the Group Policy Owner is themself conflicted, to the Investigation Champion and a new
Commissioning Manager should be assigned.
The Commissioning Manager shall have overall responsibility for the investigation. Further information relating
to the role of the Commissioning Manager can be found in the Investigator's Manual.
4.4 Appointing an Investigator and other staff
This Policy requires that the investigator must not be evidentially connected with the matter being investigated.
Where individual employees are named or identified in the issue being raised, the investigator must not be one
Page 7 of 17
POL00448353
POL00448353
DRAFT
of the named individual's subordinates unless additional reporting and oversight measures are put in place i.e.
the investigator reports to the Investigation Champion for that particular case.
This Policy requires that an investigator must ensure that internal conflicts within the business are mapped out
and recorded from the outset and properly managed following a risk analysis, particularly if it is not possible to
ensure the complete independence of the parties involved in the investigation. For instance, passing information
outside of the investigation team to a subject matter expert for advice should only happen on a ‘need to know’
basis and should be recorded together with the rationale for this widening of the circle of knowledge.
The independence of the investigation team is key in all investigations. It may be preferable in some
circumstances to appoint an investigator from a different area of the business or from A&CI or from an external
service provider.
5.0 Mandatory investigative actions and approaches
All investigative activity must be transparent, objective, and fair. It is policy that staff conducting investigative
activity must record, retain, and be prepared to reveal any material relating to the investigative activity or
generated during its course. This does not only apply to criminal investigations — it is an issue of professionalism,
transparency, and fairness to all parties involved and so disclosure may be required to a Postmaster as part of a
contract discussion or to an internal or external team conducting assurance or auditing functions.
Staff conducting investigative activity must ensure that any requirements identified by the Commissioning
Manager or their delegates are adhered to. These may include confidentiality, data protection and privacy
principles, Speak Up safeguards, and any timeframes.
Staff should call on advice and support from the business, People, Group Legal or Compliance Teams as
necessary and restrict information shared to a ‘need to know’ basis. The Investigator’s Manual provides detailed
information, guidance, and templates for Investigators.
It will be for those carrying out the investigative activity, in discussion with the Commissioning Manager or their
delegates and having regard to the requirements of any law, regulation or other applicable Policies, to determine
the steps needed to investigate any issues. However, there are some mandatory elements in the conduct of an
investigation that this Policy requires to be applied in all investigative activities.
5.1 Record keeping and evidence
Further guidance and information relating to the individual elements of this section can be found in the
Investigator’s Manual.
Record keeping — data retention
It is policy that:
Material collated and generated during an investigation will be retained in line with POL’s Document Retention
and Disposal Policy. Attention must be given to the nature of the investigation and to the nature of the material
generated and so the Criminal Procedures and Investigations Act 1996 and the Civil Procedure Rules must be
applied.
Record keeping — investigative strategy
Page 8 of 17
POL00448353
POL00448353
DRAFT
All investigative activity must be properly and securely documented to aid decision making, review, assurance,
and oversight within POL. This also assists in transparent examination of investigations by internal and external
parties when necessary and is a point of fairness for those connected to the investigative activity.
It is policy to:
Have a recorded aim or purpose, a strategy, objectives, an explanatory background, and for complex cases be
linked to sub-strategies including communications, intelligence, legal, data review, interviews, witness,
respondent, and disclosure.
Record keeping — decisions and actions
The conduct of investigative activity requires the formulation of reasonable lines of enquiry and the making of
many small and large decisions as to the direction the case takes.
It is policy that:
The Commissioning Manager or their delegates, and/or the person leading or conducting the investigative
activity will record on the case file all decisions made to do or not do something related to the case together
with a full rationale. This must include, but is not limited to, the factors considered when reaching the decision,
what alternatives there were and why they were not taken, the necessity to do or not do something, and the
proportionality of the steps taken.
