Guidance

The NPCC National Fingerprint and Footwear Strategic Board policy for access and use of the National Footwear Database and National Footwear Reference Collection (accessible)

Published 25 September 2025

Forensic Information Databases Service (FINDS):

The NPCC National Fingerprint and Footwear Strategic Board Policy for Access and Use of the National Footwear Database and National Footwear Reference Collection

Authorised by: Zo-dee Ledger

Date: 11th August 2025

Job Title: Head of Unit

Please note that the content and the layout of this document are controlled by the FINDS Quality Team and are not to be altered in any way.

We are constantly looking for ways to improve our policies and procedures. Constructive feedback both positive and negative is always welcome. Please submit your feedback or proposals for change to: FINDS_Quality_Management@homeoffice.pnn.police.uk

Identification

Policy Reference Number and Policy Title: FINDS-SB-P-005 - The NPCC National Fingerprint and Footwear Strategic Board Policy for Access and Use of the National Footwear Database and National Footwear Reference Collection

Ownership

Organisation and Department Responsible: FINDS - Biometrics Assurance

Distribution

Law Enforcement Agencies and the NPCC National Fingerprint and Footwear Strategic Board (NFFSB)

Recent Revision History

Issue Number	Issue Date	Summary of changes
4		DCR1428 – Full Document Review

The full revision history can be viewed at the end of this document

1. Governance

This policy is issued on behalf of the NPCC National Fingerprint and Footwear Strategic Board (NFFSB). The responsibility and accountability for the accuracy and intended meaning of the document resides with the NFFSB and as such may only be varied or amended with their explicit consent.

2. Objective and Scope

The aim is to maintain the integrity of the footwear databases under the Strategic Board’s remit by ensuring that the data is fairly and lawfully accessed and retained. This means:

• processed for purposes related to the prevention, investigation, detection, or prosecution of crime, or the execution of criminal penalties;

• necessary and proportionate for the prevention and detection of crime;

• accurate and up to date, and held within the appropriate data collection to ensure appropriate use and access;

• retained proportionately; and

• secure.

The principles of the data assurance strategy for the National Footwear Service (NFS) - comprising the National Footwear Database (NFD) and the National Footwear Reference Collection (NFRC) are:

• adherence to quality assurance standards;

• performance monitoring of the end-to-end supply chain which is supported by the database;

• risk based;

• transparent; and

• supported by an approval process.

This policy describes the specific conditions, permissible purposes, and the level of authority required to access the products of item/exhibit processing and information derived from the NFD/NFRC including:

• footwear marks^{[footnote 1]} and impressions^{[footnote 2]} taken either digitally or retained in the form of a copy;

• the results derived from the processing (including the Footwear Image derived from the original mark/impression);

• the associated data derived during the processing and searching of data on the NFD/NFRC;

• where records are searched against the NFD/NFRC to deliver results, but the searched records are not retained on the database;

and also has in scope:

• items/exhibits submitted or collected/seized by a Footwear unit for examination whether it is digital or physical.

The policy also specifies the permissible purposes for which the forensic information may be used once accessed.

The policy defines how the NFD^{[footnote 3]} meets the principles relating to processing of personal data, as defined in the Part 3 of the Data Protection Act 2018. This applies to England and Wales and covers forensic materials, relating to criminal investigations by LEAs, that have been collected by, submitted to, generated by, and retained by Forensic Units.

This policy applies to:

• the National Footwear Database (NFD) and National Footwear Reference Collection (NFRC) whereby images are taken, digitally or in the form of a copy of the original, for the detection, investigation, and prevention of crime where the resulting data is intended to be loaded, searched, or compared – including arrestee and crime scene images;

• the access to footwear images retained on the National Footwear Database and National Footwear Reference Collection; and

• the access to records retained on the National Footwear Database and National Footwear Reference Collection where the associated data relates to the footwear impressions taken.

