National Vulnerability Verification Infrastructure™ (NVI™)

SAFECHAIN™  |  NATIONAL VULNERABILITY VERIFICATION INFRASTRUCTURE™  |  NVI™ SERIES

NVI™ — Publication No. NVI-002

CONSENT-BASED VULNERABILITY

VERIFICATION™

The Governance Architecture for Consent, Proportionality, and Lawful Intelligence Sharing

Document Reference: NVI-002

Series: National Vulnerability Verification Infrastructure™ (NVI™)

Series Position: Core Governance Paper — Consent, Proportionality, and Rights Architecture

Foundational Paper: NVI-001 — National Vulnerability Verification Infrastructure™ (read first)

Author: Samantha Avril-Andreassen FRSA

Status: Published — First Edition

Version: 1.0

Date: June 2026

Classification: Public — Institutional and Government Distribution

Publisher: SAFECHAINN Ltd (Company No. 12038453)

Contact: samantha@safe-chain.org  |  safe-chain.org

Executive Summary

Consent-Based Vulnerability Verification™ (CBV™) is the governance framework that makes the National Vulnerability Verification Infrastructure™ (NVI™) legitimate. Where NVI-001 establishes what the NVI™ is and how it is architecturally designed, NVI-002 establishes the conditions under which it may operate — the consent architecture, proportionality standards, lawful sharing framework, verification permissions model, and human rights safeguards that govern every single act of intelligence access within the network.

This paper is one of the most important governance documents in the entire SAFECHAIN™ ecosystem. That assessment is not rhetorical. The NVI™ is a national infrastructure that will hold the most sensitive safeguarding intelligence about the most vulnerable people in the United Kingdom. Its legitimacy — legal, ethical, and in the eyes of the people it serves — depends entirely on the rigour, transparency, and rights-preservation of the framework that governs how that intelligence is accessed, shared, and used. A network without this framework is not a safeguarding infrastructure. It is a liability.

The CBV™ framework resolves a tension that is fundamental to safeguarding governance: the tension between the imperative to share intelligence to protect vulnerable people and the fundamental right of those people to control information about themselves. This tension cannot be resolved by privileging one value absolutely over the other. Absolute privacy prevents protection. Unconstrained sharing violates rights and destroys trust. The CBV™ framework resolves the tension by designing the conditions — the precise, governed, accountable conditions — under which sharing serves protection without sacrificing rights.

This paper covers: the introduction and position of CBV™ within the NVI™ five-layer model; the theoretical foundation for consent governance in safeguarding contexts; the governance principles that are specific to consent and rights; the four-tier consent architecture; the implementation framework for consent governance across the NVI™; the operational model for consent in practice; the strategic applications of CBV™ in complex multi-sector scenarios; the policy implications for data protection law, human rights compliance, and institutional practice; and the conclusion.

1. Introduction

1.1 CBV™ Within the Five-Layer Infrastructure Model

The NVI-001 five-layer infrastructure model defines the architectural layers of the NVI™: Intelligence Generation (Layer 1), Verification (Layer 2), Exchange (Layer 3), Accountability and Traceability (Layer 4), and Predictive Integration (Layer 5). The CBV™ framework defined in this paper does not sit within a single layer. It governs all five. Consent architecture is embedded in Layer 1 — in the CIF™ consent metadata fields that must be completed before intelligence is submitted for verification. It governs Layer 2 — verification is itself a data processing act requiring a lawful basis. It governs Layer 3 — the Exchange Protocol Engine™ (EPE™) runs consent validation as its third mandatory governance step before any intelligence is released. It governs Layer 4 — every accountability record includes the consent basis applied to the exchange event it documents. And it governs Layer 5 — predictive intelligence can only be generated from intelligence whose consent basis covers the analytical purpose for which it is being used.