It is policy to:
Record on the case file all actions taken during the investigation, detailing the date the action started and
finished, what was done, by whom, and what the outcome was. Actions must also be linked to recorded
decisions.
Evidence - Identify and preserve
One of the initial stages of an investigation is to focus on evidence preservation and collection. This is not limited
to documents such as policies and procedural directions and could also include emails, CCTV, SMS, building entry
logs etc.
Itis policy that:
Relevant or potentially relevant material that may support or undermine the working case theory throughout
the investigation must be identified so that it may be preserved and retained. Consider the scope of the
investigation in order to determine what evidence needs to be identified, preserved, and retained.
Evidence - Review all potentially relevant material
It is policy that:
All potentially relevant material identified in following reasonable lines of enquiry must be collected, reviewed
and assessed, especially if it may be counter to the working case theory — this is a matter of fairness,
professionalism, and best practice as well as, in some circumstances, law. An investigation is an objective seeking
of fact, whatever the outcome may be, and will not be steered towards a preferred outcome.
5.2 Interviews
Page 9 of 17
POL00448353
POL00448353
DRAFT
Further guidance and information relating to the individual elements of this section can be found in the
Investigator’s Manual.
An interview is a deliberate conversation to elicit information to inform one’s understanding of what has
happened, the root cause of an event, or to understand the impact of an event. These conversations occur in
the business frequently. Where the interview is connected to a possible outcome for a Postmaster, their staff, a
member of POL's staff, or a process failing or breach, the following must be adhered to:
Interviews — Fact-find or conduct cases
Itis policy that:
When interviewing witnesses relating to fact finding and conduct investigations falling within this Policy, a
written record of the interview will be made as near contemporaneously as possible. Consideration should be
given to audio recording the interview if all parties agree and where this is not contrary to any applicable People
Policies. A copy of the contemporaneous note must be agreed with the interviewee as soon after the interview
as possible. It will be for the Investigator working together with the Commissioning Manager, and drawing on
any necessary advice, to establish whether any special steps are required and to apply them e.g. ensuring easy
access for people with mobility issues or to facilitate the attendance of a representative of a union or the
National Federation of Sub Postmasters.
Itis policy that:
No-notice interviews, where this is justified and is necessary, may be conducted. Investigators should refer to
guidance in the Investigator’s Manual. However, it is default policy to formally invite the witness to investigative
meetings/interviews on reasonable notice. Investigators must apply any relevant People Policies when
considering whether witnesses should be permitted to be accompanied to any interview by a companion,
normally being a fellow Employee or trade union representative.
The Investigator must apply the requirements of the Conduct Code Policy if it is clear to the Investigator that a
possible outcome of the investigation might be to recommend a formal disciplinary procedure in respect of the
interviewee or other Employee.
Interviews — Criminal Investigations
This Policy prohibits POL staff from taking part as an interviewer in interviews after caution either conducted
solely by POL staff or in conjunction with LEAs where POL is the believed victim of the suspected crime under
investigation. Where a LEA requests POL’s support in an interview after caution for an offence which is not one
where POL is the suspected victim, this may be conducted by suitably trained and experienced A&CI staff with
prior permission from DA&CI. An example of this is where a LEA is investigating a money laundering offence (the
public is the victim of these offence-types) and that the LEA considers the technical expertise of an A&CI
investigator would be useful as a second interviewer. If the interviewee is a Postmaster or one of their staff then
the Group Legal Director must agree to A&CI participation in the interview prior to it taking place.
5.3 Investigation reports
In all cases it will be policy that at the conclusion of an investigation the investigator to produce a written account
of the investigation, what actions were taken where useful, findings, any legal advice, evidence gaps or
weaknesses in evidence, and any recommendations. This will take the format of either an Investigation Summary
or an Investigation Report in A&CI. Business-based teams have their own reporting formats.
Page 10 of 17
POL00448353
POL00448353
DRAFT
The Investigator’s Manual contains guidance and templates for completing an Investigation Summary and
Investigation Report.