Specific to England and Wales, this policy applies to:

• all Footwear marks/impressions, images, and associated data (collectively referred to as Footwear Data), taken in England and Wales and loaded to the NFD/NFRC; or where such Footwear Data is utilised in authorised research undertaken to increase the understanding of the impact and/or potential uses of the NFD/NFRC.

This policy does not cover:

• the legislative provision for the sampling of footwear images;

• the use of Footwear Data in direct casework comparison; and

• footwear images taken in the other UK jurisdictions, for example those taken under Scotland or Northern Ireland legislation, where governance falls to the Scottish Police Authority and the Department of Justice (Northern Ireland) respectively.

3. Responsibilities

The joint controllers in respect of personal data for National Footwear System purposes will be the Chief Officer (or Chief Executive or equivalent) of the Law Enforcement Agency (LEA) where the sampling event took place and the National Police Chiefs’ Council (NPCC) Lead (Chair of the NFFSB)^{[footnote 4]}.

The Forensic Information Databases Service (FINDS) (part of the Home Office) is defined as processor on behalf of the NPCC lead and responsible for the integrity and protection of the data held on the National Footwear System (NFS) which comprises the National Footwear Database (NFD) and the National Footwear Reference Collection (NFRC) on behalf of the NFFSB.

For data protection purposes, within the role of processor undertaken by the Home Office for the delivery of services from the NFD, there are solely actions taken as determined by the controllers. Where the delivery mode (ways and means of undertaking activities) is subject to change to accommodate, for example, new collections or data capabilities, the controllers as the decision makers fulfil that role by ensuring the issuing of processing instructions, including but not limited to, the information contained within this policy. Home Office processors are required to engage with the NFFSB to ensure there is sufficient information available to enable controllers to discharge this duty, with the standard form being the inclusion of an agenda item on the quarterly NFFSB meeting.

As part of maintaining the integrity of this data, Home Office processors have the responsibility to report notifiable breaches of privacy to the ICO where the source of a breach specifically relates to the IT system which hosts the database.

The Forensic Science Regulator is appointed by the Home Secretary to be responsible for the setting of, and compliance with, national quality standards for the provision of forensic science services to the Criminal Justice System in the United Kingdom, including those relating to the NFS.

Forensic Units are responsible for assuring that they comply to legislative, regulative, and policy requirements to ensure the integrity of the records held on the National Footwear Database and National Footwear Reference Collection.

LEAs are responsible for ensuring the continuity of evidence for each footwear impression they have taken and will be responsible, through their Data Protection Officer function, to report notifiable breaches of privacy to the ICO.

The LEA has ultimate responsibility for ensuring that materials from a given case are retained for a period of time appropriate to the outcome of that case and as such should consider the assigned retention time when undertaking their periodic review(s)^{[footnote 5]} of that case.

All organisations which actively undertake sensitive processing must adhere to the requirements of data protection legislation to include that stated in the Data Protection Act 2018.

It is the responsibility of LEAs and any other agency or organisation acting on their behalf to comply with this policy. If there is any doubt as to whether a specific action or activity complies with this policy, then clarification should be sought from the NFFSB (through contacting FINDS) prior to commencement.

4. Overarching Policy

The Chief Officer (or equivalent) of the LEA who determines the purposes and means of the processing of personal data by performing the sampling event is the controller for all data linked to the NFS footwear image.

Footwear Data may not be used directly by, or provided to, any other agency or organisation other than those listed in Annex I or those specifically authorised by the NFFSB.

Forensic Units submitting information to the NFS must comply with the Code of Practice issued by the Forensic Science Regulator (FSR Code) where currently applicable i.e. where the specific activities are within scope.

The FSR Code identifies Footwear Forensic Science Activities (FSA) FSA – MTP201 – Footwear: Screening and FSA – MTP202 – Footwear Mark Comparisons which must be accredited to BS EN ISO/IEC 17020 or 17025, as appropriate. The FSR Code allows an alternative approach to accreditation to be taken for FSA – MTP200 – Footwear: Coding and the NPCC Framework for Footwear Coding is available as that alternative.

