List of active policies

Full policy

The following terms and conditions apply to the sale of goods and services provided by the Institute and its representatives to its clients.

Nomenclature

Hereafter:

"Provider" refers to IEIS, its subsidiary bodies, agents, staff and associates.

"Event" refers to any event, course or other activity organised by the provider on behalf of its clients.

"Applicant" refers to any individual or group who has applied for an event either for themselves or for others.

"Attendee" refers to any individual or group in attendance at an event or intending to attend.

Application

Applicants must request attendance via the website or by e-mail, providing evidence that minimum requirements for the event as set out in the eligibility criteria have been met. All attendees will be assessed against the eligibility criteria. Applications are not considered complete until all evidence has been received by the provider.

Rejection & Appeal

Applicants that are not accepted will receive a rejection e-mail citing the reason why the application was rejected and be given the right to appeal the decision to an executive authority.

Conditional Offers

If insufficient information was provided, the application will be considered on its existing merits. A request for further information may be issued together with an offer of attendance at the event. Such an offer will be made by e-mail and will be on condition that all remaining evidence is received by the provider no less than 28 days prior to the event start date.

Unconditional Offers

Applications that are accepted will result in the applicant receiving an unconditional offer of attendance at an event by e-mail.

Confirmed Offers

If the applicant and the attendee are the same person the offer is confirmed on issuance of remaining evidence and full settlement of fees. Otherwise, the attendee is required to confirm their acceptance of the offer. In cases of competitive entry, attendees with a confirmed offer are always admitted in place of those without.

Cancellation

In the event of any cancellation, the provider will first make every effort to negotiate a concession suitable to both the provider and the attendee (e.g. deferral, varying delivery methods, etc). In the event that no concession can be reached, the offer has not been confirmed and the applicant has provided more than 28 days notice from the start date, a full refund or transfer to an alternate event will be provided. Unavoidable expenses resulting from a cancellation and any administrative charges incurred in processing the application will always be deducted from the refund. Confirmed attendees and applicants providing less than 28 days notice of cancellation remain liable for the balance of all payments and fees.

Event Changes

The provider reserves the right to change the details of an event at any time and refuse anyone access to an event without notice. The provider may cancel or reschedule any event with 28 days notice to the applicant. If the provider cancels or reschedules an event with less than 28 days notice, the applicant is entitled to a full refund or transfer to an alternate event. Refunds pertain exclusively to fees. The provider is not liable for any other costs and expenses incurred by the applicant or attendee.

Unless otherwise stated, attendees will be automatically unenroled from an event 365 days after initial enrolment. Enrolment may be extended with the permission of the course director and the decision appealed to the head of training and directing staff.

Payment

Full payment of fees is required 28 days prior to the event start date. Fees must be paid in Euros (EUR) and settled by electronic transfer (e.g. credit card, bank transfer, paypal, etc.) unless otherwise agreed with the provider. Receipts, invoices and estimates will be provided upon request.

Late Booking Policy

The normal 28 day notice period for applications and payment may be reduced to 7 days if sufficient information is presented in the application to make a confirmed offer and a 20% late booking fee is accepted by the applicant. Automated processes via online booking may enable applications to be processed faster and without penalty, subject to agreement with the provider.

Tax

Due to the administrative burden involved, as a matter of policy, providers do not operate in jurisdictions where they would be required to register for VAT.

Events are run as independent legal entities and/or under the authority of the provider. Listed fees do not generally include tax unless otherwise stipulated, as tax obligations vary depending upon the provider's status and where the event is delivered. The provider typically operates below the threshold for VAT registration due to the Institute’s unincorporated cellular structure, and consequentially nominal turnover per cell. The provider may also carry non-profit status and other privileges which grant special exemptions from other forms of local taxation. Typically attendance events are liable for taxation at local rates at the point of service delivery in accordance with the appropriate tax laws for that country. The most common exemptions for this are if events are digital, excursions or otherwise exempt locally. Excursions are optional, ancillary, non-profit, educational events delivered overseas as a part of a significantly larger digital or local event liable for taxation at local rates. The delivery of digital products and services is completed locally, as a "hands-on" EU cross-border digital service, or is exempt from taxation outside of the EU and therefore only liable for taxation at local rates.