6.0 POL’s Criminal Investigations
POL no longer prosecutes suspected criminal acts carried out against POL. However, in order to safeguard public
funds and in the interest of justice, POL will seek to identify and understand suspected harm caused by possible
criminal acts and report them appropriately to LEAs for them to consider further investigation and potential
prosecutions. To ensure that the reports made to LEAs are proportionate and considered, POL will carry out
investigative activity to assure itself that it has reasonable grounds to suspect? that a criminal act may have
occurred, and that harm to POL may have resulted. This activity is known in shorthand as a “POL criminal
investigation" but this is not an end-to-end investigation. It is for LEAs to conduct these following POL’s report
of a suspected offence. A full investigation and “proof” need not be achieved before reporting a matter.
For the purposes of this Policy, a POL criminal investigation is one:
* Whichis led by suitably trained, experienced, and authorised A&CI staff;
Which identifies, collects, and assesses potential evidence to a standard, and in an appropriate format,
which may be submitted to LEAs or prosecutors in the three UK jurisdictions should it be required;
Which forms an evidence-based and objective view as to whether:
© Acriminal offence may have occurred as a consequence of POL’s business activities,
© Howit was potentially carried out; and
o Who may have been involved
Which establishes as far as possible the monetary or other harm caused by the events under
investigation; and
Whether it is therefore reasonable to report the matter to the relevant LEA.
Adopting a criminal case
POL will consider conducting investigations to a criminal standard of proof when there are allegations or reports
made to the A&CI Triage Team which indicate that the victim of that suspected offending is POL, our subsidiaries,
Postmasters, or suppliers.
It is policy that:
Only A&C! staff will lead criminal investigations within POL. Staff in other parts of POL may assist or conduct
investigative activity with the agreement and oversight of A&CI e.g. this will be necessary for the analysis of
transaction data (not in an evidential format at this stage) to be completed before referral to A&C! Triage.
Where the Triage Team, consulting with Group Legal and/or DA&CI where appropriate, decide that a criminal
investigation by POL is not appropriate, the Triage Team may arrange for the matter to be reported to local
police or other competent authorities based on the suspected nature of the incident without any assistance
provided by A&CI investigators at that point. This decision may factor in elements such as value of loss, the
availability of A&C! resource, or prioritisation of other investigative demands.
It is policy that:
Any criminal investigation must be authorised by DA&CI, their deputy, or the Group Legal Director.
Itis policy that:
2 Reasonable grounds to suspect means more than a general suspicion but not amounting to certainty that an
act has occurred. It is a lesser threshold than reasonable grounds to believe. The general public and corporate
entities are not required to have reasonable grounds to believe before reporting a potential crime to the
police. In Hussein v Chong Fook Kam [1970] AC 942, Lord Devlin stated that “Suspicion in its normal meaning is
a state of conjecture or surmise where proof is lacking...Suspicion arises at or near the starting point of an
investigation of which obtaining prima facie proof is the end.”
Page 11 of 17
POL00448353
POL00448353
DRAFT
POL does not conduct private criminal prosecutions.
Investigators will assist LEAs as necessary once the report has been made or once an evidence bundle has been
passed over. A report to LEAs will be made and evidence passed to them in line with this Policy.
7.0 Engaging external legal advisors
Investigators should seek advice from the relevant specialist lawyer in Group Legal if they consider it necessary
to seek external legal advice. If external legal advisors are instructed, consideration should be given as to how
to retain privilege in certain documents when communicating with external advisors.
It is policy that:
Only qualified lawyers from Group Legal can engage external counsel to support investigations. Investigators
must contact the relevant specialist lawyer in Group Legal to discuss external counsel requirements.
8.0 Notifying Law Enforcement
This Policy sets out below POL’s approach in engaging with law enforcement and replaces the former
Cooperation with Law Enforcement Policy and the associated Legal Play Book.