This total integration of consent governance into every layer of the NVI™ architecture is not an administrative requirement — it is a design principle. NVI-001 Principle 2 establishes that consent is architecture, not procedure. This paper is the detailed specification of that principle: what consent architecture means in practice, how it is designed, what it requires from institutions, and what it guarantees for individuals.

1.2 The Non-Weaponisation Imperative

Before setting out the CBV™ framework, this paper states its most important protection explicitly: the NVI™ and the intelligence within it must never be used as a tool of control, coercion, or harm against the individuals whose protection is its purpose. This is the Non-Weaponisation Imperative — and it is the ethical foundation on which every element of the CBV™ framework rests.

Perpetrators of domestic abuse, coercive control, and economic abuse must have no access to NVI™ intelligence about their victims. Institutions using NVI™ intelligence to justify decisions that restrict, control, or harm vulnerable individuals rather than protect them are in fundamental breach of NVI™ participation obligations. The consent framework must be designed to prevent access by those who would use intelligence for harm — and the accountability architecture must be designed to detect and respond to institutional misuse.

The Non-Weaponisation Imperative is not assumed to be self-enforcing. It requires specific design features: access controls that exclude known perpetrators from intelligence about their victims; governance processes that detect patterns of institutional misuse; and an independent reporting mechanism through which individuals can raise concerns that their NVI™ intelligence is being used against rather than for them.

2. Theoretical Foundation

2.1 Why Consent Is Complex in Safeguarding Contexts

Consent in safeguarding contexts is not the same as consent in commercial data processing contexts. In commercial contexts, consent is typically a straightforward transaction: a person is presented with information about a proposed data use, they agree or decline, and the decision is respected. In safeguarding contexts, the environment in which consent decisions are made is structurally different — and the CBV™ framework must reflect that difference.

First, the person giving or withholding consent in a safeguarding context may have had their autonomy systematically violated through abuse, coercion, and control. A domestic abuse survivor's capacity to make free decisions about information sharing has been compromised by the dynamics of her relationship — her abuser may have controlled what she disclosed to institutions, monitored her communications, and used previous disclosures against her. A consent framework that treats her decision-making as free when it has been structurally constrained is not respecting her autonomy — it is using the language of autonomy to impose a model of decision-making that does not reflect her reality.

Second, the intelligence that safeguarding institutions hold about vulnerable people is frequently generated through statutory duties that do not themselves require consent. Police intelligence, child protection records, and court documents are generated in the exercise of statutory powers. A consent framework that requires individual consent for the use of all such intelligence would effectively prevent the NVI™ from functioning in precisely the high-risk cases where it is most needed. The CBV™ framework addresses this through its tiered consent architecture — which acknowledges the full range of conditions under which safeguarding intelligence is generated and defines appropriate governance for each.

Third, the person whose consent is sought may not have the capacity to give or withhold it — through mental incapacity, age, or the impact of trauma. The CBV™ framework's substituted consent tier and its emergency sharing provisions address these circumstances without abandoning the principle that intelligence sharing requires a governed basis that protects the individual's fundamental interests.

2.2 The Rights Tension and Its Resolution

The fundamental rights tension in NVI™ governance is between two sets of positive state obligations under the Human Rights Act 1998. Article 2's positive obligation to protect the right to life, and Article 3's prohibition of degrading treatment, require the state to take reasonable steps to protect individuals from serious harm — including through effective intelligence sharing among safeguarding institutions. Article 8's right to respect for private and family life requires the state not to interfere with that right except where the interference is lawful, necessary, and proportionate.

In domestic abuse contexts, both obligations apply simultaneously to the same person. The state has an obligation to protect her life — which may require sharing intelligence about her risk across institutional boundaries. And the state has an obligation to respect her private life — which constrains how that sharing occurs. The CBV™ framework resolves this tension not by choosing between the obligations but by designing the specific conditions under which both can be honoured: sharing that is consent-informed, proportionality-governed, accountability-anchored, and rights-preserving at every step.

