Table of contents

Personal mail and parcel delivery policy and procedure

This personal mail and parcel delivery policy applies to all Ministry of Justice (MoJ) employees, contractors, partners and service providers, including those on co-located sites and sites owned by other public bodies. This also includes employees of other organisations who are based in, or work at, MoJ occupied premises.

Agencies and Arms Length Bodies (ALBs) are expected to comply with this corporate framework but may establish their own arrangements tailored to operational needs and should supplement it with local policy or guidance for any business-specific risk.

Objective

Following a review by Government Security Centre People and Physical (GSCPP), it is recommended that the MoJ implements a policy on personal and business deliveries, including prohibiting personal parcel deliveries, to MoJ buildings. This policy prohibits deliveries of personal items to MoJ buildings, to comply with HMG minimum physical standard No.10 on mail or delivery management. For further information regarding this standard, contact mojgroupsecurity@justice.gov.uk.

This provides MoJ employees, contractors, partners and other interested parties with a clear policy on mail deliveries, to prevent attack, damage, or interference (malicious or otherwise) to MoJ assets, and - most importantly - physical harm to MoJ people and the public.

Scope and Definition

For the purpose of this policy, personal deliveries are goods purchased over the internet from online retailers or mail subscriptions that are delivered to an office without a legitimate business need. This policy permits vital work-related courier deliveries to reception, as outlined in the policy statement in this document. Vital work-related deliveries are those required to support a business’s function, or to support a business need. Ordering gifts to be delivered for colleagues who are leaving the organisation, or for a special occasion, are not considered to be a business-related activity.

Context

The growth in online shopping has seen an increase in the number of personal parcels delivered to the office, as a convenient location because of onsite staff on hand to receive deliveries that would otherwise be returned to depot. However, receiving personal parcels in reception diverts reception and security staff from their core duties, and presents a significant vulnerability to the building’s security: the parcel contents are unknown by reception staff. Reception areas are generally within the main fabric of a building and with no separate ventilation or enhanced blast resistant walls, any hazardous substance or explosive device would have a serious impact throughout the building. The MoJ employs off-site mail screening to mitigate against the chances of hostile mail being accepted into MoJ premises.

Couriers often require a receiver to sign a Proof of Delivery document, stating that the parcel arrived in good condition, which risks the MoJ being liable for accepting the package if contents turn out later to be damaged.

Online retailers recognise the needs of their customers of convenience by offering either “Click and Collect” options, or offering parcel collection facilities in convenient locations. This alternative to office-based deliveries is both convenient and reduces the need for staff to carry parcels on their commute home.

Responsibilities

All employees, contractors, partners, service providers, and employees of other organisations who are on MoJ premises and co-located sites remain accountable for the security, health, and safety of themselves, colleagues, and the protection of MoJ assets.

Policy Statements

Items required for a legitimate business need can be delivered to the office, provided reception have been notified by email from a verifiable email account (for example a Civil Service or Government contractor) 48 hours before the parcel is to be delivered, or as soon as practicable in the case of next-day or same-day deliveries. The email notification should provide all of the following information:

  • Estimated date of delivery.
  • Name of Courier.
  • Contact details of the recipient(s), who can sign for the parcel and collect it from reception.

MoJ reception produces a list of scheduled deliveries. Before accepting parcels from the courier, reception confirms who the parcel is for, and that it is a pre-approved delivery. Failure to follow this procedure may result in the need to have the parcel scanned, or it being treated as suspicious and the suspicious package process being adopted; disciplinary action may be taken.

Compliance

The level of risk and potential impact to MoJ information, assets, and people determines the controls to be applied, and the degree of assurance required. The MoJ shall ensure a baseline of physical security measures are in place at each site, and receive annual assurance that such measures are in place to provide appropriate protection to all occupants and assets, and that these measures can be strengthened when required, for example in response to a security incident or a change in the Government Response Level.

The implementation of all security measures must be able to provide evidence that the selection has been made in accordance with the appropriate information security standards ISO27001/27002, physical security advice taken from the Centre for the Protection of National Infrastructure (CPNI), and Government Functional Standard - GovS 007: Security.

The constantly changing security landscape has necessarily dictated that physical security measures be constantly re-evaluated and tested in order to meet new threats and other emerging vulnerabilities. This policy and subsequent supporting standards are subject to annual review, or more frequently if warranted.

Physical security advice

Physical security advice, including specific advice on this guidance, can be obtained by contacting MoJ Group Security: mojgroupsecurity@justice.gov.uk.

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.