Advice should be sought from Group Legal for possible notifications to insurers and regulators.
8.1 What should be reported to police?
Itis policy to report any suspicion of significant criminal activity impacting our operations to the appropriate LEA
where the POL considers itself to be the victim. This will typically relate to where POL property is believed to
have been misappropriated and includes any cash or goods belonging to POL. This includes situations when at
the time of the loss, the property is in the custody of a third party such as in a strategic partner-operated post
office or with a main network Postmaster.
“Significant” is hard to define as it is often determined by the situation at hand. Discretion and common sense
should be applied.
It is policy that:
All decisions to report or not to report matters to LEAs falling under this Policy will be recorded and a rationale
given.
Itis policy that:
The DA&CI (or their nominated deputy) or the Group Legal Director (or their nominated deputy) will determine
whether a matter is consequential and which LEA is the appropriate recipient of any report. This decision and
rationale will be recorded by the Triage team.
Where a Postmaster who operates a franchise post office considers that they are the victims of a criminal offence
(as distinct from where POL itself is the victim) as part of their operating a post office, the Postmaster may
choose to report the matter to police themselves e.g., an assault on a member of staff or theft from their retail
(non-Post Office) business. This is not a matter for POL to decide what should or should not be reported to LEAs.
Itis policy that all reports to LEAs of suspected criminal offences where POL considers itself to be the victim shall
be made by staff within A&CI. The only exception to this is where a Cash and Valuables In Transit (CViT) vehicle
is subject to an offence of, or similar to, a robbery or where a post office is burgled or robbed where time is
Page 12 of 17
POL00448353
POL00448353
DRAFT
critical in reporting the matter to police for an immediate response. In this type of event, POL or Postmaster
staff should report the matter to LEAs in accordance with the procedures set by POL’s Security team.
Where a Postmaster has reasonable suspicion that POL has been the victim of a crime i.e. they suspect that, for
example, one of their own staff or another party has misappropriated POL assets, then this Policy requires that
this matter should be reported by the Postmaster or their nominated member of staff via the normal dispute
process. It is not the Postmaster’s responsibility to report this sort of event to LEAs with the exception of a
burglary or robbery. After initial investigation within the dispute process, if the Network Support and Resolution
teams’ view is that the Postmaster’s suspicions are considered reasonable given the available or reasonably
discoverable evidence, then this matter should be referred to A&CI’s Triage team by the Network Support and
Resolution teams using the appropriate templates (found in the /nvestigator’s Manual) for consideration of
further investigation and potentially making a police report. This decision to further investigate is made by the
DA&CI (or their nominated deputy). The decision must be recorded by Triage. It may then be allocated to A&C!
for investigation.
Where there are statutory obligations to report specified matters to the appropriate LEA, e.g., submitting a
Suspicious Activity Report, these requirements are unaffected by this Policy and are governed by policy within
the relevant teams e.g. within the Financial Crime team.
8.4 Passing material to Law Enforcement
Reactive response to requests
LEAs will from time-to-time request information from POL that is related to matters that POL did not report to
LEAs but where POL has material which could assist LEAs. These may be requested via:
the provision of a “Data Protection Form” which allows POL to consider the provided justification by
the submitting LEAs as to why POL should set aside the normal duties under the Data Protection Act
and supply some or all of the requested information
© the serving of a Court-issued Production Order or other statutory tool
It is policy that all requests received by POL staff from LEAs other than the Data Protection or Financial Crime
teams will be passed to the A&CI’s Triage Team.
A Data Protection Act exemption form if properly completed is the preferred method but not the only permitted
format of a request. Any intended responses by POL must be approved by the Data Protection Team.
The POL Security team will likely receive requests for information, for evidence, and for witness statements.
These requests must not be acted upon by the Security team and must be passed to A&CI Triage who will assess
them and allocate to A&C! for action if appropriate. A&CI will engage with the requesting police team.