2.3 The Data Protection Architecture

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 provide the statutory framework within which the CBV™ operates. The primary processing basis for NVI™ intelligence exchange is Article 9(2)(g) UK GDPR — processing necessary for reasons of substantial public interest, with a basis in law, proportionate to the aim pursued, respectful of the essence of the right to data protection, and providing specific and suitable measures to safeguard the fundamental rights and interests of the data subject.

The substantial public interest basis is clearly established by the safeguarding purpose of the NVI™. The basis in law is provided by the NVI™ enabling legislation defined in Phase 1 of the implementation framework (NVI-001, Section 5). The proportionality requirement is met by the CBV™ proportionality framework. And the specific and suitable measures requirement is met by the CBV™'s consent architecture, individual rights regime, accountability governance, and the Non-Weaponisation controls.

3. Governance Principles Specific to CBV™

The ten NVI™ governance principles established in NVI-001 apply throughout the NVI™. The CBV™ framework adds five principles specific to consent and rights governance — principles that apply with particular force to every element of the consent and sharing architecture.

CBV™ Principle 1: Consent Is Relational, Not Transactional

Consent within the CBV™ framework is not a one-time transaction completed at the point of engagement. It is a relational governance process — one that is initiated, developed, reviewed, renewed, and, where necessary, withdrawn across the full duration of a person's engagement with the NVI™. The institution that obtains consent at intake has not discharged its consent obligation; it has begun it. Consent must be reviewed whenever the purposes, scope, or institutions covered by sharing change materially; when the person's circumstances change in ways that may affect their consent decision; and at defined intervals regardless of material change.

CBV™ Principle 2: Capacity Is Assessed, Not Assumed

The CBV™ framework does not assume that any individual has or lacks the capacity to give or withhold consent. Capacity is assessed — using the Mental Capacity Act 2005 best interests framework where relevant — and the consent tier applied reflects the outcome of that assessment. Assumptions of incapacity based on diagnosis, age, or cultural background are not acceptable. Assumptions of capacity based on verbal assent without genuine assessment of understanding are equally not acceptable.

CBV™ Principle 3: Refusal Is Respected Unless Override Is Justified

Where a person refuses consent to NVI™ intelligence sharing, that refusal is respected unless one of the defined Statutory Override criteria is met. Refusal is not treated as a barrier to overcome or a problem to manage — it is a legitimate exercise of individual autonomy that the NVI™ is designed to respect. Where refusal creates a safeguarding risk, the institution's obligation is to address that risk through consent-respecting means before considering whether Override criteria are met.

CBV™ Principle 4: Sharing Is Earned, Not Entitled

No institution is entitled to access NVI™ intelligence by virtue of its participation status. Access to intelligence about a specific individual must be earned through the governance process — authentication, authorisation, consent validation, proportionality assessment — for every exchange event. Participation status grants the right to seek access; it does not grant access itself.

CBV™ Principle 5: Transparency Is Continuous

Individuals whose intelligence is within the NVI™ have a right to continuous transparency about how it is being used. This is not satisfied by an initial disclosure at the time consent is obtained. It requires ongoing transparency mechanisms — access to their own IAR™ record, notifications of material access events, and clear, accessible information about the network's operation — that keep the person informed about their intelligence throughout its lifecycle within the NVI™.

4. The Four-Tier Consent Architecture

The CBV™ consent architecture is structured in four tiers, each reflecting a different condition under which safeguarding intelligence sharing may occur. The tiers are not a hierarchy of preference alone — they are a governance framework, each with defined applicability criteria, quality requirements, and accountability obligations. The highest applicable tier is always used; lower tiers are applied only where higher tiers cannot be achieved and the criteria for the lower tier are clearly met.

Tier

Name

Applicability

Key Requirements

Tier 1

Active Informed Consent

The person has capacity, has been fully informed, and can freely choose.

