How Clue Works

Learn how Clue can help you evolve your investigations

How Clue Works

Overview

Clue is a globally trusted application for investigation and intelligence management, helping investigations professionals across diverse organisations to identify and manage threats, and achieve justice.

Whether you handle intricate investigations or a steady stream of incidents, Clue centralises intelligence sources and offers powerful tools and workflows to help you detect and respond to threats, streamline investigations, and achieve effective outcomes. Our software is fully customisable to meet your specific investigative needs, making it suitable for both experienced users and beginners.

In this guide, we explore Clue’s core components across three pathways: investigations, intelligence, and performance.

Clue paths

Clue offers three clear pathways: investigate, intelligence, and performance, representing common use cases. While your needs may lead you to switch or combine pathways, these guides provide insights into Clue’s core features within typical contexts.

Clue’s pathways are configurable, allowing users to adapt the software to their unique investigative processes and accommodate non-linear investigations.

Investigation Path

The Investigation Path outlines the key phases in the investigative process, spanning from the initial referral to the presentation of the investigation’s outcome.

Refer Phase

In the Refer Phase, we define how information is reported, recorded, and prepared for initial evaluation, assessment, and subsequent development or investigation.

Recording Referrals: Referrals are typically documented in the Information Register, which serves as a permanent log of all received information. Referrals can be made through Automated data capture, Direct data capture, or manual data capture (for more details, refer to the Data Management sections).

Initial Evaluation: During this stage, users conduct initial searches and connect information to new or existing records. The identity of the referral source can be protected and managed through Access Control and dedicated Source management.

Develop Phase

The Develop Phase guides users through a more in-depth evaluation of the referral. It involves several key steps:

Creating Incidents: Users initiate the process by creating an Incident and connecting related information.

Research and Insights: Users perform further research using Insights and Search to identify additional connections. The Connect function facilitates the creation of new links and the application of Link Reasons to existing entities and related records. Users can also expand their investigations by searching data sets beyond Clue, such as geographical information services. The Insights function offers Charting to visualise data connections and Mapping to pinpoint locations on a map.

Recording Information: Users document their findings in Investigator Notes and record decisions on the course of action in the Decision Register. Tasks are assigned using Workflow as needed.

Determining Next Steps: Users decide on the appropriate course of action, which may include opening a formal investigation, determining that no further action is required, or referring the case to relevant third parties while sharing intelligence.

Investigate Phase

The Investigate Phase commences when a decision is made to initiate a formal investigation. This phase involves:

Setting up Investigations: Investigations can be created from scratch or promoted from Incidents. All connected records are automatically brought into the Investigation to enhance security, focus, and structure. The Access Control function is used to assign members to the investigation team.

Recording Investigative Activities: Tasks and Investigator Notes document the progress of the investigation. New records are added, and links to existing records are created, including other related Incidents.

Specialised Registers: The Investigation Register offers a structured way to record Inputs, using the Material and Statement Register. The Events Register can store evidential events such as ANPR, bank transactions, and communications data.

Tracking Lines of Enquiry: Search and Insights functionality is utilised to identify lines of enquiry, both from data gathered during the investigation and data held more broadly in Clue. The Decision Register records new lines of enquiry or excluded ones.

Administrative Activities: Investigation reviews, as well as administrative activities like arrests, court dates, and surveillance, are recorded in Investigator Notes or dedicated Lists.

Supervision and Reporting: Workflow, Insights, and Reporting functions assist managers and supervisors in overseeing and managing investigations. Note that for smaller, less complex investigations, it may be possible to complete the process using an Incident without creating a separate Investigation record.

Present Phase

In the Present Phase, when the investigation reaches the threshold for presenting a case to the relevant authority or sharing information with third parties, the user has several options:

Case File: For presenting a case, Clue provides tools to manage material classification and disclosure, creating a structured output in compliance with the relevant authority’s requirements.

Shared Intelligence: Intelligence can be shared following the UK’s National Intelligence Model. This process allows users to sanitise intelligence, add handling instructions, and disseminate information externally, either by creating a PDF for sending or by sending it directly to another Clue system using the Clue API.

Custom Reports: Users can create customized report templates to generate structured outputs using registered data for specific presentation purposes, such as HR hearings or information sharing.