Legal advice from the in-house criminal counsel and the Data Protection Team is available to the Triage team at
their request.
The policies and procedures of the Financial Crime team govern how they respond to requests from LEAs or
proactively pass material and are outside of this Policy only in respect of passing of material for use as
intelligence. Where the Financial Crime team is asked to provide evidence (which will require a witness
statement) or wishes to do so proactively, it is mandatory that the Financial Crime team applies this Policy and
seeks assistance from A&Cl.
Page 13 of 17
POL00448353
POL00448353
DRAFT
The policies and procedures of the Data Protection team govern how they respond to requests from Law
Enforcement agencies and are outside of this Policy.
Where a mandatory order requiring provision of material is received, e.g., a Production Order authorised by a
court or a statute-enabled information notice such as a Serious Fraud Office Section 2 Notice or The Pension
Regulator’s Section 72 Pension Act 2004 notice, notice must be given the same working day to the in-house
criminal counsel, DA&CI, and Group Legal Director. It is policy that these mandatory notices will be fully complied
with in principle by POL as a government-funded body and full consideration given to the status of privileged
material.
Proactive supply of material
POL may wish to proactively pass information to LEAs in the following circumstances:
© as part of making a crime report, or
¢ in support of a subsequent LEA investigation or prosecution, or
anticipating that LEAs would have an interest as part of their role in the prevention and detection of
crime or in the interests of justice
In situations where POL wishes to proactively disclose material (both in evidential and non-evidential formats),
then this requires the approval of both the DARI and the in-house criminal counsel. The rationale for doing so,
or not doing so, must be recorded in the relevant file.
The Financial Crime team’s obligations relating to the proactive disclosure of material are outside of this Policy.
Witness statements
Where material provided by POL staff is in the form of witness statements, it is mandatory and policy that these
statements are reviewed by in-house criminal counsel or an engaged external criminal counsel prior to a final
signed version being passed to LEAs.
Wherever possible, A&CI staff will provide the witness statement but there are situations where the evidence
required by LEAs can only be produced by non-A&CI staff due to the nature of the witness’ evidence. A&C! will
assist other staff in this process whenever possible.
The A&CI Triage Team will include a summary report of proactive and reactive engagement with LEAs in the
regular management information report provided to senior staff by A&CI.
9.0 Categories of data, material, and evidence
Proactively and reactively supplied information will have differing profiles due to historic technology issues. The
version of Horizon that was considered at fault in the Horizon IT Scandal was replaced in October 2019. In 2020,
known errors and bugs identified in the Horizon Issues Judgement formed part of a review by KPMG of the
system and found to not to be prevalent in the system. From 2021, a new and collaborative approach was taken
to resolving reported Horizon issues in a dispute resolution process. Due to the effect of these developments,
the following approach to data sharing with LEAs is:
Page 14 of 17
POL00448353
POL00448353
DRAFT
Itis policy that:
Any information originating from Horizon after 1% January 2022 may be passed as either intelligence or evidence
to LEAs only after DA&CI (or their nominated deputy) and an in-house criminal lawyer both give approval. A
record of both DA&CI’s (or their nominated deputy’s) and the in-house criminal lawyer’s rationale and decision
must be recorded on the relevant case management file.
Where information is requested by LEAs that is Horizon data originating from pre-1* January 2022, the same
process must be followed. In addition, the wording included in the relevant section of the Investigator’s Manual
covering the passing of information to LEAs must be included in any witness statement for evidence or in an
accompanying email or letter to the LEA requesting the information in a non-evidential format.
Where information is intended to be passed to LEAs which is not Horizon data, the same process of DA&CI (or
designated deputy) and in-house criminal legal counsel must be followed, irrespective of the date the
information was created.
Best-evidence originating from Horizon sits with Fujitsu and so LEAs should be encouraged to request this
material direct from Fujitsu.