Specific, informed, freely given, unambiguous, affirmative act. Documented in Consent Record. Reviewable and withdrawable.

Tier 2

Informed Non-Objection

Full active consent cannot be obtained but the person has capacity and opportunity to decline.

Proactive, accessible information provision. Clear, easy objection mechanism. Documented assessment of why Tier 1 was not achievable.

Tier 3

Substituted Consent

The person lacks capacity to consent or withhold consent.

MCA 2005 best interests assessment. Substitute decision-maker identified and documented. Regular review. Capacity reassessment at defined intervals.

Tier 4

Statutory Override

Serious, imminent risk that cannot be addressed through consent-based means.

Override criteria formally documented. Immediate IAR™ recording. Notification to individual as soon as safe. Independent review within 28 days. Oversight Body notification within 72 hours.

4.1 Tier 1: Active Informed Consent — The Standard

Tier 1 is the CBV™ framework's preferred and highest-quality consent tier. It represents the fullest expression of individual autonomy within the NVI™ — the condition in which a person has been genuinely informed, genuinely understood, and genuinely chosen. Achieving Tier 1 is not always possible, but it must always be the first objective. Institutions that consistently fail to achieve Tier 1 when it should be achievable — because they have not developed trauma-informed consent engagement approaches, have not provided information in accessible formats, or have not invested in the practitioner skills required — are in breach of their CBV™ obligations regardless of which lower tier they apply.

The five UK GDPR consent quality requirements apply in full to Tier 1: freely given (no conditioning on service access), specific (defined purposes, institutions, and intelligence categories), informed (genuine understanding, not mere information receipt), unambiguous (affirmative act, not inferred from silence), and withdrawable (effective withdrawal mechanism, withdrawal without detriment). The Consent Record documenting Tier 1 consent must evidence each of these five requirements — not merely assert that consent was obtained.

4.2 Tier 2: Informed Non-Objection — The Transition

Tier 2 applies in the space between full active consent and its absence — where the person has capacity and opportunity but where the dynamics of their situation make Tier 1 genuinely unachievable rather than merely inconvenient to pursue. It requires that the institution has made a proactive, accessible, trauma-informed effort to provide the person with information about the proposed sharing and a clear mechanism to object. It requires that the failure to achieve Tier 1 is documented and assessed — not simply noted — and that the specific reasons Tier 1 was not achievable are recorded in the Consent Record.

Tier 2 is not a default for situations where the institution has not tried hard enough for Tier 1. It is a genuine governance tier for situations where Tier 1 has been genuinely pursued and genuinely not achieved. The distinction between these two situations is assessed in the NVI™ Oversight Body's annual compliance review — institutions with high Tier 2 rates and low evidence of Tier 1 pursuit are subject to capability development obligations under the Institutional Trust Framework™ (NVI-005).

4.3 Tier 3: Substituted Consent — The Protection

Tier 3 protects the intelligence rights of individuals who lack capacity to exercise those rights directly. The Mental Capacity Act 2005 best interests framework applies: the substitute decision-maker — whether a court-appointed guardian, a lasting power of attorney holder, an Independent Mental Capacity Advocate, or a local authority representative — must act in the best interests of the person, not in the interests of the institution or the wider safeguarding system. Where the person's best interests are genuinely unclear, the default position of the CBV™ framework is to share the minimum intelligence necessary to prevent serious harm and no more.

Tier 3 requires regular review: capacity is not a fixed condition, and the CBV™ framework requires that capacity assessments are repeated at defined intervals and whenever the person's circumstances change in ways that may affect capacity. Where capacity is restored, the framework moves immediately to Tier 1 or Tier 2 as appropriate.

4.4 Tier 4: Statutory Override — The Last Resort

Tier 4 is the CBV™ framework's recognition that there are circumstances in which the safeguarding imperative must prevail over the consent framework — but it frames this recognition as a last resort, not a convenience. The Override criteria are narrow: imminent risk of serious physical harm, risk to life, or a defined public safety ground that cannot be addressed through consent-respecting means within the time available. Administrative convenience, institutional resource constraints, and practitioner discomfort with consent conversations are not Override criteria.

