A report into the effectiveness of vetting and counter-corruption arrangements in British Transport Police
About us
His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) independently assesses the effectiveness and efficiency of police forces and fire and rescue services, in the public interest. In preparing our reports, we ask the questions the public would ask, and publish the answers in accessible form. We use our expertise to interpret the evidence and make recommendations for improvement.
1. Introduction
In September 2021, we changed the way we report on how effectively forces manage vetting and counter-corruption.
Previously, we inspected these areas as part of our police effectiveness, efficiency and legitimacy (PEEL) programme and provided our findings in the inspection report.
The new arrangements mean we will inspect each force separately to PEEL, although we will continue to use the same methods and produce a report containing our findings, graded judgments and any areas for improvement or causes of concern. The report will be accessible via a web link from the most recent force report.
British Transport Police is inadequate at vetting, IT monitoring and counter-corruption.
In October 2022, we inspected British Transport Police (BTP) to examine the effectiveness of the force’s vetting, IT monitoring and counter-corruption arrangements. We briefed senior personnel in the force at the end of the inspection. It should be noted that we didn’t gather evidence during our inspection in relation to the wider culture of the workforce. We didn’t assess the overall leadership of the executive team and senior managers in setting expectations and standards across the organisation.
This report sets out our findings. It includes a cause of concern and some areas for improvement identified at the time of the inspection. We are aware that the force has already addressed some of our inspection findings.
2. How effectively does the force vet its officers and staff?
Vetting authorised professional practice
In 2021, the College of Policing published the authorised professional practice (APP) on vetting. The APP explains the role of vetting in assessing the suitability of people to serve in the police service, as a police officer, special constable or member of staff. It sets out the minimum standards that should be applied for each clearance level. It also lists the minimum vetting checks that should be undertaken on the applicant, their family and associates. The APP has a large section providing guidance on assessing threat and risk in relation to vetting decisions.
The vetting APP applies to the police forces maintained for the police areas of England and Wales as defined in section 1 of the Police Act 1996. It is also available for adoption by other police forces or agencies, such as BTP.
In April 2022, BTP successfully applied for accreditation from the International Organization for Standardization for the management of its vetting arrangements. As part of the process of retaining accreditation, the force agreed to work towards a several objectives. One was to establish formal procedures to ensure it carries out vetting in line with APP by August 2022. However, our inspection found several aspects of vetting did not comply with APP, so the force had not achieved this objective.
Force vetting IT system
In April 2021, BTP introduced a new vetting IT system, which it shares with the City of London Police.
The force vetting unit (FVU) transferred the data from its previous IT system to the new system without completing a data-cleansing exercise. This was a conscious decision to ensure the overall integrity and accuracy of the data. The force acknowledges that as a result the data isn’t accurate. At the time of our inspection, the FVU was conducting a data-cleansing exercise. Until the force is confident that records are updated correctly, it won’t see the full benefits of the new system.
The people and culture (P&C) department, which manages human resources, had recently started to provide the FVU with a series of spreadsheet reports each month. This helps the FVU keep track of internal moves, promotions and people leaving the force.
Current vetting of the workforce
BTP’s understanding of the vetting status of its workforce falls short of what we would expect.
The force told us that as of October 2022, it had a total of 5,171 police officers, special constables, police staff and police community support officers. It also had over 14,000 expired clearances on its vetting IT system.
The force believed that some expired clearances related to people who had left. But at the time of our inspection, the FVU hadn’t analysed its data to understand exactly how many fell into this category. New staff in the FVU were working through the expired vetting cases to remove people who no longer worked for the force.
Until the FVU has reviewed and cleared these expired vetting cases, it can’t say with confidence how many members of the workforce have current vetting. This is a systemic failing of the force’s vetting arrangements. This could place the public, particularly any vulnerable people, at unnecessary risk.
We would expect this situation to be recorded on the risk register managed by the professional standards department (PSD) but found no evidence of this. Although the force is taking steps to address the risk, it doesn’t have a formal action plan.