Intellectual Property Rights

All non-educational materials delivered at the event remain the intellectual property of the provider. All rights not expressly granted shall be reserved by the provider. Modification or incorporation of materials shall not constitute a joint work. If the attendee wishes to make additional use of materials not covered in these terms and conditions the attendee shall obtain permission from the provider and pay an additional fee to be agreed upon. If permission is granted for the attendee to make additional use of materials, a credit in the name of the provider shall accompany the materials whenever practical and the attendee shall supply the provider with a copy of any publication the material appears in. 

Due to the potential for material covered at events to be abused, attendees have a legal duty to protect the public from any harm caused by reckless or negligent disclosure. Specifically, attendees may not disclose materials covered at events without taking due diligence precautions the public would expect relating to such material (e.g. security vetting, clearances, contracts, etc).

Security

Some events place special requirements upon the attendee prior to attendance (e.g. security vetting) and whilst at the event (e.g. venue security requirements). Attendees must adhere to those requirements and be willing to undertake all necessary action in order to comply with them. The applicant is liable for any costs the provider incurs in meeting these requirements. For further information on Institute vetting policy, including the Baseline Security Check (BSC), Enhanced Security Check (ESC) for access to sensitive materials consult the relevant policy pages on this site. If these checks are required the normal 28 day notice period for applications and payment may be extended to 6 months in order to complete sufficient security investigations.

Amongst other commitments attendees may also be required to limit personal movements in venues, limit communication with others on or before events, share data with European authorities and sign non-disclosure agreements. These requirements will be communicated to the applicant prior to an offer of a place at the event. With the exception of forfeiture of a place at the event the applicant or attendee will not suffer any further disadvantage for non-cooperation with special requirements.

In lieu of a current EU or NATO security clearance of any level, written authority at UN ASG, NATO OF-6 or EU DDG level, enhanced security investigations with necessary and justifiable "need-to-know/attend" will be accepted. Photographic proof of identity will be requested at course registration.

Declaration

By agreeing to these terms and conditions an attendee agrees to the following declaration:

"In applying for this event I hereby declare that I have no unlawful or unethical intent nor do I intend to use skills or knowledge gained therein to commit unlawful or unethical actions in the future. Furthermore, I recognise and attest to my on-going legal obligation not to pass on course material to others and not to misuse that material to commit or conspire in unlawful or unethical actions that undermine the rule of law.”

Policy reference:	IEIS/0202/150706/1
Policy owner:	Chair of the Institute
Authorised date:	06 July 2015
Operational date:	22 July 2015
Review schedule:	Annual

Full policy

This policy constitutes the Institute's position on the use of personal information in fulfilling its obligations to the public.

Introduction

This website is hosted by the Institute for European Intelligence and Security. Representatives of the Institute may be reached via the contact page.

The Institute needs to gather and use certain information about individuals in order to function. This can include contact details, security, medical, financial and other personal information. This policy describes the Institutes position on how this information must be collected, handled and stored.

This policy ensures that the Institute:

• Complies with data protection law and follows good practice.
• Protects the rights of individuals.
• Stores and processes data in a transparent way.
• Protects itself from the risks of data breach.

This policy applies to:

• All staff and directors.
• All volunteers and registrants.
• All customers and other recipients of Institute services.
• All contractors, suppliers and others working on behalf of the Institute.

The policy applies to all data that the Institute holds relating to identifiable individuals. This can include any information relating to individuals including but not limited to:

• Sensitive information: Information which may be harmful to the data subject if inappropriately disclosed such as medical conditions, political or religions opinions, criminal convictions (inc. alleged offences), lifestyle profiles, financial stability, opinions/analysis etc.
• Personal information: Information that is privately held or permanently linked to an individual such as full names, education, training, home postal addresses, personal e-mail addresses, home telephone numbers, etc.
• Non-personal information: Information that is publicly available or not permanently linked to an individual such as work addresses, office telephone numbers/extensions, professional e-mail addresses, etc.