Every Tier 4 Override triggers a cascade of accountability obligations: immediate IAR™ recording of the Override decision, the criteria applied, and the intelligence shared; notification to the NVI™ Oversight Body within 72 hours; notification to the individual as soon as it is safe to do so; and independent review of the Override decision within 28 days by the NVI™ Operations Centre, with the review findings reported to the Oversight Body. Institutions that rely disproportionately on Tier 4 — particularly in non-acute contexts — are subject to the enhanced oversight provisions of the Institutional Trust Framework™.

5. Implementation Framework

5.1 Consent Infrastructure Requirements

Implementing the CBV™ framework requires institutions to develop and maintain four elements of consent infrastructure. The first is the Consent Record system: an institution-level information management system capable of creating, storing, reviewing, and auditing Consent Records for every individual whose intelligence enters the NVI™. Consent Records must include all elements defined in the CBV™ standard — consent tier, information provided, purposes and institutions covered, review date, conditions and limitations, and withdrawal mechanism — and must be accessible to both the institution and the individual.

The second is accessible information provision: the institutional capacity to provide NVI™ information to individuals in formats and languages appropriate to their circumstances. This includes: translated materials in the languages spoken by the institution's service user population; Easy Read formats for people with learning disabilities; trauma-informed communication approaches that recognise the impact of abuse on information processing; and digital and non-digital alternatives for people with limited online access.

The third is practitioner consent engagement capability: the trained capacity of frontline practitioners to have genuine, trauma-informed consent conversations with the people they serve. Consent engagement is a practitioner skill that requires specific training — it cannot be reduced to providing a form and obtaining a signature. The SAFECHAIN™ MØPIT™ programme includes specific consent engagement modules that build this capability within the broader recognition and vulnerability assessment training framework.

The fourth is withdrawal infrastructure: effective, accessible mechanisms through which individuals can withdraw their consent for NVI™ sharing at any time, without detriment to their access to services, and with immediate effect on future sharing decisions. Withdrawal infrastructure must be as easy to use as consent infrastructure — if withdrawal requires more effort than consent, the CBV™ framework's withdrawability standard is not met.

5.2 The Lawful Sharing Framework

Every act of NVI™ intelligence sharing requires a documented lawful basis under UK GDPR. The CBV™ framework defines six lawful bases applicable within the NVI™, each with defined conditions and accountability requirements:

Legal Basis

Article

NVI™ Application Conditions

Substantial public interest

Art. 9(2)(g)

Primary basis. Applies where sharing is necessary for the safeguarding purpose, meets proportionality standards, and is grounded in the NVI™ enabling legislation.

Explicit consent

Art. 9(2)(a)

Applies where Tier 1 Active Informed Consent has been obtained. Highest quality basis; preferred where achievable.

Vital interests

Art. 9(2)(c)

Applies in acute Tier 4 Override situations where the person cannot consent and sharing is necessary to protect life.

Legal claims

Art. 9(2)(f)

Applies to accountability tracing records used in regulatory enforcement, legal proceedings, or public inquiry contexts.

Preventive / social protection

Art. 9(2)(h)

Applies to healthcare and social care participants sharing clinical and social care intelligence for preventive safeguarding purposes.

Research (anonymised)

Art. 9(2)(j)

Applies where anonymised, aggregated NVI™ intelligence is used for safeguarding research under GDPR research exemptions. Requires separate governance approval.

5.3 Proportionality Assessment — The Four Dimensions

Every NVI™ exchange event requires a real-time proportionality assessment documented in the IAR™ record before intelligence is released. The CBV™ proportionality framework covers four dimensions, each of which must be satisfied independently — satisfying three of the four is not sufficient:

•       Scope proportionality: Is the category and extent of intelligence to be shared the minimum necessary for the identified safeguarding purpose? The assessment must identify specifically why each category of intelligence included in the exchange is necessary, and specifically why intelligence not included is not necessary.