It is mandatory that all users of the NFD/NFRC are from an organisation that is either:

• accredited for the specific FSAs being employed; or

• adhering to the NPCC Framework.

For any user identified from an organisation where compliance to this requirement is not in place, FINDS will remove the user’s access to the system.

4.1. IT support for Footwear databases

For the purposes of provision of IT support for the NFD/NFRC, the service provider must ensure that all supported environments comply with this policy and legislative requirements. Where the database system setup is such that datasets can be linked through the live environment for functionality test and development, or for validation purposes, the same requirements are applicable.

Where supported Test and Development environments/datasets contain fields within which personal data is populated, this data must be anonymised^{[footnote 6]} as a minimum. There must be full transparency for the environments and datasets retained in order that the NFFSB, administered by FINDS on their behalf, have the necessary oversight to be able to track the purpose, authority, and approvals in place, and afford the same level of scrutiny to all regardless of the system container.

IT system providers for the NFD/NFRC should be working to the principles of the ISO/IEC 27000 standard in order that key Data Protection Act 2018 (Part 3) controls are in place (such as auditing of system access and data changes). The FINDS Unit defines the processes to meet their obligations through the following documentation and procedures:

• NFS Security Solution Document (SSD)

• NFS Security Operating Procedures (SyOps)

• Code of Practice issued by the Forensic Science Regulator

4.2. Storage of Data

For the purposes of conforming to the Government Security Classifications (GSC), inputs and outputs from the NFD should be treated as ‘Official Sensitive’ status. Images/personal data retained on the NFS and related records held by the Forensic Units and LEAs, must be managed in accordance with data protection principles. Retention of these records must comply with legislative requirements and the accuracy of the records must be maintained.

Considering Data Protection, there must be allowance for controllers (through processors, as necessary) to:

• Implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, to meet the requirements of the Data Protection Act 2018 (Part 3) and protect the rights of data subjects.

• By default, ensure that only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

It is advisable that the lawful basis for processing the data is logged and recorded.

• Assess the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with Data Protection Act 2018 (Part 3), taking into account the rights and legitimate interests of the data subjects and other persons concerned. This point is specifically pertinent for implementing new technologies, mechanisms or procedures which involve a high risk to the rights and freedoms of data subjects (identified through data protection/privacy impact assessment) – in these the controller or processor must consult the supervisory authority (in this case, the ICO) prior to processing.

4.3. Policy for Access and Use of NFD/NFRC Images

The National Footwear Reference Collection (NFRC) is a catalogue utilised by forces which can be used to identify the pattern code for a footwear mark left at a scene or a footwear impression taken from an item of footwear from an arrestee. The sole patterns on the NFRC each have a unique code number to identify them: in most cases this comprises the name of the manufacturer followed by a sequential number e.g. the 120th Nike pattern to be added would be Nike0120, the 121st would be Nike0121. This enables footwear practitioners and investigators in different forces to be able to refer to patterns encountered at scenes or from footwear of individuals in a common language, facilitating the linking of scenes to scenes, or scenes to individuals.

In order to classify a scene mark or footwear impression as a particular pattern code, it is necessary to have a reference image. These images consist for the most part of prints from shoes taken either in custody or in the laboratory during casework. Only the image of the footwear impression is added to the NFRC. No information about the individual to whom the shoe was attributed is included on the NFRC or retained within the data. The NFRC is only used for this purpose. The images are retained indefinitely as patterns may be reissued by the manufacturer from time to time. Patterns not encountered over time will be archived but still searchable as a reference image to enable the coding of scene marks or footwear impressions without duplication of pattern types. When an archived pattern is encountered again, it is reinstated to the main collection, with all linked data.