Intelligence Path

The Intelligence Path outlines the various stages in the lifecycle of intelligence, starting from the initial receipt of information and progressing through evaluation, development, and analysis to identify trends and future risks.

Receive Phase

The Receive Phase is where we collect and capture raw information in the Information Register. This information can come from various sources:

Source Contributions: Information sent by a source, which can be securely managed in the Source Register.

Investigative Discoveries: Information identified through investigative activities.

Intelligence Reports: Assessed information received from third parties.

Assess Phase

The Assess Phase involves the critical evaluation of the collected information to determine its value and authenticity.

Evaluation and Sanitisation: Information is evaluated and, where required, one or more graded and sanitised Intelligence reports will be created.

Search and Linking: Users conduct searches within Clue and often in other databases to establish connections with related records.

Supervisory Evaluation: In larger organisations, draft intelligence reports are typically evaluated by a supervisor or manager. These reports are either authorised or returned to the intelligence officer for further refinement.

Decision Point: Once the intelligence reports have been confirmed, a decision is made to:

  • File: No further action is taken, and the intelligence is stored for future reference.
  • Share: A sanitised intelligence report with handling instructions is created and shared with a third party.
  • Tasking: Decision made for further intelligence development or referral to internal investigation teams.

Develop Phase

The Develop Phase is relevant when intelligence requires further refinement and is likely to involve multiple users working on a relatively complex development. In such cases, it is advisable to group and manage the intelligence development activities, aligning with the Investigate Phase in the Investigation path.
Note: Intelligence dissemination is covered in the Present Phase, as outlined previously.

Performance Path

The Performance Path outlines the Review Phase, which consistently provides reports and analyses of activities and data in both the Investigation Path and the Intelligence Path. The insights gained during the Review Phase are subsequently used in the Prevent Phase to identify opportunities for preventing further misconduct.

Review Phase

The Review Phase guides users through the process of reporting and analysing data to assess performance, make resourcing decisions, discover ways to enhance investigative effectiveness, and identify emerging trends and threats.

Data Analysis: Users can utilise the Insights function to analyse and extract insights from the structured data collected in the Investigation and Intelligence Paths.

Performance Visualisation: Performance and trends can be visualised using Dashboard tools or by exporting data to specialised analysis tools through Data Exchange.

Prevent Phase

The Prevent Phase empowers users to identify opportunities for preventing further wrongdoing, protecting vulnerable parties, and averting future crimes or incidents. Early detection, disruption, robust case presentation, and in-depth investigation analysis are all strategies to prevent misconduct.

Disruption and Robust Case Presentation: This capability is facilitated in the Present Phase through:

  • Sharing Intelligence: Sharing pertinent intelligence with relevant parties.
  • Issuing Sanctions and Notices: Taking actions such as issuing sanctions and notices as preventive measures.
  • Building Case Files: Creating comprehensive case files to support preventative actions.

Clue Visualised

User Functions

Clue users carry out their tasks through Functions, which are reusable blocks of business logic that form the foundation of users’ actions. Clue’s primary functions encompass:

Record
Depending on their permission group, users can add, edit, and delete Records within Registers. Registers are instrumental in organizing and managing data within Clue. For a comprehensive understanding of how data is recorded in Clue, please refer to the Registers section.

Search
The Search function automatically indexes all data within Clue, including text within attachments. This index allows users to search across all accessible data. Search terms support familiar syntax and operators, fuzzy matching, proximity searching, and results can be filtered.
Users can conduct searches in three ways within Clue: Global Search, Quick Search, and from a Register. Clue’s Multi-lingual Support ensures that text in any “alphabet” can be captured, stored, and searched.

Connect
Connect serves as the foundation for establishing relationships and connections between records in Clue. It enables users to create connections to other records through Links. All records within Clue can be linked, and configurable Link Reasons are employed to document the context and rationale for these connections. Links to other records and their context are visible on each record.
Structured Links are employed when specific connections are required. For example, “Given by” in Statement is a pre-configured link to the Person register. Connections can be visualised and comprehended through the Charting feature.

Insights

Clue’s Insights function empowers users to gain a profound understanding of the data held within Clue:

Views: Available on all Registers, Views allow users to create diverse perspectives of the data by specifying the records to include through filtering, column selection, and setting the sort order. Views are updated dynamically as data changes and can be saved and shared with other users. Cross Register Views display linked records, and Views can be exported as CSV files.

