Digital Evidence: The Forensic Science Regulator's Code and ISO 17025

A square peg in a round hole or a necessary step to ensure evidence credibility? Many digital experts have their views on ISO 17025. But one thing is sure; getting accredited presents a lot of benefits for your lab and clients.

With the new Regulator’s Code, accreditation is no longer an option but a necessity. For you to ensure the credibility of your evidence, and to be statutory compliant, you must turn to the ISO standards.

Both these new standards and accreditation are changing the way digital scientists collect, process, and present evidence.

What is ISO 17025, what is its place in the world of digital forensics, and how can you get accredited? We have all those answers for you below.

What Is the New Statutory Code?

The new statutory code is a set of regulations that govern forensic science activities in England and Wales. This excludes Scotland and Northern Ireland. These two countries have their own forensic science crime investigation standards.

What this means for forensic laboratories is that compliance is mandatory for investigations aimed at solving criminal cases.

The new code will officially come into effect on the 2nd of October 2023. Though it encompasses some ideas embodied in the Forensic Science Regulator CoP v7, there are some notable differences to anticipate. We will dive further into these in the next header.

The Forensic Science statutory code is issued by the Forensic Regulator’s office after section 2 of the Forensic Science Regulator Act 2021.

New Statutory Code Vs. FSR CoP v7

In August 2022, the Regulator published a draft of the Statutory Code which provided the forensics industry with a glimpse of the requirements to come. The House of Lords approved the new Code on 1st of March 2023 under section 3 of the Act.

Since the Code is changing from voluntary to statutory, it has been expanded. This permits it to clarify areas that were only regarded as a scope of operation.

But what are some of the changes to anticipate?

Statutory

The new Code of Practice arising from the Regulator is statutory. This means that all parties involved in Forensic Science Activities (FSA) in Wales and England must comply. The previous code of conduct was not statutory.

This allowed industry participants to decide on compliance. With the new CoP, however, laboratories that are not fully compliant will be required to be compliant.

Management Requirements

The new Act expands on the management requirements all units must meet instead of covering only accreditation requirements. In this section, the FSR Code mandates that forensic units define all roles involved in Forensic Science Activities (FSAs).

This includes roles that have an impact on FSAs. For unit personnel whose roles do not directly affect the FSAs, but are supportive roles, training must be conducted.

Forensic Processes

Another area seeing better clarification is the process and procedure scope. The non-statutory FSR Code provided simple guidelines on processes. For example, we didn’t see much information included when it came to the control of records or personnel competence.

However, the new Code sheds more light on these regulatory areas. An area worth noting is under competence guidelines (Section 28). Here the Regulator has added rules that govern practitioners whose role involves evidence reporting.

Expert Testimony

The Statutory Code has also added more weight to the rules surrounding expert witnesses. The Code further impresses the importance of the impartiality of expert witnesses. But it doesn’t end there.

The Code also clarifies that the expert called to testify should be loyal only to the court. It expands to make demands on these witnesses to have been investigated for competence in their capacity as experts.

This is particularly true for expert witnesses called to share their opinions in criminal trials.

Business Continuity

The Regulator didn’t neglect to outline requirements in the event of business interruption. Though highlighted in the previous Code, the new Code further defines the appropriate courses of action in the event of interruption.

For example, what used to be a three-part section covering the frequency of business continuity assessments, recovery of data, and maintenance of data integrity is now a five-part section.

Under this section, continuity plans are better defined. This includes what the plan should cover and expands on data recovery and integrity preservation. The document also warrants that units have safeguard measures should external legal partners go out of business.

What Is New?

There are several aspects of the soon-to-be-implemented Code that cover areas not included in the previous Code. These areas include:

Senior Accountability Individual

The Code now mandates that forensic units have a senior manager whose role shall be to ensure compliance. This manager shall be the senior accountability individual.

Every unit that has two or more practitioners must appoint a senior accountability individual or SAI. But if a unit has only one practitioner, then that practitioner shall assume the role of SAI.

The SAI will be the point of communication between the unit and the Regulator. In their capacity as SAI, appointed practitioners will be responsible for ensuring data quality including averting quality failures.

The senior accountability individual will be held liable for any action the Regulator takes against the unit.

Every unit must report the contact details and appointment date, and outline the responsibilities of the SAI to the Regulator. And should any of the information change, the unit has 30 days to communicate these changes to the Regulator.

Infrequently Commissioned Experts

Though covered in the FSR-C-100, it was not in-depth. But in the new document, the parameters for infrequently commissioned experts earned an entire section: Section 46.

In the FSR-C-100 regulations concerning these experts, there is a subset of a section discussing a team of experts from other professions. It outlines obligations the experts must meet before participating in a testimonial capacity.

But in the new document, rules about infrequently commissioned experts are more strictly governed.