Additional information associated with a pattern may also be included, such as images of variations of the sole pattern due to size or country of manufacture, images to demonstrate how the shoe appears as it becomes more worn and images of example uppers associated with the sole pattern; the latter may be taken of footwear in the laboratory during casework, downloaded from websites or taken from manufacturer catalogues. Other associated information may include the range of sizes of shoe the pattern is believed to be available on, the date when the pattern was first encountered and by which LEA, how frequently it has been encountered and the manufacturer’s model name, plus any other information which may provide relevant or useful intelligence.

The NFRC does not hold records of who has worn particular patterns.

Where initial access to the NFRC is sought by a Forensic Service Provider (FSP), and this request is received directly by the IT provider for the NFS, the IT provider must contact FINDS detailing the application – in order that FINDS approval on behalf of Policing can be confirmed and visibility given to the NFFSB. In the same way, where additional NFRC functionality is being sought by an FSP with existing access, such as access to view ‘hit counters’ then the IT provider is to contact FINDS for approval.

The National Footwear Database (NFD) is an intelligence tool and is used to hold records of the patterns encountered at both scenes and on footwear recovered from arrestees or those suspected of involvement in a crime. A pattern code from the NFRC can be allocated to both types and recorded on the system; this can be used to link scenes to scenes, or scenes to arrestees. This pattern code will be recorded against the person/scene on NFD, providing updated frequency data and ensuring that the person/scene will be returned during any future searches for that pattern.

There is currently variation in the format which forces use to add records to the NFD. Some forces upload images of both scene marks and custody impressions to the NFD, some upload only one or the other, and others only record the pattern code and do not upload images.

Once obtained, NFD Images may only be accessed by LEA staff, or parties working on behalf of a LEA (including for the purposes of the international sharing of data). The LEA controller may define specific contractual constraints regarding the access to NFD Images on any third party (e.g. Forensic Unit within an FSP or LEA) acting on their behalf.

On receipt of a footwear image, the Forensic Unit may only access that image to derive the result for the purpose of submitting to, searching against, or comparing against existing results held on the NFD/NFRC or for comparison purposes within the case under investigation.

Items collected/seized by or submitted to a Forensic Unit but not examined are subject to the same principles of retention, storage, and destruction.

4.4. Arrestee footwear impressions and images

To conform to PACE as amended by the Protection of Freedoms Act (2012) (PoFA) requirement, section (63S) in PACE which governs the retention and destruction of impressions of footwear; where a footwear impression has been taken under section 61A of PACE or otherwise is obtained in connection with the investigation of an offence, it must be destroyed unless the retention is necessary for purposes related to the prevention or detection of crime, the investigation of an offence, or the conduct of a prosecution.

In practice, to ensure the necessary periodic review takes place, Management of Police Information (MoPI) is undertaken for the records via applying the relevant College of Policing’s authorised professional practice (APP) for the Review, retention, and disposal (RRD) of policing information and records, with the Police information and records management: code of practice describing the principles in place for England and Wales.

Forces must maintain adequate audit/quality assurance documentation for the RRD schedule in place, and ensure this is available for inspection by relevant external regulatory bodies when requested.

4.5. Crime scene marks/images

Records should be loaded to the NFS that are appropriate (in-line with this policy) and measures to prevent unwittingly loading a record that does not relate to the offender should be taken. As a rule, there should be only one copy of a particular crime scene record held per case reference on the NFD; duplicate records should be avoided.

The NPCC ‘Retention, Storage and Destruction of Materials and Records relating to Forensic Examination’ gives guidance for retention acknowledging Management of Police Information (MoPI) principles for footwear marks/impressions retained in Force.

4.6. Transferring marks/impressions or images between Forensic Units

For footwear purposes, any LEA which accesses and retains printouts of a footwear image/record or Intelligence packages - such as those created on TreadMatch - is responsible for any subsequent destruction.

4.7. Access and Use of Associated Data

The data associated with footwear images and their corresponding records must only be used to:

• Evaluate the result from a search performed against the respective database.

• Confirm the integrity of the records held on the footwear databases.

• Perform tasks associated with the forensic unit’s daily routines.