This policy helps to protect the Institute from data security risks, including:

• Breaches of confidentiality.
• Legal damages.
• Reputational damage.

Policy Statement

Information provided to the Institute shall be treated in full accordance with the EU regulations and standards.

Personal data will:

• Be processed fairly and lawfully.
• Be obtained only for a specific and lawful purpose.
• Be adequate, relevant and not excessive.
• Be accurate and kept up to date.
• Not be held longer than is necessary.
• Processed in accordance with the rights of data subjects.
• Protected proportionately.
• Not be transferred outside of the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

Everyone who works for or with the Institute has some responsibility for ensuring data is collected, stored and handled in line with this policy and data protection principles. However, these roles have key areas of responsibility:

• The central committee is ultimately responsible for ensuring that the Institute meets its legal obligations.
• The data controller is responsible for:
  • Keeping the central committee updated about data protection responsibilities, risks and issues.
  • Conducting an annual review of all data protection procedures and related policies.
  • Arranging data protection training and advice for those covered by this policy.
  • Handling data protection questions from those covered by this policy.
  • Dealing with requests to view, correct or delete data the Institute holds about them.
  • Checking and approving any contracts or agreements with third parties that may handle the Institute's data.
  • Ensuring all systems, services and equipment used for storing data meets acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating third-party services the Institute is considering using to store or process data.
  • Approving any data protection statements attached to communications.
  • Addressing data protection queries from journalists or media outlets.
  • Working with others to ensure any marketing activities abide by data protection principles.

All those covered by this policy are required to follow general protection guidelines for personal data:

• Only those with a need to know should be able to access personal data.
• Personal information should be formally requested and access authorised.
• Access will not be granted to personal data until data protection training has been received.
• Personal data must be kept secure.
• Computers should be locked when unattended.
• Strong passwords must be used, regularly changed and never shared.
• Anyone possessing personal data is obligated to protect against unauthorised disclosure.
• Personal data should be regularly reviewed and updated. If it is out of date or no longer required it should be safely disposed of in a manner that would prevent recovery.
• Whenever possible personal data should be stored using pseudonymisation or anonymisation.
• If unsure about any aspect of data protection request assistance from the data controller.

These guidelines describe how and where personal data should be safely stored. Further questions about storing data can be directed to the data controller:

• All data should be stored securely in a compartmentalised fashion so as to prevent inadvertent unauthorised disclosure.
• Physical files should not be left unattended but locked in a drawer or filing cabinet when not in use.
• Physical files should be shredded when no longer required.
• Electronic files should be protected from unauthorised access, accidental deletion and malicious hacking attempts.
• If electronic files are stored on removable media, these should be locked away securely when not in use.
• Electronic files should only be stored on designated drives and servers and not uploaded to cloud services.
• Servers containing personal data should not be co-located in general office space.
• Electronic data should be backed up incrementally and backups should be tested annually.
• Electronic data should never be saved directly to mobile devices.
• All servers and computers containing personal data should be protected by approved security software.

Personal data is at the greatest risk of loss, corruption or theft at the point of access. Therefore, personal data should:

• Be securely communicated.
• Be encrypted before being transferred electronically.
• Never be saved to private computers.
• Always be accessed centrally.

The law requires that the Institute take reasonable and proportional steps to ensure data is accurate and up to date:

• Data must only be held in as many places as is necessary. Unnecessary duplicates must not be created.
• Every opportunity should be taken to verify and validate data.
• The Institute must, where possible, enable others to update their own information.
• Data should be updated as inaccuracies are discovered.

All individuals who are the subject of personal data held by the Institute are entitled to:

• Ask what information the Institute holds about them and why.
• Ash how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the Institute is meeting its data protection obligations.

Requests for subject information should be made by e-mail, addressed to the data controller at the link below. The data controller can supply standard request forms but individuals do not have to use these.