Dashboards: Dashboards graphically present the output of Views for further analysis, such as pie charts illustrating referral distribution.
Charting: Charting offers a visual representation and analysis of the relationships between connected data in Clue. Location data stored in Address records can be presented and analysed using mapping tools.

Data Exchange: Data Exchange enables the structured export of data for further analysis in Analyst tools or integration with other datasets, providing broader insights. Available in our Marketplace, the Clue Analytics Connector is an Excel and Power BI connector that allows real-time analysis of Clue data.

Workflow

Workflow empowers Clue users to enhance productivity and ensure that investigations progress in line with local processes:

Tasks: Tasks are used to formally manage work across the investigation lifecycle, providing an additional level of governance by recording and monitoring investigative activities.

Views & Dashboards: Views and Dashboards are utilized to identify changes in state or assignment, such as identifying new, unassigned referrals added in the last 24 hours or tasks allocated to a User or Team that need processing.

Tags: Tags can be applied based on rules to alert users to immediate actions required based on a combination of Review date and Type.

Alerts: Alerts are configured on a team or individual basis to trigger notification to users when a task is assigned and when it is completed.

Guided Workflow: Guided Workflow is applied to manage the dissemination of intelligence reports, ensuring adherence to operational procedures.

Register Workflow: Register Workflow can be used to track and manage investigation progress through fields records. For example, the status field can be updated as an investigation progresses. Conditional Custom Fields can be used to further localize workflow.

Custom Workflows and Automation: Custom Workflows and Automation can be employed to drive interactions with other systems. For example, setting Triggers to share data with the Police National Database (PND).

Access Control
Whether managing small or large cross-functional investigation teams, Clue enables the management of sensitive data by controlling access to Records and Registers.

Permissions Groups: Permissions Groups determine the functions a user can perform. For example, access to the Source Register may be limited to Intelligence Officers only.

Record Permissions: Record Permissions restrict access to individual Records to identified individuals or Teams.

Assess
Clue actively aids users in managing risks by developing a comprehensive understanding of risk and impact, with features to record, assess, and manage actions to mitigate risk throughout the investigation lifecycle.

Assessment Register: This highly configurable tool serves as the primary means for assessing risk, and Workflow can assist users in recording and assessing risk in a structured manner to ensure consistency in decision-making.

Tags: Tags allow users to identify risks associated with specific records, for instance, identifying a person with a history of carrying firearms.

Comply
Clue is structured to guide users in following operational procedures that ensure the integrity and compliance of investigations. It provides an audit trail of activities and actions:

Audit Register: The Audit Register captures all user actions, enabling assurance teams to ensure that processes are followed and monitor user behaviour.

Decision Register: The Decision Register records decisions as well as the policies that justify these decisions, demonstrating that investigations are conducted in accordance with terms of reference or broader governing legislation or rules.

Investigator Notes: Investigator Notes can be used to maintain a running narrative of the investigation and provide a comprehensive operational audit trail.

Report
Clue offers versatile reporting tools to present a wide range of data in structured outputs.

Document Generation: All Registers in Clue have a document generation capability, allowing users to generate MS Word or PDF formatted reports using configured Templates, and embed or attach stored files. This supports various use cases, including:

  • Notice: A notice output arising from the conclusion of an incident or investigation to provide information to a person or persons. For example, sharing information to alert recipients about a new type of threat or vulnerability.
  • Sanction: Similar to a criminal offense, a sanction can be applied to a person as a result of a hearing. For instance, a safeguarding hearing could result in a person being banned from working with children.
  • Learning: A report detailing insights from the outcome of an investigation. For example, when identifying an accident or health and safety risk, the report details any policy or process changes that may prevent a recurrence.
  • Other examples of reports include letters to victims, “be on the lookout” reports, person profiles, or RIPA requests.

Structured Reports: Clue’s Reporting feature provides users with a set of structured reports for common reporting requests, such as an “orphan entity report.”

Clue Registers

In Clue, common record types are organised into Registers, which are instrumental in structuring the information collected during investigations. Each Register serves a distinct purpose and can be further configured to align with an organisation’s specific usage requirements.