Controllers and processors must ensure any transfer of subject records complies with legislative requirements. Considering ‘associated data’ (as defined):

• no transfer of data from records deleted from the footwear databases is permitted; and

• any data originally transferred from a subsequently deleted record must also be deleted.

For the National Footwear Database, rectification of inaccurate personal data may be automated through linkage with systems where records are administered by the controller, for example personal data amendments on Niche or Socrates. Similarly, where automated updating is not available, rectification is available through the controller contacting the processor to perform record amendments on their behalf.

The National Footwear Database will have a defined data assurance strategy which aims to identify and resolve inaccurate records. Any records that have breached the privacy of one or more individuals will need to be sent through the organisation’s Data Protection Officer to consider whether the case needs to be reported to the ICO.

Where the footwear database system contains open access case data for operational purposes, for example the usage of the NFS front page as a type of forum to convey information to assist practitioners; appropriate consideration from the user posting the information is required to ensure that the sensitivity, persistence, and alignment to data protection principles is acknowledged.

4.8. Control of Access to the NFS

For the footwear image collections/records held on the NFD, the general principle is that an authoriser of appropriate status within an LEA (Force Administrators) can grant access to staff; the respective database Security Operating Procedures (SyOps) define requirements and restrictions such that the authoriser is of suitable status as to take responsibility for the Organisation’s database user access, and that the staff granted access are deemed competent and have the appropriate access. This appropriate access will be an account which is suitable for the role of the individual within force and be one of the following with the exclusion of the Admin User (which FINDS holds as administrator).

Admin User	This Role grants users Admin rights.
Corvus User	This is the Basic Corvus User Role.
Duty Roster User	Role for Users with access to Duty Roster modules only
External Agency User	This user has a restricted view of the images relating to an item.
NFD Custody User	This gives access to record scans using a scanner in custody, but with no access to the main NFD
NFD Footwear User	This gives access to manage all force level data (including coding and linking)
NFD Force Administrator	This gives access to manage users within a force and perform all force level functions
NFD Intelligence User	This gives access to manage and control events, but not to code or create them
NFD Investigator User	This gives access to search view and extract data, but not to modify it in any way
Practitioner User	This is for a footwear practitioner which can search/upload and use the hit counters
Support User	General Role for Support Staff.

A small number of staff are responsible for the day-to-day management of the Footwear databases and have the relevant access to the system, as appropriate for their role. The designated Information Asset Owners (or responsibility delegated to the controller with respect to footwear) ensures that only staff with a legitimate reason for accessing the databases have access and that their access is regularly reviewed.

Personal data breach

In the case of a personal data breach, the controller must notify without undue delay and, where feasible, not later than 72 hours after having become aware of it, the personal data breach to the supervisory authority (in this case, the ICO) and the NFFSB, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The specifics for an event should be fully detailed and allow the logical decision taken for where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller (processor) can communicate the personal data breach to the data subject without undue delay.

As processor, FINDS responsibilities extend to notification to the controllers of personal data incidents or breaches, and FINDS internal processes are in place to ensure consistent reporting directly to LEAs for standard processing activities and visibility of collated data from these activities given to the NFFSB.

For newly identified issues for NFD record(s) where there is potential for data protection infringement, FINDS are to ensure early contact with the supervisory authority (as the ICO) and/or the Home Office ‘Office of the Data Protection Officer’ (ODPO) to ensure there is an appropriate level of consideration undertaken, to provide guidance for subsequent escalation to the NFFSB and notification to controllers.

4.9. Use of Footwear Database Data for Research

The NFFSB supports, in principle, the use of data for enhancing the criminal justice, academic and public understanding of the use and impact of the National Footwear System (NFS). All requests for accessing data for such purposes must be specifically authorised by the NFFSB. Decisions will be made on a case-by-case basis based on the proportionality, necessity, impact on privacy and perceived value of the proposed research.