•       Institutional proportionality: Is access being granted only to institutions with a direct, current, and active safeguarding responsibility relevant to the sharing purpose? Access is not granted to institutions with historical, speculative, or administrative interest in the intelligence.

•       Temporal proportionality: Is the duration of access limited to the minimum period necessary for the safeguarding purpose? Access is not granted indefinitely — every exchange event has a defined access period, with renewal requiring a fresh proportionality assessment.

•       Risk proportionality: Is the privacy intrusion involved in sharing proportionate to the safeguarding risk being addressed? Minor, well-managed risks do not justify comprehensive intelligence disclosure. Severe and imminent risks — particularly where Tier 4 Override is engaged — may justify broader sharing than would normally be proportionate, but the expanded scope must still be documented and limited to what the risk genuinely requires.

6. Operational Model

6.1 Consent Governance in Practice

The CBV™ framework operates continuously throughout the NVI™ intelligence lifecycle defined in NVI-001, Section 6. At the point of intelligence generation, the practitioner completes the CIF™ consent metadata fields — recording the consent tier, the lawful basis, the consent record reference, and the purposes and institutions covered by consent. These fields are mandatory; intelligence without completed consent metadata does not pass Layer 1 pre-submission screening.

At the point of verification, the verifier assesses Domain 4 of the VVS™ (Audit Standards, as defined in NVI-004) — which includes the consent documentation standard. Intelligence without NVI-002-compliant consent documentation fails the verification domain and is returned for remediation before verification can proceed. The Verification Certificate issued to passing intelligence includes a consent compliance flag — confirming that the intelligence has been assessed as having an adequate consent basis.

At the point of exchange, the EPE™ governance sequence includes consent validation as its third mandatory step. The EPE™ accesses the Consent Record referenced in the intelligence's CIF™ metadata and verifies that the consent tier, scope, and institutional coverage extend to the requesting institution and the stated purpose of the request. Where consent does not extend to the exchange requested, the EPE™ returns a Consent Query — triggering a consent engagement process rather than simply blocking access. The Consent Query gives the institution the opportunity to resolve the consent issue before access is granted, recognising that consent gaps are often addressable rather than permanent.

6.2 The Consent Engagement Process

Where the EPE™ returns a Consent Query, the requesting institution has three governance options. First, it may initiate a consent engagement process with the individual — providing them with information about the proposed sharing and seeking the appropriate tier of consent. This is the preferred option and must always be the first step where the individual's circumstances allow it. Second, where consent engagement is not immediately possible — due to the individual's unavailability, the urgency of the safeguarding need, or the nature of the individual's circumstances — the institution may request a Consent Hold: a defined period during which access is held while consent engagement is pursued. Third, where the urgency of the safeguarding need meets the Tier 4 Override criteria, the institution may invoke Override — subject to all Override governance obligations.

The Consent Engagement Process is designed to be supportive rather than bureaucratic. The NVI™ Operations Centre provides institutional support for complex consent situations — including guidance on trauma-informed engagement approaches, accessible information formats, substitute consent assessments, and Override criteria application. The objective is to achieve the highest possible tier of consent for every exchange event, recognising that consent is a relational process that benefits from institutional support.

6.3 Consent Withdrawal in Practice

When an individual withdraws their consent for NVI™ sharing, the withdrawal is recorded immediately in the Consent Record and transmitted to the NVI™ Operations Centre. The Operations Centre updates the EPE™ governance parameters for that individual's intelligence within 24 hours — removing the consented basis for future access. Any future access requests for that individual's intelligence are returned with a Consent Withdrawn flag, triggering either a new consent engagement process or an assessment of whether an alternative lawful basis applies.