Standard Record Layout

Records in Clue adhere to a standardized template that is consistent across all Registers. This template includes Tags, Details, Custom fields, Lists, Tasks, Files, and Links. Records also feature common advanced features:

Record Permissions: These manage access to users or Teams.
Record Properties: This includes a URN, creation and last update timestamps, and the Owner Team.
Field Management: Ensures mandatory data is populated for each record and applies formatting rules. Multiple field types are supported, including free text, dates, dropdown lists, and currency. Field-level validation ensures structured data consistency.
Custom Fields: These can be added to any register to collect specific information and can be conditional based on the value of other fields, enabling users to set up custom Workflows.
Lists: Configurable to each customer, these are used to add lists to records, with Investigator Notes being a common example.

Register Types

Clue is comprised of the following register types:

  • Entities
  • Workspaces
  • Actions
  • Inputs
  • Outputs
  • Entities

Entities

Entities in Clue are singular, identifiable, and distinct objects. These encompass people, places, locations, and more. Clue adheres to the principle of a single record for each entity, also known as a “Golden Nominal,” ensuring that an entity exists only once and can be linked to multiple records, presenting users with a comprehensive view of the entity.

The primary entities in Clue include:

Person: Used to record individuals involved in an investigation, such as victims, suspects, subjects, and witnesses Personal information, such as passport details and aliases, can be added to specific Lists.

Organisation: Used to record organisations related to an investigation, including agencies, companies, as well as informal groups like gangs.

Address: Utilised to store location data.

Communication: Used to store all communication records, such as telephone numbers and social media accounts.

Vehicle: The place to record all vehicle data.

Staff: Used to record personnel involved in managing the investigation process, often Clue users. Staff Entity is deliberately separated from Person to distinguish those involved in managing the investigation from key actors in an investigation. Clue user accounts can be linked to the corresponding Staff record, and the staff register can be used to record employee documents, such as security clearances.

Source: Used to manage sources of intelligence and sensitive information related to the source. Sources can be individuals, organisations, or technical resources (e.g., CCTV feed). Source is typically used by intelligence teams when heightened permissions and controls are necessary, such as protecting the identity of a whistleblower.

Workspace
Workspaces provide the context for activities in Clue, often referred to as a “job,” “case,” “operation,” or investigation. Workspaces are also used to record administrative activities like case reviews, court dates, recurring events, and deadlines.
Clue has three core workspaces:

Incident: Used to assess and develop referrals. As an investigation progresses, an incident can be converted into an investigation as needed, at which point all records linked to the incident are included in a new investigation. Incidents can also manage the complete lifecycle of simple investigations without creating a new investigation.

Intelligence: Used to record, review, and disseminate intelligence in alignment with the 3x5x2 Intelligence Model. Intelligence records contain “intelligence entries” that can be separately graded, recording source evaluation, intelligence assessment, and handling code. Intelligence records can be shared internally or disseminated externally.

Investigation: Provides a structured container for managing resources connected to an investigation. It is designed to accommodate multiple users and has its own record permissions. When a user selects a particular investigation, Clue enters Investigation Mode, displaying only records related to that investigation.

Actions
Actions are the tasks necessary to complete an investigation. They include:

Assessment: Provides flexible templates for structuring risk and other assessments when making decisions. For example, performing a risk assessment as part of an operation to perform a property search.

Decision: Used to record decisions made during an investigation, including decisions in line with related policies or lines of inquiry. It also records key milestones in an investigation, such as decisions related to GDPR and data retention.

Task: Formally manages the work carried out in an investigation and is valuable for recording and monitoring standard activities.

Inputs
Inputs are structured working objects within Clue, used to manage an investigation. They include:
Information: Aids in managing sensitive information received during the Referral and Receive Phases. It provides a safe place to store information in its original form to maintain its integrity throughout the investigative process.

Statement: Provides a structured way to add witness testimony, typically stored as files (PDF, Microsoft Word, audio, or video files). The register includes structured data such as who provided the testimony and when and where it was taken, along with links to referenced supporting evidence.

Material: Provides a structured way to manage evidence and other material collected during an investigation, including when and where it was found, who found it, and links to referenced supporting evidence. An exhibit flag is used to indicate that the record will be exhibited in a case. Material Movements are used to record who handled the evidence and its locations and movements.