Early consideration of the ethical impact of this research is encouraged. It is of note that the Data Protection Act 2018 (Part 3) does not permit access to personal data if it relates to decisions or measures made in relation to a specific data subject or would cause damage or substantial distress.

In order to apply for the use of data to support this principle, research requests should be submitted using form FINDS-F-067 ‘Proposal to Conduct Research and Development using Fingerprint and Footwear Images, DNA Samples, Profiles and or NDNAD, IDENT1 or NFS Data’ with the accompanying Process for Release from the Forensic Information Databases and the National Footwear Database for Research purposes.

The FINDS Unit shall maintain a register of all research applications and the corresponding NFFSB decisions.

4.10. Records and Audits of Access and Use of Footwear Data

FINDS, Forensic Units, and LEAs are required to maintain records/logs and audit their access and uses of data that is processed for storage or searching against the Footwear databases. Such records are to be kept for at least the following processing operations in automated processing systems: collection, alteration, consultation, disclosure including transfers, combination, and erasure.

The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data.

The logs shall be used solely for verification of the lawfulness of processing, self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings.

For NFS purposes, this requirement is primarily achieved through audit logs present within the NFS IT system, with the content of these logs allowing adherence to the Data Protection Act 2018, section 62.

Forensic Units may be required to demonstrate their compliance to this policy by provision of records to the NFFSB, FINDS, and/or the Forensic Science Regulator on request.

4.11. Data Protection Impact Assessment for the NFS

With the operation of the NFD^{[footnote 7]} being in concordance to the type of processing likely to result in a high risk to the rights and freedoms of individuals, there is a requirement under the Data Protection Act 2018 (Part 3) for a data protection impact assessment (DPIA) to be undertaken by the controller. This is an assessment of the impact of the envisaged processing operations on the protection of personal data for each type of processing carried out by a controller, and the DPIA may be compiled by the processor on behalf of the controller. The DPIA must consider the nature, scope, context, and purposes of the processing and must include the following:

• a general description of the envisaged processing operations;

• an assessment of the risks to the rights and freedoms of data subjects;

• the measures envisaged to address those risks; and

• safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

Where the DPIA concludes that the processing would (in the absence of any mitigation) be likely to incur a high risk to the rights and freedoms of data subjects, there would be a need to provide a copy of the DPIA, and any other relevant information, to the Information Commissioner’s Office.

For the purposes of DPIA compilation, FINDS act on behalf of, and only on the instructions of, the (joint) controllers for the databases. On this basis, the overarching approvals for DPIA lie with the Information Asset Owner(s)^{[footnote 8]} for the specific DPIA processing activity. A scheduled review of the data protection impact assessment - instigated within 3 years from the original publication or previous review - should also be undertaken to ensure that there is continued adherence.

4.12. International Agreements/ Footwear data access

For all international agreements relating to the sharing of Footwear Data, including mechanisms such as:

• the direct access to the National Footwear Database and National Footwear Reference Collection;

• an extract of the NFS sent via an automated data feed; or

• access via the Corvus Footwear Platform

there must be initial application to the NFFSB (administered by FINDS on their behalf) for approval prior to any data share taking place.

FINDS will (on behalf of the NFFSB) hold records of any NFD/NFRC international data sharing agreements which have been approved by the NFFSB.

References

Title	Reference / Link
Proposal to Conduct Research and Development using Fingerprint and Footwear Images, DNA Samples, Profiles and or NDNAD, IDENT1 or NFS Data	FINDS-F-067
Process for Release from the Forensic Information Databases and the National Footwear Database for Research purposes	FINDS-S-023

Source Materials

In preparing the overall policy, due regard has been given to certain legal and policy provisions including, but not limited to, the following which are all applicable:

Legal or policy provision

Police and Criminal Evidence Act 1984 (PACE) – particularly Part 5

Criminal Justice and Public Order Act 1994

Criminal Evidence (Amendment) Act 1997

Serious Organised Crime and Police Act 2005

Crime and Security Act 2010

Protection of Freedoms Act 2012

Counter-Terrorism Act 2008

Counter-Terrorism and Border Security Act 2019

Human Rights Act 1998

Data Protection Act 2018 (Part 3)