Withdrawal does not remove past sharing from the IAR™ record — the accountability history of prior exchange events is maintained. Withdrawal does not necessarily remove the intelligence from the network — it removes the consented access basis, but where an alternative lawful basis (such as vital interests or the substantial public interest basis) applies, access may continue under that basis subject to the proportionality assessment. Withdrawal does remove the institution's ability to access intelligence under a consent basis — making explicit that future access requires either a renewed consent engagement or a documented alternative lawful basis.

7. Strategic Applications

7.1 Complex Domestic Abuse Cases

The CBV™ framework's most significant strategic application is in complex domestic abuse cases involving multiple institutional actors, multiple consent considerations, and the specific dynamics of coercive control. In these cases, the survivor may have been conditioned by her abuser to distrust institutions, to withhold information, and to fear the consequences of disclosure. A consent framework that does not account for these dynamics will either fail to obtain the consent needed for effective intelligence sharing, or will obtain consent in conditions that make it less than genuinely free.

The CBV™ framework responds to this through its trauma-informed consent engagement approach — recognising that genuine consent in coercive control contexts requires more than information provision; it requires the building of institutional trust, the provision of safety and confidentiality guarantees that the survivor can rely on, and the recognition that consent decisions may change over time as the survivor's safety and autonomy develop. Institutions engaging in consent conversations in domestic abuse contexts are required to complete the SAFECHAIN™ trauma-informed consent engagement training module as a condition of participation.

7.2 Children and Young People

The CBV™ framework's application to cases involving children and young people requires specific attention to age, capacity, and the relationship between parental responsibility and the child's own developing rights. Children under 16 may have capacity to consent or withhold consent for intelligence sharing about themselves — particularly older adolescents — and the CBV™ framework requires that their capacity and wishes are assessed and respected within the framework of the Children Act 1989 and the Fraser guidelines. Where parents or guardians exercise consent rights on behalf of a child, those rights must be exercised in the child's best interests, not in the interests of the adult exercising them.

The specific risks arising where a parent or guardian may be the source of harm — where parental consent for sharing is sought in a context where the parent is the abuser — are addressed through the CBV™ framework's Non-Weaponisation controls: specific access controls prevent parental consent from being used to access intelligence about child protection concerns that the parent's own behaviour has generated.

7.3 Cross-Jurisdictional Consent

Where NVI™ intelligence sharing involves institutions in different jurisdictions — England, Wales, Scotland, Northern Ireland, or international partners — the CBV™ framework's consent architecture must be applied to the legal framework of each jurisdiction. The NVI™ operates primarily within the England and Wales legislative framework, but its intelligence may be relevant to safeguarding proceedings in other jurisdictions. The NVI-007 cross-jurisdictional architecture paper defines the specific consent governance for these situations. The CBV™ framework's core principles apply throughout — but the specific legal bases, consent mechanisms, and proportionality standards may differ.

8. Policy Implications

8.1 Data Protection Law Reform

The CBV™ framework identifies three areas where UK data protection law would benefit from clarification or reform to support NVI™ operation. First, the Information Commissioner's Office should issue specific guidance on the application of Article 9(2)(g) UK GDPR to NVI™-style multi-institutional safeguarding intelligence exchange — providing institutional clarity on the conditions under which the substantial public interest basis is available and the safeguards it requires. Second, the Data Protection Act 2018's Schedule 1 conditions for substantial public interest processing should be reviewed to ensure they are sufficiently specific to provide a clear statutory basis for NVI™ data processing. Third, the ICO's codes of practice on information sharing and law enforcement should be updated to reflect the NVI™ governance architecture and the CBV™ framework's consent standards.

