ministryofjustice / security-guidance

Security guidance from the MOJ Digital & Technology Cybersecurity team
https://ministryofjustice.github.io/security-guidance/

Request Review of new content on Filming and Photography Policy #324

Open warmanaMOJ opened 2 years ago

warmanaMOJ commented 2 years ago

Hello @cybersquirrel

(FYI @L-Crosby )

Please may I request a review of new content describing the MoJ security stance regarding filming and photography. The content was created with Group Security.

A preview of the current draft may be seen here.

Many thanks.

cybersquirrel commented 2 years ago

One comment I'd have is that a strict interpretation of POLFLM009 would seem to imply that taking a picture out of the window of the view at 102PF with a personal phone is forbidden? Is that the intention?

The second comment is whether POLFLM010 and the subsequent statements are intended to apply to the sorts of uses covered in POLFLM004? For example, taking headshots of people using a corporate device - do you need to seek approval via the form?

Best wishes,

Jon.

warmanaMOJ commented 2 years ago

Hello @cybersquirrel (FYI @L-Crosby )

Many thanks for your comments. We've discussed with Group Security, and offer the following answers.

Regarding the strict interpretation of 009, yes, that is indeed the intent. The risk is that a poorly framed picture unintentionally includes something sensitive inside the building. Taking a picture with a work device would be a business task for business purposes, and therefore the expectation is that the person taking the picture will apply due diligence to sensitive material, just as they would for any other business task. Taking a casual 'snap' with a personal device is much more informal and less likely to be thought through. We've added a note clarifying this point.

Regarding 010, we've added a note that the first time the activity is being performed, the form must be completed, but where the expectation is that the activity will be repeated (for example, taking ID photos for access badge purposes), this repetition is indicated on the form, so that approval is only required once.

cybersquirrel commented 2 years ago

Thanks for the clarification @warmanaMOJ - I am happy to agree to publication based on these points of clarification from Group Security as policy owners, but note some implementation details:

Thanks!

Jon.

cybersquirrel commented 2 years ago

Just checking on the POLFLM010+ statements and the interplay with the earlier POLFLM004 statement - if I am taking a picture of a whiteboard after a meeting with a work device, do I need to apply for permission first (which is what 10+ and your reply imply), or is it already understood as acceptable (which is what reading 004 would make me think)?