Once a request for personal data is made by a data subject the data controller must provide the relevant data within 1 month.

Prior to releasing subject information individuals may be required to pay an administrative fee not exceeding €50 and proportional to the expenses incurred in processing the request. The identity of an individual making a request must always be verified prior to the release of any personal information.

In limited circumstances, a subject may make a request to prevent processing if it causes damage or distress. To do so a request must be made by e-mail stating what the objection is, how processing is unwarranted and reasons why handling is causing damage or distress.

Privacy Policy

The Institute aims to ensure that individuals are aware that their data is being processed and that they understand:

• How the data is being used.
• How to exercise their rights under the law.

For the reasons described in this policy outline how personal data is used by the Institute.

The Chair of the Institute is a designated data controller for the purposes of this policy and relating legislation. The Institute takes takes great care to ensure that personal information is handled appropriately and confidence in their security and discretion is maintained.

The Institute may obtain personal information from a variety of open and closed sources, including government agencies, private individuals and organisations.

Personal information is typically processed by the Institute to facilitate, protect and promote the:

• Interests of international security.
• Prevention of public disorder, international crime and terrorism.
• Maintenance of judicial authority and the rule of law.
• Protection of the fundamental rights and freedoms others.

Personal and non-personal information may be processed in the legitimate interests of the Institute when those interests are not overridden by the interests of the fundamental rights and freedoms of the data subject. However, it is strictly prohibited for sensitive information to be processed for ancillary support purposes (e.g. routine administration, public relations, advertising and other marketing activities).

Our website automatically gathers some impersonal information from your computer such as your general location, when and what you viewed. This is collected to provide some insight into our visitors (e.g what pages to people like to visit most, from what countries and when?) so we can improve our site and services. None of the data our site gathers is specific enough to identify an individual.

Cookie policy: Cookies are very small text files that are stored on your computer when you visit some websites. We use cookies to help identify your computer so we can tailor your user experience and track changes you have made to parts of our site (e.g. e-learning entries, messages and other interactive elements). Our website statistics program also uses cookies so we can tell what pages you find most interesting so we can improve the performance of our site. You can prevent your browser storing cookies on your computer, but this may stop our website from functioning properly. Our cookies are designed to provide you with the best user experience. Functional cookies help programs on our website work and targetting cookies allow you to share our data with other websites.

The Institute will never make decisions that may affect an individual based solely upon the automated analysis of personal data.

By voluntarily submitting personal data to the Institute the data subject explicitly grants the Institute permission to process it for the purpose for which it was originally supplied and to retain it for as long as may be required to fulfil that purpose and satisfy any legal obligations relating to it.

The Institute ensures that personal information is handled lawfully and justifiably. Personal information must be as accurate and current as possible, adequate and not excessive to the task, in respect of individual's rights.

The Institute complies with the relevant parts of European data protection regulation, common security policies and ISO27001 information security standards.

Any data breach likely to result in risks to the rights and freedoms of individuals will be reported to the relevant authority within 72 hours of the data controller becoming aware of it.

Oversight: The Inspectorate is the independent regulator responsible for overseeing data protection compliance. In limited circumstances complaints may also be lodged with the relevant national data protection or supervisory authorities. To find out where your relevant authority is located please contact the data controller who will aim to address your query within 14 days.

Sensitive Data Policy

For legal and security reasons the Institute is required hold some sensitive data on data subjects (e.g. in order to satisfy legal obligations to conduct security checks on delegates). Sensitive information is subject to rigorous security standards and may only be used in the interests of public safety and security. The use of such information for ancillary support (e.g. routine administration, public relations, advertising and other marketing activities) is strictly prohibited.

When processing sensitive data, the Institute and its personnel are typically subject to national security, law-enforcement, research/analysis or third-party exemptions.

Related Policy

Risk assessment and mitigation is required whenever specific risks to the rights and freedoms of data subjects are identified. Recurring high risk functions have been identified in legal disclosure, security vetting and unsolicited communication. All risks have been mitigated or reduced through the application of security procedures. Further details are available upon request.

