How the standard concepts fit together:

  • principles: general rules and values that inform the way we work
  • policies: expectations for compliance, security and behaviour in the department
  • standards: requirements that we must comply with
  • patterns: reusable common solutions that help us comply with standards

Guidance can be applied to any part of the framework.

Principles

General rules and values that inform the way we work.

Principles are fundamental guidelines and beliefs that guide, inform, and support the way an organisation fulfils its mission. They should be enduring and rarely changed. In the context of DDT (Digital Data Technology), they help make consistent decisions and align digital, data, and technology activities with business goals.

Principles can be established within different domains and at different levels. For example, the UK Government sets out various design principles for services. A high-level principle like 'design for accessibility' underscores its importance for all service design. This can then be broken down into more specific 'accessibility' principles that guide a team's thinking and decision-making.

Other examples include the UK General Data Protection Regulation (UK GDPR) and Secure by Design, which provide high-level principles on data protection and enhancing cyber resilience in government organisations.

Policies

Statements of intent for compliance, security and behaviour in the organisation.

In Government, 'policy is about delivering change in the real world'. It has intent. DfE's policy profession defines public policy as 'the management of the Government's role in improving the welfare, security and prosperity of the nation.'

Within DfE, and specifically in the context of DDT, policies relate to our responsible use of data and information, digital innovation and the management of technology resources. They set the direction and establish the foundation for governance of DDT services.

Policies provide a framework for decision-making, ethical considerations, and legal and regulatory compliance within the organisation. They define what is expected in terms of compliance, security, and acceptable behaviour within the organisation. They are relatively static, generally only changing when there is a change in regulation or corporate strategy.

For example, a 'Password Policy' (DfE intranet) outlines the rules for creating and managing passwords. A 'Data Lifecycle Policy' (PDF, 248KB, DfE intranet) provides the framework for how teams should consistently handle data throughout its lifecycle journey, to ensure statutory regulations are met.

Standards

Established norms or requirements that we must comply with, to enact policies.

Standards often define products or actions required, and may suggest patterns, processes and components for their implementation.

Standards should be accessible to teams so they can understand and plan for delivery obligations. They are enforceable, meaning compliance can be objectively assessed. Standards must also be actionable, achievable, and ideally driven by policy intent.

New standards are identified and managed through a lifecycle process, with all standards reviewed at least annually. They can be superseded or retired. Typically, standards fall into the following 3 categories based on a hierarchy of needs.

Legal and regulatory obligations

These are non-negotiable.

They are mandated by law. Organisations must comply or face serious consequences.

Examples include ICO policies for the UK GDPR (General Data Protection Regulation) or the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018.

Industry standards

These can be influenced and must be followed, where mandated.

Established by industry bodies and adopted by the organisation, they offer potential for interoperability and resource sharing across organisations. However, they require active monitoring, as they fall outside the organisation's control.

Examples include the Government Service Standard, Technology Code of Practice, Algorithmic Transparency Recording Standard, or ISO 27001 for Information Security Management.

Organisational standards

These are decided internally based on business aspirations.

Examples include the selection of standard technology products to support portfolio consolidation. DfE's technical standards are now stored in 'Find and use a standard'.

Managing these standards requires processes to handle exceptions, grant exemptions, and update them as needed over time.

Patterns

Reusable common solutions that help us comply with standards.

A pattern is a solution that has been useful in one practical context and is likely to be useful in others.

Patterns provide reusable, standardised and proven ways to solve problems. They can either be standards themselves, recommended methods for implementing standard solutions, or components for specific use cases. In short, they describe reusable solutions to common problems.

Patterns guide you on how, when, and why to use components, and what trade-offs to consider. Components are the elements you use.

A 'design pattern' refers to any pattern addressing issues of software architecture, service design, or software development.

Components

A reusable building block.

A component is a modular, self-contained unit or element that can be created once and reused multiple times in different services or business contexts.

Components act as building blocks, usually linked to a business or technical capability, which can be combined to deliver more complex services or systems.

Components are often used in conjunction with patterns. Patterns explain which components to use and how to use them.

Components need to be managed to ensure they are compatible, secure, scalable, and follow the relevant standards and policies within the DDT standards framework.

Processes

A process is a series of related or structured activities that produce an output, which helps achieve a business goal.

Business processes are often shown as a flowchart or a sequence of activities.

The flowchart should help readers understand key decision points and any associated rules, outputs, or sub-processes. An example of a process could be the steps involved in managing incidents or requests within a digital service.

Guidance

Everything else is guidance.

Guidance is organised information that will direct you to the appropriate policies, principles, standards, patterns, components, and processes relevant to your work.

Guidance may be found in a manual, handbook, or playbook.

How these concepts relate to and differ from each other

Scope

Policies and principles are broad and provide overall guidance, while standards and patterns are more detailed.

Mandatory vs. Recommended

Policies and standards are usually mandatory and enforceable, whereas principles and patterns are often suggested best practices.

Flexibility

Principles allow more flexibility and can be interpreted in different ways, whereas standards and patterns provide specific instructions or solutions.

Purpose

Policies set the direction, principles guide decisions, standards ensure compliance, and patterns offer specific solutions.