8.2 Human Rights Compliance

The CBV™ framework's human rights architecture — its consent governance, proportionality standards, individual rights regime, and accountability mechanisms — is designed to meet the test of Convention compliance under the Human Rights Act 1998. Government legal advisers, the Equality and Human Rights Commission, and the Joint Committee on Human Rights should be engaged in the review of NVI™ enabling legislation to ensure that the legislative framework fully reflects and embeds the CBV™ framework's human rights protections. The JCHR's scrutiny of the NVI™ legislative programme is not an obstacle to implementation — it is a quality assurance mechanism that strengthens the framework's legitimacy and durability.

8.3 Institutional Practice

For institutions preparing for NVI™ participation, the CBV™ framework's most immediate policy implication is the need to audit and develop their existing consent governance practices. Most safeguarding institutions have information sharing agreements and data protection policies — but few have consent governance frameworks of the depth and rigour that the CBV™ requires. The CBV™ institutional audit should cover: the existence and quality of Consent Record systems; the accessibility and quality of information provision for service users; the consent engagement training of frontline practitioners; the accessibility and effectiveness of withdrawal mechanisms; and the integration of consent governance into existing safeguarding practice frameworks.

9. Conclusion: Consent as the Architecture of Trust

Consent-Based Vulnerability Verification™ is not a compliance requirement imposed on the NVI™ from outside. It is the governance architecture that makes the NVI™ trustworthy — and trustworthiness is not optional for a national safeguarding intelligence network. It is the condition without which the network cannot function effectively, because institutions will not participate in a network they do not trust to handle intelligence responsibly, and individuals will not engage with institutions they do not trust to respect their rights.

The CBV™ framework earns trust through design — through the four-tier consent architecture that respects individual autonomy across the full range of safeguarding circumstances; through the proportionality framework that constrains sharing to what protection genuinely requires; through the lawful sharing framework that anchors every exchange event in a documented legal basis; through the individual rights regime that preserves the person's control over their own intelligence throughout its lifecycle in the network; and through the Non-Weaponisation Imperative that ensures the infrastructure designed to protect the vulnerable cannot be turned against them.

The NVI™'s power lies in its intelligence. Its legitimacy lies in its consent governance. NVI-002 is the paper that makes the power legitimate — and legitimacy durable.

This paper is NVI-002 in the National Vulnerability Verification Infrastructure™ series. It should be read following NVI-001, which establishes the foundational architecture, terminology, and governance model that this paper builds upon. Cross-references are maintained in the SAFECHAIN™ Master Publication Register™.

COPYRIGHT NOTICE

© 2026 Samantha Avril-Andreassen. All rights reserved.

SAFECHAINN Ltd (Company No. 12038453).

SAFECHAIN™, National Vulnerability Verification Infrastructure™ (NVI™), Safeguarding Intelligence Series™ (SIS™), Vulnerability Intelligence Framework™, Recognition Intelligence™, Continuity Intelligence™, Vulnerability Intelligence™, Accountability Intelligence™, Predictive Safeguarding™, Consent-Based Vulnerability Verification™, National Safeguarding Intelligence Exchange™, Vulnerability Verification Standards™, Institutional Trust Framework™, Common Intelligence Format™, Exchange Protocol Engine™, Vulnerability Verification Standards™, Institutional Trust Framework™, and all associated methodologies, frameworks, governance models, verification infrastructures, safeguarding systems, interoperability architectures, intelligence models, implementation models and intellectual constructs are proprietary intellectual property authored and developed by Samantha Avril-Andreassen.

No reproduction, implementation, adaptation, deployment, AI training, machine learning ingestion, commercialisation, derivative development, institutional adoption, regulatory implementation, governmental implementation, software development, systems development, framework replication, architecture replication or operational implementation of any component of the SAFECHAIN™ ecosystem may occur without the prior written permission of Samantha Avril-Andreassen and SAFECHAINN Ltd.

The SAFECHAIN™ Master Publication Register™ remains the sole authoritative source of publication status, architecture lineage, governance authority, terminology control, implementation hierarchy, version control and intellectual property provenance.