Since our inspection, the force told us it has completed analysing this list. But in February 2023, it still had 334 individuals with expired vetting.
Demand and workload
The Police Uplift Programme only applies to Home Office forces. BTP has noted an increase in the number of officers seeking to transfer to other forces. This increases demand in the FVU as these officers need to be replaced through recruitment.
The force vetting manager (FVM) and head of PSD closely monitor staff workloads and performance targets. The force consistently achieves its targets to complete recruitment vetting applications in 30 working days and management vetting (MV) applications in 35 days. The FVU team has increased in size over recent years and the demand from new applications is manageable. Until the force clears the vetting records of people who have left the organisation, it can’t fully assess its workload. For example, it can’t forecast how many vetting renewals it needs to complete.
Due to the force’s operating context, it doesn’t use the national contractor vetting service hosted by Warwickshire Police to vet its non-police personnel, such as contractors, volunteers and people who work for organisations that share police premises.
The force told us that as of October 2022, it had 484 non-police personnel, who all have current non-police personnel vetting (NPPV). However, many of the large number of expired vetting cases are NPPV. We were not confident that the force was maintaining accurate NPPV records.
We also found that FVU isn’t being notified when contracts end, or individuals leave contracted companies. This means people may still have vetting clearance when it should have been removed. FVU staff are currently working through the list of expired cases to address this.
Designated posts
Some police roles have access to more sensitive information and require a higher level of vetting known as management vetting (MV). The extent to which the role requires working with vulnerable people is also a factor for forces to consider when deciding if a role requires MV. The vetting APP states that forces should keep a record of all MV roles on a designated posts list.
Regrettably, BTP is not managing its MV process effectively.
The FVU has started to compile a list of designated posts. The force told us it contained 1,870 police staff posts. The force hadn’t identified who held the posts or confirmed their current vetting status.
The force hasn’t recorded which police officer posts it has designated as requiring MV. This means the FVU currently has no means of checking whether police officers in sensitive posts have the required level of clearance. The vetting IT system shows a very large number of expired vetting cases, but the force can’t identify how many relate to people who hold a designated post.
Senior managers acknowledge that changes are needed, and work has begun to bring about improvement. For example, the FVU has introduced processes designed to help them manage the designated post list and MV renewals. These changes are encouraging but it is too early to assess how effective they may be.
We examined a selection of MV files. In most cases the FVU had completed all the minimum checks required by the APP. However, we found some examples where the FVU hadn’t asked for line manager endorsement as required. Previous managers had instructed the FVU only to ask for endorsements for certain MV posts. The force hasn’t provided any rationale for its decision.
Transferees
Vetting APP allows forces to accept vetting clearance from another force if it is no more than one year old. But many forces choose to vet officers and staff new to their organisation, even if they are transferring from another force with a current vetting clearance.
BTP has chosen to vet all transferees and those who have left the service and applied to rejoin. The FVU requests a PSD complaint and conduct history, as well as any counter-corruption unit (CCU) intelligence, from all forces in which the individual has previously served.
Change of circumstances
The force has taken steps to improve the workforce’s awareness that they must report any changes of personal circumstances, for example, marital status, name changes or significant changes to personal finances. This includes a force-wide bulletin, PSD newsletter and a question-and-answer session with the chief constable. In addition, the FVM has provided guidance using the force’s internal communication platform. The force reminds officers and staff of their responsibility to inform the FVU of changes in circumstances when it notifies them of their vetting decision or they move role.
Generally, the workforce has a good understanding of when to report changes in circumstances and the FVU receives around 65 notifications per month. The FVU conducts vetting enquiries to identify risks and to decide if the person’s vetting status is affected.
Forces should review a person’s vetting status following any misconduct proceedings resulting in a written warning or final written warning. Senior managers in BTP’s PSD told us they notify the FVU of the outcome of all gross misconduct hearings. Depending on the outcome, the FVU reviews the person’s vetting status. If a person receives a written warning following a misconduct meeting, their vetting status should also be reviewed. We found this was not happening.
