Guidance

The Rental Vehicle Security Scheme code of practice

Published 7 April 2026

This guidance explains the Rental Vehicle Security Scheme (RVSS) code of practice and how to apply it across different rental models. It sets out voluntary best practice for rental vehicle operators that aims to reduce the risk of rental vehicles being used in terrorist attacks by promoting a strong security culture across the vehicle rental industry.

Following the RVSS code of practice is not a legal requirement, but the Department for Transport (DfT) recommends it to protect your customers, staff and business from security risks.

Benefits of following the RVSS code of practice

The RVSS code of practice has been developed in collaboration with government departments, the police and industry stakeholders to mitigate the risk of rental vehicles being used in terrorist attacks.

Following this guidance helps reduce security risks and can improve your organisation’s reputation. By adhering to its code of practice, you will:

  • help keep the public safe from vehicle attacks

  • make it harder for rental vehicles to be used in attacks

  • deter potential attackers from using vehicles from your fleet

  • improve your organisation’s security culture and reduce the risk of crime

  • strengthen your professional reputation and corporate social responsibility (CSR) credentials

  • get access to current government security advice and campaigns

How to follow this guidance

To meet the recommended standards, put the security measures outlined by the RVSS code of practice into action every day:

  • create and regularly update a security delivery plan that shows how you are meeting the requirements

  • make sure your business follows the relevant code(s) of practice in its daily operations

You should also consider and apply the RVSS code of practice when:

  • designing policies and processes

  • onboarding and training staff

  • conducting regular internal audits

  • responding to incidents or security alerts

Developing a security delivery plan

Complete a security delivery plan before adopting the relevant code of practice.

Your plan shows how your organisation will meet RVSS code of practice requirements and embed security in day-to-day operations by:

  • explaining how you will put in place and manage security measures

  • identifying risks and the actions that will be taken to reduce them

  • assigning responsibilities, timelines and resources

The code of practice

The table below explains the RVSS code of practice requirements depending on your business model. For full details see the codes of practice in full.

Table 1: RVSS code of practice requirements

| Requirement | Applies to |
|---|---|
| Recognised security contacts | All models |
| Electronic payments only | All models |
| Staff training (including counter-terrorism awareness and fraud prevention) | All models |
| Engage with law enforcement | All models |
| Data protection and GDPR compliance | All models |
| Consistent security standards across operating models | All models |
| Verify driver licence and identity at vehicle handover | Face-to-face rentals |
| Apply extra checks for commercial vehicle hires | Face-to-face rentals |
| Fit security technologies (immobilisers, trackers) | Face-to-face rentals |
| Remove company liveries before resale | Face-to-face rentals, Car clubs |
| Initial registration checks (selfie + licence or DVLA share code) | Car clubs, Peer-to-peer |
| Review customer identity | Car clubs (every 12 months), Peer-to-peer (annually) |
| Verify both host and guest IDs | Peer-to-peer |
| Highlight risks of key collection boxes and recommend secure solutions | Peer-to-peer |

Security delivery plans

What a security plan is

A security plan is a strategic document that sets out how your company will implement and manage security measures to protect assets, systems and data. It should include the actions, timelines, responsibilities, resources and technologies needed to meet the RVSS code of practice.

How to create your security delivery plan

See the GOV.UK page for this guidance for a template that you can use to create your security delivery plan.

Your security plan will show how you plan to:

  • meet (or plan to meet) each requirement

  • record gaps

  • carry out actions

  • authorise sign off

Keep the completed plan for future reference.

Use the National Protective Security Authority (NPSA) guidance on and as well as to help create your plan.

How to meet the requirements

This section explains how to meet the requirements in the RVSS code of practice. Use it alongside the table to understand what each requirement means in practice.

Governance and roles

Appoint a recognised security contact (RSC) and, where practical, a deputy. Make sure they fulfil their responsibilities by:

  • acting as the main point of contact with DfT, law enforcement and relevant national security bodies

  • sharing security material and keeping staff training up to date

  • making sure staff complete checks as outlined in the code of practice

  • making sure liveries are removed from fleet vehicles prior to disposal

Customer verification and payments

Secure payments and identity checks by:

  • accepting electronic payments only

  • recording payment card details and requiring PIN authorisation where possible

  • adapting procedures for third-party payments and ensuring a payment card is provided for verification

  • checking the licence photo matches the person renting the vehicle and recording the driver number correctly

  • using digital checks for online bookings to reconcile licence and payment card information

For detailed guidance on secure identity checks, see identity proofing and verification of an individual.

Staff training and suspicious behaviour

Make sure staff can recognise and respond to suspicious behaviour by:

  • providing up-to-date counter-terrorism guidance

  • training staff in verification procedures and encouraging vigilance

  • giving clear instructions for assessing customer needs and spotting inconsistencies or suspicious behaviour

  • setting up an escalation process for reporting concerns and explaining when to contact law enforcement authorities

  • supporting government counter-terrorism campaigns, such as the ACT campaign, and displaying logos where practical

Free training is available to help staff stay alert and report concerns, including and can support this.