Additional security regulations outlined in 2013/488/EU surround the use of sensitive, privileged and classified material and form the basis of the Institutes standard operating procedure for the protection of that material.

Additional policies regarding the terms and conditions of sale and use of services provided by the Institute are provided in the Institutes general terms and conditions.

Policy reference:	IEIS/0202/180524/1
Policy owner:	Data Controller
Authorised date:	14 May 2018
Operational date:	25 May 2018
Review schedule:	Annual

Full policy

This policy describes the measures to be taken to protect Institute personnel and the public. Thereby, fulfilling the Institute’s public safety obligations.

Introduction

The Institute recognises an ongoing risk to personnel and the public in the form of recurring pandemics and as a result an obligation to take standardised protective and preventative measures whilst ensuring the ongoing viability of its services. This policy applies to facilities and personnel bound by the Institute’s contractual terms of service who are assigned to Institute facilities. This includes but is not limited to: 

• Volunteers, staff and directors.
• Students, customers and recipients of services delivered on-site at a facility. 
• Contractors, suppliers and others working at a facility.

This policy only applies to students and other customers, contractors and suppliers, whilst in attendance at an Institute facility.

Compliance with this policy is mandatory and ensures personnel affected by it are not exposed to any more risk than is absolutely necessary, reducing the probability of infection. Failure to comply with this policy is considered an act of gross misconduct, potentially resulting in dismissal and being struck from the professional register. If violations of this policy are found to be in breach of local, national or international law, legal action may be taken or evidence provided to the appropriate authorities in support of a conviction. 

This policy ensures that the Institute:

• is socially responsible and meets its public health obligations.
• prevents the spread of the illness.
• explains its position on how personnel affected by this policy are expected to assist in organisational efforts to promote public health and safety.

For the purposes of this policy a pandemic is defined as a virus in sustained circulation (globally or within a quarantine zone) where:

• Transmission is airborne or otherwise highly communicable.
• Propagation is international in scope.
• Less than 70% of the population have immunity.
• Individual infection can result in severe or fatal conditions or widespread infection of the workforce has the potential to impact upon the national infrastructure.
• The host nation’s attempts to separate healthy members of the population from those that have the virus have not been successful.

This definition is motivated largely by experiences with COVID-19, but is easily adaptable for future pandemics with minor alterations. Senior representatives may be reached via the contact page on the website to discuss or propose changes to any aspect of this policy. Personnel should be informed of current pandemics on the home page of the website.

Policy Statement

Policy regarding pandemic is based on expert scientific advice from sources with an established track record for acting in the public interest. Such advice is supported by scientific research and motivated exclusively by public health concerns. If previously credible sources are found to be motivated by concerns other than public health, their recommendations are discarded unless found to correlate with other expert scientific sources who have been found to have been motivated exclusively by public health concerns.

Pandemic imposes additional responsibilities in the public interest, it does not exempt an organisation or individual from their responsibilities. During a pandemic, obligations to customers, suppliers and the public will me maintained, unless subject to mutual agreement. Salaries, invoices, products and services will be delivered according to the terms of the original contract. The means of delivery may change, but only to the extend necessary to meet obligations in a safe and secure way. Current policy based around imposing quarantine procedures upon personnel. These procedures are well established and for the purposes of brevity will not be repeated in this policy.

Academic Policy

Attendance events are strictly prohibited during a pandemic. Virtual attendance via video-conferencing is recommended as an alternative means of continuing study. Therefore, in the planning and delivery of materials, as much material as possible must be adapted for online delivery by distance learning, so learning can continue during quarantine. Regardless of the delivery method faculty will continue to work hard to ensure the highest standards of training and education. The progress and status of scheduled events will be displayed on the website, providing an alert to any changes. Notifications may be made in banners or alerts to communicate urgent news.

The development of distance-learning courses to replace attendance versions is a complex and lengthy task. Courses and materials must adequately cover the scope of professional conduct for two domains (one general and one specialist) with over two hundred competencies. As a result it will likely take years to adapt the entire curriculum. However, efforts are focused on one course and one domain at a time, ensuring that as many courses can become available as soon as possible.