10.0 Policy Governance
10.1 Governance Responsibilities
The Policy Sponsor responsible for overseeing this Policy is the Group General Counsel of Post Office Ltd.
The Policy Owner is the DA&CI who is responsible for conducting an annual review of this Policy and for testing
compliance across the Group. The DA&CI is also responsible for providing appropriate and timely reporting to
the Audit and Risk Committee. The Audit and Risk Committee are responsible for approving the Policy and
overseeing compliance.
11.0 Investigation Governance
11.1 Fact-finding and Accountability Investigative Activity
Where these types of investigative activity are conducted across the business, other than by A&CI, local
procedures and policies will govern what governance measures are put in place. Where this activity is an integral
part of a team’s function, e.g. Dispute Resolution, then the Investigator’s Manual will include these measures in
the relevant section. These local policies and procedures must be regularly reviewed and updated.
A&CI will conduct assurance work in these teams and may make recommendations to the particular business
area's leadership and to Group Assurance for adjustments as necessary.
A&CI’s investigative activity in the investigative fact-finding and accountability areas will comply with the
relevant requirements laid out in the Investigator’s Manual. Group Assurance will also include the review of
A&CI's investigative practices at least twice a year. Internal Audit will also consider A&CI in their annual audit
plans.
By exception, particularly sensitive or business-impacting investigations conducted by A&CI or by external
specialists may be subject to an increased level of operational governance. The Strategic Executive Group (SEG),
either at their own initiative or upon consideration of a request by the General Counsel, the Group Legal
Director, or DA&CI, may stand up an Investigation Oversight Group (IOG). An OG is Chaired by a member of SEG
or a delegated Director from across POL who is supported by a number of other senior staff in overseeing the
Page 15 of 17
POL00448353
POL00448353
DRAFT
strategic direction of a particular investigation. The Terms of Reference for OG can be found in the /nvestigator’s
Manual. The IOG may, where considered by SEG as necessary, involve Board members in the most exceptional
circumstances. The IOG Chair will report to SEG and/or Board on the progress of the investigation and highlight
strategic issues as they arise. The OG, working with Group Assurance, will also be responsible for ensuring any
lessons-learned from the investigation are considered and implemented where appropriate.
11.2 A&C investigative activity in support of LEAs
When a suspected criminal event is reported to LEAs in compliance with the Policy, POL is not a decision-maker
in the investigation. This is deliberate and is a lesson learned from the Horizon IT Scandal. Therefore in most
circumstances an IOG will not be required.
12.0 Where to go for help
12.1 Additional Policies
This Policy is one of a set of Policies. The full set of Policies can be found at:
https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
12.2 How to raise a concern
Any Post Office Employee or member of Staff who suspects that there is a breach of this Policy should raise a
concern without any undue delay.
If you feel unable to speak to your line manager, you can bring it to Post Office’s attention independently of
management and you can use the Speak Up channels for this purpose. You can raise your concerns anonymously,
although disclosing as much information as possible helps ensure Post Office can conduct a thorough
investigation.
For more details about how and where to raise your concerns, please refer to the current Whistleblowing Policy
which can be found on The Hub under Post Office Key Policies. 13. Control
13.1 Policy Version
Date Version Updated by Change Details
0.1 Draft Version
22.19.2020 1.2 Laurence O’Neill Version 1.2
07.03.2022 Draft 2 John Bartlett Developmental
29.11.2022 Draft 2.1 John Bartlett Developmental
Page 16 of 17
POL00448353
POL00448353
DRAFT
12.2 Policy Approval
Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee
Committee Date Approved
POL R&CC
POL ARC
POMS ARC
Policy Sponsor: Ben Foat
Policy Owner: John Bartlett
Policy Author: Laurence O'Neill
V2 John Bartlett
V3 John Bartlett
Next review: July 2025
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718 respectively
Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2¥ 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information Commissioners
Office registration number is ZA090588.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information Commissioners Office registration
number is 24866081.
Page 17 of 17