Vetting decisions
Vetting officers in the FVU conduct all relevant vetting checks and record the results on the IT system. They add their recommendation for refusal or clearance and a supporting rationale. A supervisor makes the final decision and records their rationale. In straightforward cases, where no adverse information is found, vetting officers can grant clearance. The supervisor reviews a sample of these cases.
The FVU regularly conducts interviews to clarify written responses in vetting applications.
Risk mitigation measures
FVU staff told us they use risk mitigation measures to support vetting decisions. This includes continued reviews of applicants’ management of their finances and follow-up social media checks. The FVU doesn’t apply restrictions on where applicants can be posted due to the nature of the force’s role in policing the rail network across Great Britain. In some cases, the FVU consults with the CCU to consider auditing the applicant’s use of the force’s IT systems. However, during our file review, we found a small number of cases where potential risk mitigations were overlooked.
The force produces a counter-corruption strategic threat assessment (STA) annually. This outlines the current threats facing the force. There is no established process for the CCU to share the STA with the FVU. We encourage the force to make sure vetting decision-makers are fully aware of the current corruption threats.
Appeals and quality assurance
The head of PSD handles vetting appeals. In these cases, the FVM reviews the file, makes a recommendation and records a supporting rationale. If the head of PSD agrees with the FVM, they record a brief rationale. If they disagree, they set out their rationale in more detail. The head of PSD makes the final appeal decision.
Except for appeals, there is no process to quality assure final decisions where vetting has revealed adverse information about the applicant or their family and friends. We encourage the force to address this, particularly where clearance has been granted.
Disproportionality
The APP states there is a risk that vetting has a disproportionate impact on underrepresented groups. Furthermore, it requires forces to monitor vetting applications, at all levels, against protected characteristics to understand whether there is any disproportionate impact on particular groups. Where disproportionality is identified, forces must take positive steps to address this.
BTP gives some consideration to disproportionality in its vetting decisions, but this is restricted to ethnicity. It doesn’t monitor data for other protected characteristics.
The force collects data on vetting refusals and appeal success rates for people from different ethnic minority groups. This data is limited. We found little evidence of the force analysing this data to understand the reasons for any disproportionality or taking any action to address it.
Vetting file review
We reviewed 40 vetting clearance decisions from the preceding 3 years with a vetting specialist from another force. These files related to police officers and staff who had previously committed criminal offences or those that the force had other concerns about. They included transferee and recruitment vetting.
We agreed with most of the force’s decisions. But in three cases, we disagreed with the decision as the recorded rationale didn’t consider all relevant risk factors or appropriate risk mitigation measures.
Generally, the force uses the APP to guide its vetting decisions. But rationales would benefit from more detail including specific reference to the APP and the national decision model. This would help the force to take account of all identified risks when considering whether to grant clearance, and any potential mitigation.
Cause of concern
The force’s vetting arrangements are inadequate.
Recommendations
By October 2023, British Transport Police must ensure:
- it has a clear understanding of the level of vetting required for all posts and that all personnel have been vetted to a high enough level for the posts they hold;
- it has a clear understanding of the vetting required for all non-police personnel and that all non-police personnel have been vetted to a high enough level for their role;
- when concerning adverse information has been identified during the vetting process, all vetting decisions (refusals, clearances and appeals) are supported with a sufficiently detailed written rationale;
- when granting vetting clearance to applicants with concerning adverse information, the force vetting unit creates and implements effective risk mitigation strategies, with clearly defined responsibilities and robust oversight; and
- it analyses vetting data to identify, understand and respond to any disproportionality.
3. How effectively does the force protect the information and data it holds?
Lawful business and IT monitoring capability
At the time of our inspection, the force was transitioning to a new comprehensive IT monitoring system. As a result, the CCU could reactively audit some of the databases. The force anticipated completing its implementation by November 2022, but hadn’t assessed the resulting likely increase in workload for the CCU.