Freedom of Information Act (FOIA) 2000

The Criminal Procedures and Investigations Act 1996 (CPIA)

Code of Practice issued by the Forensic Science Regulator

NPCC Framework for Footwear Coding

College of Policing’s authorised professional practice (APP) for the Review, retention, and disposal of policing information and records

Police information and records management: code of practice

NPCC Retention, Storage and Destruction of Materials and Records relating to Forensic Examination Guidance V1 - FCN

Table 1 Legal or policy provision for National Footwear Databases

Definitions

Accreditation - third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks. In the United Kingdom (UK) the sole national accreditation body recognised by the Government to assess UK organisations that provide certification, testing, inspection, and calibration services is the United Kingdom Accreditation Service (UKAS).

Associated Data - the information contained on the NFD in relation to retained footwear images. This information identifies the specific offence for which the sampling event was taken and/or the individual to whom the footwear image and its corresponding data relate.

Controller – the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by legislation. Where the controller is working collaboratively with other controller(s), they are designated as joint controllers for the purposes of the Data Protection Act 2018.

Competent authority – organisation which is either listed under Schedule 7 of the Data Protection Act 2018 or that has statutory functions for any of the law enforcement purposes^{[footnote 9]}; UK police forces, Her Majesty’s Revenue and Customs, and the National Crime Agency are listed under Schedule 7.

Data Protection Legislation - For the purposes of this document Data Protection Legislation is defined as:

• Retained Regulation (EU) 2016/679 (United Kingdom General Data Protection Regulation (UK GDPR); and
• the Data Protection Act 2018 which implements the derogations from the GDPR (EU) (Chapter 2 of Part 2), the GDPR applied to processing outside the scope of EU law (Chapter 3 of Part 2), and transposes (EU) 2016/680 the Law Enforcement Directive (Part 3 of the Act). The vast majority of processing of personal data under this Policy is likely to fall under Part 3.
• The Data (Use and Access) Act (on commencement)^{[footnote 10]}

Footwear Data – refers to the footwear images, data derived from those images, and associated data that would allow an individual to be identified from that data, including copies of that data.

Forensic Unit - The term ‘forensic unit’ was coined in the international guidance document (ILAC-G19^{[footnote 11]}) on accreditation. It is defined as “a legal entity or a defined part of a legal entity that performs any part of the forensic science process”.

The Information Commissioner’s Office (ICO) - The Information Commissioner’s Office (ICO) - the ICO is the supervisory authority for Footwear databases processing under Part 3 of the Data Protection Act 2018.

International organisation - an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or based on, an agreement between two or more countries.

Law Enforcement Agency (LEA) – any organisation authorised to take footwear impressions under PACE.

Management Information - information derived from the footwear databases to provide high level trend analysis on the composition of the database (e.g. the number and breakdown of records stored, the number of matches between records held for people and crime scene records); and evaluation of data to show the effectiveness of the NFD.

MoPI - The principles of management of police information (MoPI) provide a way to balance proportionality and necessity for retention of police information and highlight the issues that need to be considered in order to comply with the law and manage associated risks. MoPI is undertaken via applying the relevant College of Policing’s authorised professional practice (APP) for the Review, retention, and disposal of policing information and records, with the Police information and records management: code of practice describing the principles in place for England and Wales.

National Footwear System (NFS) which is comprised of the NFD and NFRC.

National Footwear Database (NFD) – The NFD is an intelligence tool used to hold records of the patterns encountered at both scenes and on footwear recovered from people in custody.

National Footwear Reference Collection (NFRC) – The NFRC is effectively a catalogue which can be used to identify the pattern code for a footwear mark left at a scene or a footwear impression taken from an item of footwear.