Course status updates on the homepage shall be listed in three code categories pertaining to their readiness for launch. Green pertains to courses that are already available or will be available by the time an application is processed for them. There are two states for green coded courses:

• Available Online Now!: Limited places are available online. Annual residential or online schools may run at a fixed times once or twice a year, but enrolment can take place on the pre-requisite e-learning component as soon as an application is processed.
• Coming Soon: Guidelines have been issued to the directing staff, training materials are being field-tested and the course is being revised and finalised prior to release. Courses at this stage will generally be ready for enrolment in less than 30 days.

Yellow status pertains to courses that are in the final stages of delivery. These courses would have been prioritised and are actively being worked on. There should be no more than one or two yellow coded courses at any one time and the two states for these courses can be:

• Under Development: Unit outlines are being developed with instructional objectives, unit content and methodological descriptors. Experts are providing course materials including examples and exercises before units are re-drafted and packaged for evaluation. By this stage a course can be expected to launch in 2-4 months.
• Refining Design: Learning objectives are being organised into teaching units, appropriate training methodologies are being selected, content is developed and syllabus/curriculum documents are published. At this stage of development a course can be 5-7 months from launch.

Red status pertains to courses that are not actively being worked on or are in the preliminary stages of development. There are two states for red coded courses:

• Assigned for Analysis: The course has been assigned for review, the target audience is being redefined, the ICF amended for the new audience's European functions and the pre-requisite skills and knowledge for those functions defined and selected as the new learning objectives. At this stage of development a course is generally 8-12 months from launch.
• Unassigned: Pre-existing course materials exist in other formats e.g. full attendance mode. The course is scheduled for review, a plan for redevelopment has been agreed, but the course is currently awaiting allocation for translation to delivery by blended-learning. At this stage of development a course could be years from launch.

Outbreak Response

No attendee at any event may participate in any activity that may endanger their health if they have been diagnosed, are displaying symptoms or have reason to believe they may be infectious. Any such person may not return to full active duty or resume attendance until full recovery has been confirmed by a medical professional. Restricted home working with special conditions may be acceptable if a suitably qualified medical professional can verify that the effect on the individual’s health would be negligible.

Attendees that develop symptoms whilst at an event will be separated from other persons, sent home, instructed to remain in isolation and seek medical attention. The event will be reported to the relevant authorities, all persons with whom the symptomatic individual has been in contact with will also be required to list their recent contacts and place themselves in isolation until cleared by a medical professional.

In the interests of public health, events may be switched to a remote format without notice and all events post-2020 will be prepared with distance-learning contingencies. Attendees entering onto events accept that there may be changes in the delivery methods of that event to accommodate for a pandemic response.

Imposing Quarantine

During a period of pandemic, facilities will be closed and all personnel must work from home. Quarantine procedures must be observed in the interests of public safety. A controlled quarantine zone should be as large as possible whilst still guaranteeing the integrity of its cordons. Personnel may only break quarantine if forcibly compelled to do so or obliged to do so to sustain life. For example, if food deliveries are not made available an employee may be required to break home quarantine in order to buy food. An employee may also be ordered to leave his home to report for vaccination. However, social visits, exercise, mental health or work are never acceptable reasons for breaking quarantine. 

During a pandemic good hygiene standards must be maintained by: 

• Working outside whenever practicable
• Ventilating work areas with the outside air as much as possible
• Using disinfectant gel and spray regularly
• Routinely disinfecting all frequently touched surfaces
• Using a secure bio waste container for disposable tissues and wipes
• Regularly washing and cleansing, especially after outside contacts

When imposing quarantine upon individuals and facilities it is important that appropriate support is provided to ensure quarantine can be maintained. Such provisions will be made on a case by case basis but must as a minimum ensure: 

• Provision of basic needs.
• Communication with family and caretakers.
• Constraints are equally applied and non-discriminatory.
• Compensation for economic and material loss.
• Treatment for any psychological impact.
• Prevention of threats or abuse (if diagnosed).