Since our inspection, BTP has told us the new monitoring system is installed on a limited number of devices and is still being tested. This is encouraging progress and we urge the force to develop its use of the software to allow it to monitor IT proactively.
The force doesn’t have a consistent process for the IT department to consult with PSD and CCU during the design and implementation of new IT systems. This means the systems may not include suitable auditing functions or other measures designed to prevent and detect misuse. This is a missed opportunity.
IT monitoring policy
The force has a policy regarding the use of lawful business monitoring for monitoring and recording staff communications. Currently, the CCU can only audit mobile devices manually, which is labour-intensive. It is anticipated that this process will be automated once the new IT monitoring software is implemented.
Digital device management
The force can attribute all mobile phones issued to individuals across the workforce. Each device has a warning screen that the user must acknowledge every time they switch the device on. This warning includes a reminder of the force’s lawful business monitoring policy. The force advises police personnel not to have any expectation of privacy if they use work mobile phones for personal use.
Information security – encrypted apps
The force has a comprehensive social media policy and detailed guidance. Both documents have been circulated to the workforce. Encrypted apps aren’t permitted on force devices.
Area for improvement
The force should improve its IT monitoring arrangements to ensure that it can monitor all use of its IT systems to support counter-corruption investigations and gather intelligence.
4. How well does the force tackle potential corruption?
Intelligence
Sources of corruption-related intelligence
The force operates an effective confidential reporting line. Between 1 January 2020 and October 2022, it received 416 reports:
- 112 reports in 2020;
- 131 in 2021; and
- 173 in 2022.
We examined 60 corruption intelligence files. We found the confidential reporting line was the force’s most frequent source of corruption-related intelligence. We also saw intelligence from other PSDs and the National Crime Agency.
Police corruption categorisation
The force correctly categorises intelligence in line with the counter-corruption APP.
Partnership working to identify potential corruption
The CCU has taken limited steps to develop working relationships specifically with agencies and organisations that support vulnerable people. The force relies upon relationships developed by local police forces. The force acknowledges that it hasn’t considered engaging with organisations associated with the transport network in order to gather intelligence about abuse of position for a sexual purpose (AoPSP). This could include, for example, businesses using the rail network and UK rail operators.
Identifying corruption threats
Counter-corruption strategic threat assessment
BTP has a comprehensive counter-corruption STA. The STA has been expanded to include specific threats relating to the force, such as its officers and staff misusing the transport system.
The force briefs divisional commanders on local threats based on an analysis of hotspots. However, it doesn’t communicate the threats identified in the STA to the wider workforce. This reduces the effectiveness of the STA and we encourage the force to share the assessment more widely.
Counter-corruption control strategy
Forces should produce a control strategy to describe its intelligence, prevention, enforcement, communication and engagement priorities for the next year.
BTP’s control strategy is not fit for purpose. It merely repeats the identified risks highlighted in the STA.
Implementation plan
The CCU doesn’t have a plan to introduce measures to address the threats identified in the STA. Without this, there is no clear understanding of who is responsible for addressing the risks identified or timescales for when the work needs to be completed.
Managing corruption threats
Intelligence development
We reviewed 60 corruption intelligence files. In most cases the CCU responded effectively.
We saw examples of the force using a variety of reactive techniques to develop and investigate corruption-related intelligence. We found the CCU produced a plan for all counter-corruption investigations. There were a small number of cases where the force’s limited auditing capability meant it didn’t fully progress some investigations. These are missed opportunities.
We found only one case of proactive intelligence collection. The force had identified intelligence relating to AoPSP by checking text messages on a mobile phone.
Identification of those who pose a corruption risk
The force doesn’t have an established people intelligence meeting where different departments can share information about the workforce. The CCU analyst collects information from a range of departments including finance and the P&C. The CCU tasking meeting reviews information about individuals of concern.