NPCC National Fingerprint & Footwear Strategic Board (NFFSB) – Representatives of the National Police Chiefs’ Council (NPCC), the Home Office, the Forensic Science Regulator (or representative), senior representatives of the UK Policing’s fingerprint and footwear communities, representatives from Dstl (Defence Science and Technology Laboratory), Forensic Capability Network and other such representatives the Chair maintains in pursuit of the overall aims and objectives of the group

Personal Data - any information relating to an identified or identifiable living individual (‘data subject’); an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

Processor – means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (other than a person who is an employee of the controller). They must implement appropriate technical and organisational measures that meet the necessary legislative requirements defined in this policy. Processors can be liable for penalties issued by the ICO, or legal claims for damages from data subjects where they have “suffered material or immaterial damage” as a result of an infringement of the processor obligations under the Data Protection Act 2018.

Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Recordable Offence - an offence which must be recorded on the Police National Computer (PNC), and includes:

1. any offence punishable with a term of imprisonment, and

2. a number of non-imprisonable offences have been specified by the Secretary of State (Home Secretary) in regulations as being required to be recorded on the PNC.

(Crime) Scene - a person, vehicle, or location associated with an incident, on or at which may be found evidence to indicate what has happened, when and how, who was involved, and whether a criminal offence may have been committed.

Sensitive Processing – for the purposes of this policy relating specifically to the processing of footwear data, for the purpose of uniquely identifying an individual.

Standard Operating Procedure - a written procedure that describes how to perform certain examination or test activities.

Full Revision History

Issue Number	Issue Date	Summary of changes
1	30/08/22	DCR861 – New Document
2	03/02/23	DCR896 – Updating of terminology (i.e. NFD to NFS), new definition for NFS, and updated responsibilities.
3	27/11/23	DCR1048 – Full Document Review

Appendix I - Law Enforcement Agencies (LEAs) Permitted Access and Use of the NFD/NFRC and Associated Data^{[footnote 12]}

General definitions – LEAs

Territorial Police Forces - England & Wales

Bedfordshire Police

Cambridgeshire Constabulary

Cheshire Constabulary

City of London Police

Cleveland Police

Cumbria Constabulary

Durham Constabulary

Dyfed-Powys Police

Gloucestershire Constabulary

Gwent Police

Hampshire Constabulary

Hertfordshire Constabulary

Humberside Police

Lancashire Constabulary

Merseyside Police

Norfolk Constabulary

North Wales Police

North Yorkshire Police

Northumbria Police

South Wales Police

South Yorkshire Police

Staffordshire Police

Suffolk Constabulary

Surrey Police

Sussex Police

Thames Valley Police

West Mercia Police

West Yorkshire Police

Territorial Police Forces – non-England & Wales

Police Scotland

Police Service of Northern Ireland

States of Jersey Police

Special Police Forces and Other Organisations

British Transport Police

Read only access to NFRC

Cellmark Forensic Services

Key Forensic Services

1. Footwear prints or images taken from a crime scene or from exhibits relating to a scene ↩

2. Footwear prints or images taken from arrestees under section 61A of PACE or otherwise obtained in connection with the investigation of an offence ↩

3. Noting that the NFRC does not contain personal data ↩

4. In accordance with the controllership framework for National Databases set out in the NPCC Joint Controllership Agreement (JCA) for the Processing of Personal Data relating to National Police Chiefs’ Council functions. ↩

5. noting the requirement for periodic review of the need for the continued storage of personal data is mandated by the fifth data protection principle within Part 3, Chapter 2 of the DPA 2018. ↩

6. With the ICO’s anonymisation guidance providing best practice ↩

7. Noting that the NFRC does not contain personal data ↩

8. NPCC lead for Fingerprints and Footwear. ↩

9. The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. ↩

10. As of June 2025 the Data (Use and Access) Bill is pending Royal Assent. ↩

11. ILAC G19:06/2022 Modules in a Forensic Science Process, available at: https://ilac.org/publications-and-resources/ilac-guidance-series/ ↩

12. Organisations with active usage as of June 2025 ↩