Vehicle security and technologies

Use security technologies to protect your fleet by:

  • fitting security equipment when renewing fleets

  • choosing technologies based on risk assessment and available options

  • cooperating with law enforcement on use of security technologies

Data protection and lawful information sharing

Handle personal data securely and share it only when lawful by:

  • training staff on the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR)

  • sharing data, including rental and customer scheme information, with law enforcement upon request and only when there is a lawful basis, and ensuring all decisions are documented in accordance with data protection requirements

  • keeping records of any data shared with law enforcement

For GDPR training and awareness, see .

Commercial vehicle checks

Apply extra checks when hiring out commercial vehicles by:

  • asking security questions for hires without an operator’s licence

  • before hiring out large commercial vehicles, checking operator licences using the official

  • questioning the purpose for light commercial vehicle hires

  • using the DVLA share code process to verify driver licence details

Branding and disposal

Remove liveries before vehicles are sold or disposed of:

  • remove branding before onward sale

  • confirm completion if removal is done by a third party

Additional guidance for car club and peer-to-peer

Apply these measures as per the relevant code of practice outlined in table 1:

  • apply consistent security measures across all models

  • complete initial registration checks using selfie and licence (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or DVLA share code

  • review customer ID at least every 12 months

  • use secure, tamper-evident key collection boxes, change codes regularly and keep locations discreet

Embedding a security culture

Build a strong security culture across your organisation by:

  • training staff during recruitment

  • defining suspicious behaviour and providing examples

  • encouraging prompt reporting and verification

Free cyber security training is available from the and .

Risk-management support and free-to-use training

The NPSA offers additional helpful resources that may support you in following the requirements of the RVSS code of practice including information on and .

Training and information is also available in the form of , and

The codes of practice in full

The code of practice as it applies to each business model in the vehicle rental sector is detailed below.

Where used, the term customer refers to a person using the service to rent a vehicle.

Face-to-face commercial rentals code of practice

1) Appoint a recognised security contact (RSC) and (where practical) a deputy.

2) Only accept electronic forms of payment.

3) When ‘handing over’ vehicles to customers, undertake driver licence verification checks.

4) Train staff to identify and report suspicious behaviours.

5) Support law enforcement counter-terrorism and communications campaigns.

6) Share data and information with law enforcement agencies where this can be done lawfully and consistently with data protection requirements.

7) Based on assessment of risk and available vehicle technologies, the company should ensure that appropriate security equipment is fitted to vehicles.

8) When ‘handing over’ commercial vehicles to customers, additional security checks should be undertaken.

9) The code recommends that company liveries are removed prior to onwards sale of vehicles.

10) Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) 2018. The company will ensure staff have sufficient training in regard to the DPA and GDPR.

Car club code of practice

1) Ensure a recognised security contact at a senior level of the organisation has overall responsibility for operating in a secure way.

2) Ensure that similar levels of security are maintained across the different business models your organisation operates.

3) Train all staff to identify behaviours that the organisation understands to be suspicious and provide them with a robust means of reporting their concerns to senior managers.

4) The organisation should actively engage with law enforcement and counter-terrorism policing including communication campaigns.

5) Only accept electronic forms of payment and ensure any refunds are paid to the card used to make the original transaction.

6) Comply with all data regulations (GDPR) and share data with law enforcement when asked to.

7) Initial registration should use either the ‘selfie and driving licence’ process (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or the DVLA’s share code.

8) All initial sign-up checks and verifications should be completed before any access to vehicles is given.

9) After the initial sign-up process is completed a review of customer ID should be undertaken at least every 12 months.

10) The removal of liveries prior to the onward sale of vehicles is strongly recommended.

Peer-to-peer code of practice

1) Ensure a recognised security contact at a senior level of the organisation has overall responsibility for operating in a secure way.

2) Ensure that similar levels of security are maintained across the different business models your organisation operates.

3) Train all staff to identify behaviours that the organisation understands to be suspicious and provide them with a robust means of reporting their concerns to senior managers.

4) The organisation should actively engage with law enforcement and counter-terrorism policing including communication campaigns.

5) Only accept electronic forms of payment and ensure any refunds are paid to the card used to make the original transaction.

6) Comply with all data regulations (GDPR) and share data with law enforcement when requested to do so.

7) Initial registration should check both the guest and host ID using either the ‘selfie and driving licence’ process (checked for any discrepancies by a trained employee and/or by the use of proprietary software) or the DVLA’s share code.

8) All initial sign-up checks and verifications should be completed before any access to vehicles is given.

9) After the initial sign-up process is completed a review of active customer ID should be undertaken at least every 12 months – an ‘active customer’ is defined as a P2P customer who has used the service within the previous 12-month period.

10) Highlight to hosts the potential risks associated with the use of a ‘key collection box’.