Some of the rules state that the expert shouldn’t have been called as a witness in any criminal justice system case within the preceding 12 months in the Wales and England territory. Experts are also required to comply with several Acts applicable to the CJS (criminal justice system) like the Criminal Procedure Rules and Criminal Practice Directions.

The Role of ISO 17025 in the Code

The Statutory Code places a significant demand on quality. The majority of the sections in the Code reference standards of quality expected of the Wales and England forensic units and laboratories. The Regulator’s office has the responsibility of upholding these standards.

One of the outlined quality requirements in the Code is compliance with an internationally recognised standard.

For digital forensics, the Regulator continues to suggest the ISO 17025 standards as the most appropriate.

ISO/IEC 17025 in particular exists to regulate global laboratories. This ensures consistency in the results provided. And it enhances global collaboration and international trade.

With ISO 17025, all testing and calibration bodies will have the confidence to trust results from other laboratories regardless of their location around the world.

Why? Because with ISO 17025, labs follow the same standards for testing. These standards help laboratories produce credible results that are globally admissible.

In the Code, ISO accreditation is required from 2nd of October 2023 at 00:01.

How to Achieve ISO 17025 Accreditation

Now that we have outlined the place of ISO 17025 in the Forensic Science Regulator’s Code, let’s explore steps for achieving accreditation.

If you need help with ISO accreditation, we are the team to partner with. Backed by over 40 years of experience, we can help you and your unit develop an accreditation strategy that ensures compliance.

Step 1: Study the ISO Requirements

Before you start your accreditation journey, you must acquaint yourself with the ISO 17025 requirements. To employ ISO, you must know what it means and demands from your unit.

The three focus areas for ISO are:

Quality management
Technical competence
Result accuracy

Gaining an understanding of how the three interact with your organisation will help you know the standards you need and which copy is perfect for your business.

Step 2: Create a Gap Analysis

With the Code becoming mandatory, you will have to review your existing systems to ensure compliance. This will involve an in-depth study of your quality management system or QMS.

Review areas that don’t line up with the required ISO standards. You may need to involve a consultant in this step. Working with a professional consultancy firm like SYTECH can help you create an analysis that encompasses all areas of your operations.

With SYTECH by your side, you can create an accreditation plan that will guarantee you are ISO accredited. We will help you ensure that you don’t miss any standards outlined in ISO 17205 and help you modify any operation that falls short.

Step 3: Employee Training

The third step to accreditation is training. For your ISO standards to succeed, your entire unit will have to be educated in line with the requirements.

You can create PowerPoint presentations for your employees, partner with Sytech, or send your employees to online training.

Step 4: Documentation of the QMS

Regardless of industry, QMS documentation is important. This makes compliance audits easier while also ensuring all parties know their roles.

But for digital forensics, this is vital on your road to accreditation. Not only will it help you know which standards need updating, but the QMS document will be reviewed as part of your application.

Step 5: Audit the QMS

Conducting an internal audit can help you review your QMS before the accrediting body sends an assessor. This will assist you in reviewing your system and reveal areas where it needs improvement. After an internal audit, you may need to redesign some aspects of your QMS.

Step 6: Apply for Accreditation

When your QMS system is in order, your technical competence is verified, and the internal audit is complete, then it is time to apply for accreditation.

You will need to pick an accreditation body to help you conduct the assessment.

The assessor will review your documentation before doing an onsite review. These audits will review your competency in line with the ISO 17025 requirements. The assessor will look into your equipment calibration and proficiency testing.

Benefits of ISO Accreditation

Getting an ISO 17025 accreditation can help your organisation build trust, avoid penalties and enhance trade. Below we review these benefits in greater depth.

Improved International Trade

One of the major benefits of ISO accreditation is that it opens the door to international trade. What this means is that results from an accredited lab in one country can be admissible as evidence in another. This allows for the collaboration of labs in different countries.

Competitive Advantage

Laboratories that are accredited inspire trust among clients. This assures that data is handled with integrity and that testing is conducted by qualified personnel.

Build Trust

ISO 17025 is designed to ensure a management hierarchy in an organisation. This makes a demand on labs to ensure that only qualified personnel handle testing and calibration. Therefore, an accredited laboratory communicates trust to its clients, certifying that qualified employees are the ones handling laboratory operations.

Regulator’s Code Compliance

Implementing ISO 17025 standards within your organisation is one of the best ways to be Statutory Code compliant. The ISO 17025 standards are part of the requirements listed within the new Code, especially for testing and calibrating laboratories.

Your Journey to Accreditation

With the new Statutory Code effective from October 2023, an ISO 17025 accreditation is no longer an option. For every lab and forensic unit within the UK, it is now a must.

When it comes to getting started on your accreditation journey, SYTECH can help. We are the consultancy firm that can support your journey.