File: Attachments are stored and managed as files in Clue, with additional metadata. Files inherit permissions from the record that “owns them” and can be connected to multiple records.

Event: Used to record key events relevant to the investigation, often derived from wider investigation inputs.

Outputs
Outputs offer tools to create structured investigative documents, including:

Case: In Investigation Mode, it provides advanced case-building features, witness and subject management, charge and offense recording, and classification & disclosure tools. Users can create multiple cases from a single investigation.

Intelligence: Records contain one or more “intelligence entries,” separately graded and used to record source evaluation, intelligence assessment, and handling codes. Intelligence records can be shared internally or disseminated externally.

Outcome: Records what happened in an investigation, including outcomes such as monies recovered or sentences imposed, often used for management information.

Data Management

Data management functions in Clue offer a read and write interface to access the information within the system, providing users with a broader dataset for various processes.

Data Capture

Data is captured and recorded in Clue through the following methods:
Manual Data Capture
Users input data and upload files directly through the browser-based Clue application UI.
Automated Data Capture
Clue API is utilised to receive data directly into Clue via integrations with external systems. Integrations can be customer-specific or ‘off-the-shelf’ from the Clue Marketplace.
Direct Data Capture
Clue receives referrals directly into the Information Register using the Whistleblower interface, a configurable module that offers custom forms on web pages. The multi-lingual interface supports anonymised reporting and can be public facing.

Data Exchange

Clue facilitates two-way data exchange with other applications and services via APIs.
Clue API
The Clue API is a REST API that allows data to be transferred into and out of Clue. Customers can consume the Clue API as part of integrations or business processes.

Integrations and add-ons

Users can tailor their Clue configuration with a wide range of add-on Applications, Enhancements, and Services to meet the unique needs of their investigation and intelligence operations.
Clue Applications
Clue Applications extend the capabilities of the core platform, allowing users to add enhanced capabilities.
Clue Confidential Reporting: This provides a web form interface for confidential reporting directly into a Clue register.
Clue Analytics Connector: This is an Excel and Power BI connector to allow real-time analysis of Clue data.
Clue Marketplace
Integrations provide connections to services that enhance workflow and data in Clue.
Clue Postcode Lookup Address: This enables users to look up addresses from postcodes or partial addresses and populate address records.
Clue PND Connector: This provides a connection for Clue users to transfer investigation data to the Police National Database (PND).
Clue CPS TWIF Connector: This is a two-way interface enabling Clue users to submit case files directly to the CPS.

Data Tools

Data & Classification: To meet data retention and deletion obligations, all records in Clue have configurable retention dates. These dates can use default values (e.g., 6 years, 12 months) or be set manually upon record creation. Security Classification can also be applied at the record level.
Onboarding: Clue Customer Services provide tools to assist with data migration when onboarding new users. These tools offer data import and de-duplication capabilities.
Privacy: Clue offers a range of facilities to support user compliance with data privacy regulations. For GDPR compliance, Clue acts as the Data Processor, and the user acts as the Data Controller. As the Data Processor, Clue cannot access customer data without explicit permission.

Configuration Functions

Configuration functions are essential for administering the system, enabling users to carry out their work productively and securely.
User Management
Clue offers identity management functionality for user provisioning, management, and role-based access controls.
Roles & Permission Group Management
Roles can be created through permission groups to determine the system functions a user can access. Users are assigned to a Permission Group, which is configured based on their role, for example, Intelligence Officer.
Teams Management
User Management also serves to create and manage Teams. Teams are used to control record-level access, and users can be assigned to multiple Teams.
Configuration Management
Clue is highly configurable both at deployment and continuously, allowing it to adapt to an organisation’s evolving workflow and processes. Clue provides an array of configuration tools to customise the system to the specific needs of the organisation. This flexibility enables Clue to manage various threats, use cases, and processes while supporting multiple teams within the same organisation.
Settings Management
Settings represent the foundational layer of a customer’s Clue instance configuration and are managed by Clue Support. Settings offer access to specific features through feature flags, define field-level rules (e.g., auto number generation format), and provide endpoint management for integrations.

Related Resources

Book a demo

Book a demo

Find out how Clue can help your organisation.