At the time of the inspection, CCU had started work with Cambridge University to use an algorithm to analyse P&C and PSD data to identify officers and staff at risk of corruption. It is too early to assess how beneficial this will be.
The force has created two risk registers. Operation Truth manages officers and staff previously suspected of sexual misconduct. Operation Alive monitors other types of corruption risk. The CCU uses a risk matrix to categorise each case as low, moderate, or high risk.
We reviewed the registers and risk assessments and found they were up to date. However, the force doesn’t proactively gather intelligence about these people.
Capacity and capability to investigate corruption
The CCU is a small team comprising well-trained, experienced detectives supported by a crime analyst. The current structure helps the CCU to investigate corruption intelligence. The CCU passes cases to the PSD if a misconduct investigation is required.
CCU leaders recognise that current staffing levels aren’t sufficient to develop intelligence beyond the original allegation. This means the CCU is missing opportunities to identify and exploit further corruption-related intelligence.
The CCU analyst produces a quarterly profile that identifies locations for potential corruption in the force. This is a comprehensive document. It provides senior managers with information that could help the CCU prevent and detect corruption. However, we found this information isn’t always being acted upon. The force told us this was due to staffing levels in the CCU.
The CCU told us it had submitted a business case to chief officers for additional staff. In the meantime, two additional members of staff were being seconded to the unit.
Specialist resources
The CCU can access covert resources through its tasking and co-ordination process. And it can request specialist resources from other forces. However, we found very limited evidence of the CCU using covert tactics.
Policies designed to prevent corruption
Clear and concise corruption prevention policies help to guard against corrupt activity, but can’t guarantee to prevent corruption, or in themselves stop corrupt practice. They provide guidance on how police officers and staff should behave. They should clearly state what is expected of members of the workforce and what actions they should take to protect themselves and the organisation from corruption.
The counter-corruption (prevention) APP sets out what policies forces should have and gives guidance on their content. Our inspectors examine their policies in these areas:
- Notifiable associations: policies should cover how the force should manage the risks related to officers and staff who may associate with, for example, criminals, private investigators, or members of extremist groups. They should require the disclosure by officers and staff of such associations.
- Business interests: policies should state when the force should allow or deny officers and staff the opportunity to hold other jobs. They should explain how the force will manage the risks that arise when officers and staff are allowed to hold them.
- Gifts and hospitality: policies should cover the circumstances in which police officers and staff should accept or reject offers of gifts and/or hospitality.
Generally, BTP’s policies are comprehensive and reflect APP. Members of the workforce report notifiable associations, business interests and gifts and hospitality through an online form that the PSD retains in a register. However, the business interest policy doesn’t cover all activities that would normally constitute paid or unpaid secondary employment. For example, it doesn’t cover when a member of the workforce has a paying lodger in their home or works as a volunteer. We encourage the force to change its business interest policy to reflect the APP guidance.
Generally, there is good oversight of the registers associated with these policies, but we found some outstanding reviews in the business interest register. This should be addressed.
Sexual misconduct
The force recognises AoPSP as serious corruption. It records cases appropriately and refers them to the Independent Office for Police Conduct. At the time of our inspection, we found 5,135 officers (94 percent) had completed College of Policing training for AoPSP. The force supports this training with poster campaigns and intranet articles publishing the outcome of misconduct hearings.
However, the force doesn’t provide any additional training or support for supervisors or managers to help them identify the warning signs for AoPSP. We strongly urge the force to do so.
Area for improvement
The force should improve how it collects, assesses, develops, and investigates counter-corruption intelligence by ensuring that:
- it produces a comprehensive annual counter-corruption strategic threat assessment, control strategy and implementation plan with accountable action owners, and uses them to identify and manage corruption threats effectively;
- its counter-corruption unit has sufficient resources and suitably trained staff to meet demand and allow for proactive intelligence collection; and
- it maintains effective working relationships with external agencies and organisations who support vulnerable people to encourage reporting and to safeguard potential victims.