Exceptional Cases

In some cases facilities must remain open and personnel may be required to place themselves or others at risk of communicating the disease for security reasons. In these cases, each facility and duty assignment is subject to risk assessment to ensure the security risk significantly outweighs the public risk of spreading the virus. In such rare cases, the risk assessment must identify measures to reduce the risk of infection as much as possible. In the case of facilities, such measures may include, but are not limited to placing the facility under quarantine. In the case of personnel, measures may include bio-containment or short-term quarantine.

The Siracusa Principles

The imposition of this policy upon individuals restricts their human rights for the public good. Specifically, the right to freedom of movement is limited. As such, this policy is viewed as a means of last resort when national and international measures have failed. However, due to the impact on human rights, a quarantine measure may not be imposed if any of the following conditions are met: 

• • Failure to comply with the measure does not represent a danger to the public.
  • The quarantine measure violates local, national or international law, or exceeds the legal authority of the Institute to implement.
  • Imposing the quarantine measure is not necessary or effective in preventing infection or providing care.
  • A less intrusive or limiting restriction is available to prevent infection or provide care.
  • The quarantine measure is not based on scientific evidence.

Tactical Restrictions

Home working is known to have many benefits including increases in access and authority needed to facilitate home working environments, increased responsibility and independence, increases in disposable income and more. When combined with the social benefits of contributing to public health, satisfying civil responsibilities or even playing an active role in combating a pandemic, the responsible decision is to self-isolate and conform with policy. However, there will always be a disruptive element within every society that prioritises their own self-interest over the survival of others. Therefore, it is the responsibility of every socially responsible organisation to plan for the eventuality that such an attitude may manifest within their own ranks.

During quarantine supervisors receive automated warnings based on the use of passive surveillance that scans for the indicators of a quarantine breach. For example, scraping social media or open source content, access or activity log alerts and other data harvesting. On receipt of a warning, a narrow selection of pre-approved overt non-intrusive means may be applied for by supervisors who are also accredited intelligence officers.

For example, on receiving an automated warning regarding a member of staff, a supervisor requests permission to make “spot checks” by phone. During such a check the supervisor would phone the employee to confirm their voice and request that they provide their device’s timestamped GPS beacon to demonstrate they are within a prescribed quarantine zone. Authorisation is granted under strict conditions and specific guidance on the technique is provided to the supervisor to ensure GPS checks remain efficient and effective, but also non-invasive and infrequent. The employee is then informed and checks begin to ascertain their compliance. 

Intrusive or active covert surveillance methods are not authorised on the grounds of pandemic.

Lifting Quarantine

Quarantine may only be of a limited duration. Specific and achievable criteria for lifting quarantine must be established at the outset and those criteria should be reviewed at regular meetings no more than once every three months. Quarantine may be lifted as soon as the criteria for a pandemic outlined in the introduction to this policy are no longer met. However, to avoid rapidly lifting and re-imposing quarantine, it is recommended that more than one of the criteria no longer be applicable, and the review period for lifting quarantine is carried out no more than once per month.

As quarantine should be as limited in duration as possible, production of substantial evidence that the pandemic is in the post-pandemic stage will trigger an emergency review to lift quarantine. Decisions to impose quarantine on either facilities or individuals may be appealed in writing to the Chair of the Institute. If successful, quarantine will be immediately lifted and may not be re-imposed without a second blind-authorisation by an official of equivalent rank.

Related Policy 

Risk assessment and mitigation is required whenever specific risks to the rights and freedoms of others is identified in professional activities. Additional specific risks have been identified and measures taken to mitigate and reduce those risks. Further details are available upon request. Additional specific regulations and laws and the local, national and international level surrounding pandemic response will be integrated into standing operating procedure. Additional policies regarding the terms and conditions of sale and use of services are provided in general terms and conditions.

Policy reference:	IEIS/0202/210421/1
Policy owner:	Chair of the Institute
Authorised date:	21 April 2020
Operational date:	19 May 2020
Review schedule:	Annual